IRGC Hackers Used AI to Build Malware During Iran War
Iranian IRGC-linked group Nimbus Manticore used AI coding tools to build a new backdoor during the US-Iran conflict, targeting aviation and software firms across three campaign waves.

While American and Israeli aircraft ran nearly 900 strikes in the opening twelve hours of Operation Epic Fury on February 28, 2026, an Iranian group tied closely to the IRGC was already adapting. Nimbus Manticore, tracked as a state-linked hacking team since at least 2022, didn't wait for the bombs to stop. They used AI coding tools to accelerate malware development in real time, keeping operational pace with a conflict that lasted ten weeks.
A report from Check Point Research published May 22 documents three distinct campaign waves between February and April 2026. The researchers found code patterns across the group's new backdoor, MiniFast, that point to large language model involvement: excessive error handling around trivial API calls, verbose and repetitive function naming, embedded debug messages that read more like auto-produced documentation than operational code.
TL;DR
- Nimbus Manticore built a new backdoor, MiniFast, using AI coding tools during the US-Iran conflict
- Three campaign waves ran from February to April 2026, hitting aviation, software, and defense targets across the US, Europe, and Middle East
- SEO poisoning appeared for the first time in a Nimbus Manticore campaign - a fake SQL Developer download page ranked near the top of Bing and DuckDuckGo results
- AI-assisted development leaves recognizable code fingerprints; Check Point analysts used those patterns to attribute the new tooling to the same group
The War Gave Them Both Cover and Urgency
Operation Epic Fury ran from February 28 to a ceasefire on May 5. Before the campaign started, Iran had designated US tech infrastructure - including AWS, NVIDIA, Oracle, and Palantir facilities - as legitimate military targets. The conflict gave Iranian state-linked groups strong motivation to accelerate offensive cyber operations, and the fog of a shooting war provided useful cover for activity that might otherwise draw faster attribution.
Nimbus Manticore, also tracked as UNC1549, responded by upgrading its toolkit on the fly. What makes Check Point's analysis striking isn't just that the group was active during the conflict - it's that the code shows signs of a production pipeline change. The group appears to have adopted AI coding assistance as a standard part of malware development, letting them ship and iterate new tooling faster than a manual workflow would allow.
The Three Campaigns
Wave One: AppDomain Hijacking via Trojanized Zoom (February 2026) - The first campaign arrived with the opening strikes. Attackers bundled a trojanized Zoom installer into lure packages sent to targets in aviation and software companies. The installer carried a malicious DLL that used AppDomain hijacking - a .NET exploitation technique where an attacker-controlled XML .config file is placed alongside a legitimate application. When the trusted .NET runtime reads the config on launch, it loads whatever AppDomainManager class the attacker specified. That class is a DLL the attacker controls, executing inside the trusted process and sidestepping endpoint controls that look for new suspicious processes rather than malicious code loading inside known-good ones.
Wave Two: MiniFast Deployment (February-March 2026) - During the peak of Operation Epic Fury, the group dropped the previously undocumented MiniFast backdoor. The 64-bit DLL supports 16 command opcodes covering file upload and download, directory and process enumeration, persistence via scheduled tasks, UAC elevation, and remote command execution through CMD. Its command-and-control channel uses structured HTTP requests with JSON payloads, with the malware spoofing a Chrome browser User-Agent to blend into normal web traffic.
The full Nimbus Manticore attack chain during Wave One and Two, as documented by Check Point Research.
Source: research.checkpoint.com
Wave Three: SEO Poisoning via Fake SQL Developer (April 2026) - After the ceasefire, the group shifted. For the first time in any observed Nimbus Manticore operation, they used search engine optimization poisoning to distribute malware. They registered dozens of domains pointing to a single target site - getsqldeveloper[.]com - designed to impersonate Oracle's SQL Developer tool. Keyword stuffing pushed the page near the top of Bing and DuckDuckGo results for the query "sql developer." Anyone who attempted a download received MiniFast instead of the legitimate installer.
The convincing fake SQL Developer download page that ranked near the top of Bing and DuckDuckGo search results.
Source: research.checkpoint.com
The AI Fingerprint
Check Point's analysts identified specific code patterns in MiniFast samples that point to AI tool use during development.
The patterns aren't a signature of a specific LLM. They're the residue of generating functions quickly from prompts, getting verbose output, and shipping without cleanup:
```python
import logging
import socket

logger = logging.getLogger(__name__)

# Pattern 1: error handling around calls that cannot plausibly fail
try:
    hostname = socket.gethostname()
except socket.error as e:
    logger.debug("Failed to retrieve hostname: %s", str(e))
    hostname = "unknown_hostname_fallback"

# Pattern 2: verbose naming where a single word would do
def execute_remote_command_via_cmd_shell(command_string_input):
    ...

# Pattern 3: detailed debug messages that read as auto-generated documentation
dest_path = "placeholder_destination_path"  # placeholder so the snippet runs
logger.debug("Initiating file download operation, destination path: %s", dest_path)
```
Three patterns appearing together - excessive exception handling, repetitive multi-word function names, and documentation-style logging in what should be lean production code - are strong signals of LLM-produced code that wasn't reviewed before shipping.
The operational implication is significant. A group willing to trade code quality for development speed is optimizing for tempo. During a live conflict, that trade-off makes practical sense. We've seen a similar approach from financially motivated actors, where a single operator used DeepSeek and Claude to breach 600 FortiGate firewalls in five weeks. The difference with Nimbus Manticore is state backing and a geopolitical trigger.
This is also consistent with a broader trend. Supply chain attacks like the TeamPCP GitHub breach showed that sophisticated actors are shortening development cycles by any means available. AI coding tools are now part of that calculus for state-linked groups, not just independent operators.
What Defenders Should Do
Apply the Check Point IOCs immediately. The full report includes hashes and domains for MiniFast samples and the SEO poisoning infrastructure. Add them to your blocklists before anything else.
Audit .config files in .NET application directories. AppDomain hijacking leaves a concrete artifact: an unexpected or unsigned .config file alongside a known-good application binary. That file shouldn't be there.
Enforce verified download policies for developer tooling. SEO poisoning exploits search engines, not your perimeter. SQL Developer, Visual Studio Build Tools, Python installers - all popular developer tools are viable targets. Require downloads from internal mirrors or verified package managers only.
Hunt for scheduled tasks with auto-generated names. MiniFast establishes persistence via scheduled tasks. A task with a verbose, underscore-heavy name, registered recently, pointing to an unusual binary path in a temp or user directory warrants immediate review.
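The three traits in that hunt (verbose underscore-heavy name, recent registration, binary under a user-writable path) can be scored so that updaters living in AppData do not drown the result. This scorer is an added example, not Check Point's tooling; the task records, the timestamp NOW and the weights are constructed assumptions to tune against your own fleet.

```python
import re
from datetime import datetime, timedelta

# Constructed task records, trimmed to the fields this hunt uses
# (the shape of a `schtasks /query /fo CSV /v` export). Not from the report.
SAMPLE_TASKS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Task To Run": r"%windir%\system32\defrag.exe -c -h -k -g -$",
     "Created": "2025-11-03 09:14:00"},
    {"TaskName": r"\OneDrive Standalone Update Task-S-1-5-21-1111-2222-3333-1001",
     "Task To Run": r"C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "Created": "2026-03-08 11:02:00"},
    {"TaskName": r"\system_update_service_health_monitor_task",
     "Task To Run": r"rundll32.exe C:\Users\jsmith\AppData\Local\Temp\svc_health_monitor.dll,Start",
     "Created": "2026-03-09 22:41:00"},
]
NOW = datetime(2026, 3, 10, 8, 0, 0)  # constructed "time of the hunt"

# Directories the OS never uses for its own task binaries but users can write to.
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|programdata)\\", re.I)

def verbose_name(task_name):
    """Heuristic for auto-generated names: long runs of underscore-joined words."""
    leaf = task_name.rsplit("\\", 1)[-1]
    return leaf.count("_") >= 3 and len(leaf) >= 20

def score_task(task, now=NOW):
    """Return (points, reasons); name shape weighs most, the other two are common alone."""
    points, reasons = 0, []
    if verbose_name(task["TaskName"]):
        points += 2
        reasons.append("verbose underscore-heavy task name")
    if USER_WRITABLE.search(task["Task To Run"]):
        points += 1
        reasons.append("binary under temp/user-writable path")
    created = datetime.strptime(task["Created"], "%Y-%m-%d %H:%M:%S")
    if now - created <= timedelta(days=7):
        points += 1
        reasons.append("registered within the last 7 days")
    return points, reasons

def hunt(tasks, now=NOW, threshold=3):
    """Tasks at or above the threshold, with reasons, for analyst review."""
    hits = []
    for task in tasks:
        points, reasons = score_task(task, now)
        if points >= threshold:
            hits.append((task["TaskName"], points, reasons))
    return hits
```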
Flag Chrome User-Agent traffic from non-browser processes. MiniFast's C2 masquerades as Chrome. Network logs showing JSON-formatted HTTP requests with a Chrome UA from a process that isn't a browser or browser helper are worth pulling for analysis.
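Put concretely, the check is: a Chrome-family User-Agent, a process that is not a browser or browser helper, and (stronger) a JSON POST. The detector below is an added example rather than anything from the report; the tab-separated process-attributed proxy records, the host 203.0.113.10 and the rundll32.exe line are constructed samples, and the browser allowlist is an assumption to extend for your environment.

```python
# Constructed process-attributed proxy records (tab-separated fields:
# timestamp, process image, method, host, request content-type, user-agent).
# Sample values only; nothing here is taken from the Check Point report.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
SAMPLE_LOG = "\n".join([
    "2026-03-02T09:12:01Z\tchrome.exe\tGET\twww.example.com\t-\t" + CHROME_UA,
    "2026-03-02T09:12:07Z\tmsedge.exe\tGET\twww.example.org\t-\t" + CHROME_UA + " Edg/124.0.0.0",
    "2026-03-02T09:13:40Z\tpython.exe\tGET\tpypi.org\t-\tpython-requests/2.31.0",
    "2026-03-02T09:14:02Z\trundll32.exe\tPOST\t203.0.113.10\tapplication/json\t" + CHROME_UA,
])

# Processes expected to carry a Chrome-family User-Agent (assumed allowlist).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
BROWSER_HELPERS = {"chrome_proxy.exe", "msedgewebview2.exe"}

def parse_line(line):
    ts, proc, method, host, ctype, ua = line.split("\t", 5)
    return {"ts": ts, "process": proc.lower(), "method": method,
            "host": host, "content_type": ctype, "ua": ua}

def claims_chrome(ua):
    """True for the Chrome UA shape (Edge and other Chromium browsers match too)."""
    return ua.startswith("Mozilla/5.0") and "Chrome/" in ua and "Safari/" in ua

def classify(rec):
    """Reasons a record is worth pulling for analysis, or an empty list."""
    if not claims_chrome(rec["ua"]):
        return []
    if rec["process"] in BROWSER_PROCESSES | BROWSER_HELPERS:
        return []
    reasons = ["Chrome User-Agent from non-browser process"]
    if rec["method"] == "POST" and rec["content_type"].startswith("application/json"):
        reasons.append("JSON POST body, consistent with structured HTTP C2")
    return reasons

def detect(log_text):
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits
```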