An Iranian state-sponsored threat actor known as Nimbus Manticore has deployed MiniFast and MiniJunk V2 malware against aviation and software organizations [1, 2].
This escalation marks a shift in cyber-espionage tactics following a joint U.S.–Israeli military campaign against Iran in late February 2026 [1]. The targeted sectors, aviation and software, are critical to national infrastructure and global logistics, making them high-value targets for intelligence gathering.
The group, also identified as Screening Serpens and UNC1549, utilized two primary delivery methods to infiltrate systems [1, 2]. These include phishing emails and search-engine optimization (SEO) poisoning campaigns, which trick users into visiting malicious websites. Once a target is compromised, the attackers deploy the MiniFast and MiniJunk V2 malware families to establish a foothold within the network [1, 2].
Geographically, the campaign has spanned the United States, Europe, and the Middle East [1, 2]. The operation focuses on expanding espionage capabilities and gaining access to sensitive data [1]. By targeting software firms, the actors may be seeking supply-chain vulnerabilities that would allow them to pivot into other government or corporate networks.
Security researchers said the timing of these attacks correlates with the geopolitical tensions following the February 2026 military actions [1]. The use of SEO poisoning suggests a sophisticated approach to targeting, as it leverages the trust users place in search engine results to deliver payloads.
While the full extent of the data exfiltration is not yet public, the focus on the aviation sector suggests a specific interest in transport logistics and aerospace technology [1, 2]. Organizations in these sectors are advised to monitor for unusual network traffic and audit their SEO-facing assets for signs of poisoning.
The transition from conventional military conflict to targeted cyber-espionage indicates that Iran is utilizing asymmetric warfare to recover intelligence losses. By targeting the software sector specifically, Nimbus Manticore is likely attempting to create 'backdoors' into wider networks, suggesting that the February 2026 military campaign may have triggered a long-term strategic shift in how Iranian state actors conduct digital surveillance.



