Mallory
Iran · 39 malware families · Exploits CVEs in the wild

Magic Hound

Also known as: agent_serpens, APT35, Bohrium, calanque, charming_kitten, charming_kitten_apt, COBALT ILLUSION, cobalt_mirage, Crimson Sandstorm, Cuboid Sandstorm, CURIUM, DEV-0228, HOUSEBLEND, IMPERIAL KITTEN, ITG18, Magic Hound, Mint Sandstorm, newsbeef, Newscaster, Nimbus Manticore, Parastoo, phosphorous, phosphorus, Smoke Sandstorm, TA453, TA455, TA456, Tortoise Shell, Tortoiseshell, UNC1549, Yellow Liderc

APT35 is an Iranian state-sponsored threat actor. Reporting links this cluster to the aliases Magic Hound, Charming Kitten, Charming Kitten APT, Phosphorous/Phosphorus, Mint Sandstorm, Crimson Sandstorm, Cuboid Sandstorm, Smoke Sandstorm, Nimbus Manticore, UNC1549, Tortoiseshell, Agent Serpens, CURIUM, TA453, TA455, TA456, ITG18, DEV-0228, Imperial Kitten, NewsBeef, Newscaster, Bohrium, Calanque, Cobalt Illusion, Cobalt Mirage, Houseblend, Parastoo, Yellow Liderc, and others. Nimbus Manticore/UNC1549/Smoke Sandstorm overlaps with Tortoiseshell and has been publicly linked to Iran's Islamic Revolutionary Guard Corps (IRGC); Nimbus Manticore is separately described as an Iranian state-sponsored group affiliated with the IRGC. The actor has targeted aerospace, defense, aviation, telecommunications, software, diplomatic, and public-sector victims across the Middle East, Europe, the United States, Saudi Arabia, Australia, Israel, and the United Arab Emirates. Reported operations include fake recruitment and career-themed phishing (LinkedIn recruiter impersonation and fake hiring portals), spoofed institutional identities, and counterfeit documentation. The group has also targeted defense contractors and IT providers and has attempted supply-chain compromise. Tradecraft reported for the group includes spearphishing with malicious attachments, exploitation of public-facing applications, web-shell deployment, PowerShell-based execution and reconnaissance, AppDomain hijacking, scheduled-task persistence, SEO poisoning, and Azure-hosted command-and-control infrastructure.
Magic Hound/CURIUM activity includes PowerShell scripts for initial process execution and data gathering; collection of host details such as system architecture, OS version, UUID, host name, and username; exfiltration of data from compromised machines; use of a web shell to exfiltrate a ZIP archive containing an LSASS memory dump; and deletion or overwriting of files to cover tracks. Reporting from 2025-2026 attributes campaigns to Nimbus Manticore/UNC1549, including fake job campaigns against aerospace and defense professionals, trojanized installers delivered through AppDomain hijacking, and deployment of the MiniJunk and MiniFast backdoors. During Operation Epic Fury in 2026, the group targeted the U.S. aviation industry and other sectors, used fake airline job offers and a trojanized Zoom installer, and later used SEO poisoning via a fake Oracle SQL Developer site. MiniFast is described as supporting reconnaissance, command execution, file and folder operations, data exfiltration, payload download, and persistence via scheduled tasks. Earlier backdoors associated with Nimbus Manticore include MINIBIKE, TWOSTROKE, and DEEPROOT.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Financial Services
  • Military

MITRE ATT&CK

Tradecraft

53 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics, 79 techniques. ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (1 technique)
  • T1598 Phishing for Information (×2)
    • T1598.003 Spearphishing Link

TA0042 Resource Development (2 techniques)
  • T1583 Acquire Infrastructure
    • T1583.001 Domains
  • T1608 Stage Capabilities
    • T1608.006 SEO Poisoning

TA0001 Initial Access (4 techniques)
  • T1078 Valid Accounts
    • T1078.004 Cloud Accounts
  • T1189 Drive-by Compromise
  • T1190 Exploit Public-Facing Application (×2)
  • T1566 Phishing (×3)
    • T1566.001 Spearphishing Attachment (×2)
    • T1566.002 Spearphishing Link (×3)
    • T1566.003 Spearphishing via Service (×2)

TA0002 Execution (6 techniques)
  • T1053 Scheduled Task/Job
    • T1053.005 Scheduled Task (×5)
  • T1059 Command and Scripting Interpreter (×2)
    • T1059.001 PowerShell
    • T1059.003 Windows Command Shell (×4)
  • T1203 Exploitation for Client Execution
  • T1204 User Execution
    • T1204.002 Malicious File
  • T1559 Inter-Process Communication
    • T1559.001 Component Object Model
  • T1574 Hijack Execution Flow (×3)
    • T1574.001 DLL (×2)

TA0003 Persistence (3 techniques)
  • T1053 Scheduled Task/Job
    • T1053.005 Scheduled Task (×5)
  • T1078 Valid Accounts
    • T1078.004 Cloud Accounts
  • T1547 Boot or Logon Autostart Execution
    • T1547.001 Registry Run Keys / Startup Folder (×4)

TA0004 Privilege Escalation (5 techniques)
  • T1053 Scheduled Task/Job
    • T1053.005 Scheduled Task (×5)
  • T1055 Process Injection
    • T1055.001 Dynamic-link Library Injection
  • T1078 Valid Accounts
    • T1078.004 Cloud Accounts
  • T1547 Boot or Logon Autostart Execution
    • T1547.001 Registry Run Keys / Startup Folder (×4)
  • T1548 Abuse Elevation Control Mechanism
    • T1548.002 Bypass User Account Control

TA0005 Stealth (9 techniques)
  • T1027 Obfuscated Files or Information (×4)
    • T1027.002 Software Packing
  • T1036 Masquerading (×4)
  • T1055 Process Injection
    • T1055.001 Dynamic-link Library Injection
  • T1070 Indicator Removal
    • T1070.004 File Deletion (×2)
  • T1078 Valid Accounts
    • T1078.004 Cloud Accounts
  • T1140 Deobfuscate/Decode Files or Information
  • T1497 Virtualization/Sandbox Evasion
  • T1574 Hijack Execution Flow (×3)
    • T1574.001 DLL (×2)
  • T1622 Debugger Evasion

TA0112 Defense Impairment (2 techniques)
  • T1222 File and Directory Permissions Modification
  • T1553 Subvert Trust Controls
    • T1553.002 Code Signing
    • T1553.006 Code Signing Policy Modification

TA0006 Credential Access (4 techniques)
  • T1003 OS Credential Dumping
  • T1111 Multi-Factor Authentication Interception
  • T1539 Steal Web Session Cookie (×2)
  • T1621 Multi-Factor Authentication Request Generation

TA0007 Discovery (6 techniques)
  • T1033 System Owner/User Discovery
  • T1057 Process Discovery (×3)
  • T1082 System Information Discovery (×2)
  • T1083 File and Directory Discovery (×3)
  • T1497 Virtualization/Sandbox Evasion
  • T1622 Debugger Evasion

TA0009 Collection (2 techniques)
  • T1005 Data from Local System (×2)
  • T1114 Email Collection
    • T1114.002 Remote Email Collection

TA0011 Command and Control (4 techniques)
  • T1071 Application Layer Protocol (×3)
    • T1071.001 Web Protocols (×3)
  • T1090 Proxy
  • T1105 Ingress Tool Transfer (×2)
  • T1219 Remote Access Tools

TA0010 Exfiltration (1 technique)
  • T1041 Exfiltration Over C2 Channel (×7)

WEAPONIZED

Associated vulnerabilities

16 CVEs this actor has used in observed campaigns. 16 of them exploited in the wild.

CVE-2021-34473: ProxyShell pre-auth SSRF/authentication bypass in Microsoft Exchange Autodiscover (in the wild; evidence: 5)

PHOSPHORUS Automates Initial Access Using ProxyShell ... the creation of web shells were observed during the exploitation of internet facing services in PHOSPHORUS Automates Initial Access Using ProxyShell.

CVE-2021-44228: Log4Shell (in the wild; evidence: 3)

The primary vulnerability at the center of the event and this review (CVE-2021-44228) will be known as the Log4j vulnerability... Analysts at the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) assessed CVE-2021-44228 as a critical vulnerability with a Common Vulnerability Scoring System (CVSS) Base Score of 10.0.

CVE-2023-27350: Unauthenticated authentication bypass and RCE in PaperCut MF/NG (in the wild; evidence: 3)

Microsoft warns that Iran-linked APT groups have been observed exploiting the CVE-2023-27350 flaw in attacks against PaperCut MF/NG print management servers. The CVE-2023-27350 flaw is a PaperCut MF/NG Improper Access Control Vulnerability. PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of SYSTEM.

CVE-2021-31207: Post-auth arbitrary file write in Microsoft Exchange Server (ProxyShell) (in the wild; evidence: 2)

FIN7 has compromised targeted organizations through exploitation of CVE-2021-31207 in Exchange. ... Magic Hound has exploited ... ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

CVE-2024-1709: Authentication bypass in ConnectWise ScreenConnect (in the wild; evidence: 2)

APT35 , also known as Magic Hound, has confirmed active exploitation of ... ConnectWise ScreenConnect (CVE-2024-1709)

11 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

321 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

cyber security news (News), Jun 2, 2026
Nimbus Manticore APT Abuses Fake Recruitment Portal to Deliver Custom Malware

Conducting a fake recruitment campaign via LinkedIn and a spoofed hiring portal to deliver a multi-stage malware chain against aerospace and defense professionals.

scworld (News), May 27, 2026
Iranian threat group targets US aviation sector with AI-assisted ‘MiniFast’ backdoor | news | SC Media

Iranian state-sponsored espionage activity targeting the U.S. aviation industry, software development sector, and regional defense/aerospace organizations using career-themed phishing and, more recently, SEO poisoning to deliver backdoors including MiniFast and MiniJunk.

security affairs (News), May 26, 2026
Nimbus Manticore Expanded Attacks With AI-Assisted Malware and Fake Zoom Installers

Espionage-focused operations targeting defense, aviation, telecommunications, and software organizations using career-themed phishing, fake Zoom installers, and SEO poisoning to deliver updated backdoors during wartime conditions.

the hacker news (News), May 26, 2026
Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning

Iran-aligned espionage actor affiliated with the IRGC, conducting phishing and SEO-poisoning campaigns against aviation, software, defense, telecommunications, and energy-related targets using fake job offers, spoofed meeting invitations, trojanized software installers, and custom backdoors for persistence and remote command execution.


What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (53)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (39)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (16)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (321)

Domains, IPs, and hashes tied to this actor, refreshed continuously.