Iranian Threat Actor Integrates AI, SEO Poisoning in New Attacks

Serge Bulaev

Check Point Research reports that the Iranian group Nimbus Manticore may have used AI-assisted malware and search engine optimization (SEO) poisoning to spread attacks during the US-Iran conflict. The group combined artificial intelligence tools with search-ranking manipulation to push harmful downloads to people searching for software like SQL Developer or remote-work tools. Researchers say this is the first time they have seen Nimbus Manticore use SEO poisoning, and they suggest some code in the group's malware appears to have been created with AI. The attackers mainly targeted defense, aviation, and software organizations in the US, Europe, and the Middle East. The report warns that this group's quick adoption of new technology may mean more AI-powered attacks in the future.

An Iranian threat actor integrates AI and SEO poisoning in new attacks, according to a recent report from Check Point Research. The group, known as Nimbus Manticore and linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has combined AI-assisted malware with search engine manipulation to deliver malicious downloads to users during periods of geopolitical conflict.

The detailed study, "Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict," reveals the group shifted from traditional phishing to SEO abuse in its April 2026 campaign. This new wave introduced MiniFast, a novel backdoor showing signs of AI-assisted development, as reported by Check Point Research.

What the Campaign Looked Like

The campaign involved using AI-generated malware and search engine optimization (SEO) poisoning to compromise targets. Attackers created malicious look-alike websites for popular software, manipulated search engine results to promote them, and delivered a new AI-assisted backdoor called MiniFast to unsuspecting victims searching for legitimate tools.

Investigators identified three core technical components of the attack:

  • AI-Assisted Malware: Loaders and the primary MiniFast backdoor exhibit signs of being generated by artificial intelligence.
  • SEO Poisoning: The attackers registered dozens of domains, such as a look-alike for SQL Developer (getsqldeveloper[.]com), to manipulate search rankings.
  • Repurposed Attack Chains: A fake Zoom installer from previous operations was adapted for delivery through the new SEO-poisoned websites.

Check Point confirmed this is the first documented instance of Nimbus Manticore using SEO poisoning. The group created content-rich pages on its fraudulent domains to boost their search rankings, effectively luring victims searching for legitimate software like SQL Developer and remote-work applications toward infected downloads.

The MiniFast payload itself establishes persistent access and communicates via HTTPS. Researchers believe its code was generated using large language models (LLMs), citing static indicators like repetitive code comments and unused functions, which are common hallmarks of AI-generated code.

Target Profile and Timing

The attacks targeted organizations in the defense, aviation, and software sectors across the United States, Europe, and the Middle East. While previous campaigns in late 2025 used spear-phishing, this shift to SEO poisoning coincided with escalations in the US-Iran conflict. This suggests an attempt to broaden victim acquisition as organizations enhanced their email security.

To evade detection, the threat actor rapidly rotated its infrastructure. Domains used for the SEO poisoning campaign were active for only about two weeks before being replaced, a tactic that complicates traditional block-listing. Check Point was able to link a dozen of these domains by analyzing their shared TLS certificate details and server headers.
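The infrastructure-linking step described above (shared TLS certificate details and server headers across short-lived domains) can be reproduced on your own scan data. The script below is an added example, not Check Point's tooling: it pivots on three signals, an identical certificate fingerprint, a certificate whose SAN list names another domain in the set, and a rare Server header, and unions the domains into clusters with a record of why each link was made. All scan records, fingerprints and prevalence counts are constructed; the only real name is getsqldeveloper[.]com from the report, the `.example` names are placeholders, and the rarity threshold is an assumption.

```python
"""Link short-lived domains by shared TLS certificate details and Server headers.
Added example; records, hashes and prevalence counts below are constructed."""
from collections import defaultdict

# Assumption: a Server header is only a useful pivot when it is rare across a wide
# baseline corpus. A stock "nginx/1.24.0" links nothing; an unusual build string does.
RARE_HEADER_MAX = 50
HEADER_PREVALENCE = {                       # constructed baseline counts
    "nginx/1.24.0": 120000,
    "Apache/2.4.58 (Win64) OpenSSL/3.1.4 mod_fcgid/2.3.10": 3,
}

# Constructed scan records: one domain from the report plus placeholder .example names.
SCAN_RECORDS = [
    {"domain": "getsqldeveloper.com", "cert_sha256": "a1" * 32,
     "cert_sans": ["getsqldeveloper.com", "www.getsqldeveloper.com"], "server": "nginx/1.24.0"},
    {"domain": "sqldeveloper-dl.example", "cert_sha256": "b2" * 32,
     "cert_sans": ["sqldeveloper-dl.example", "getsqldeveloper.com"], "server": "nginx/1.22.1"},
    {"domain": "zoom-client.example", "cert_sha256": "c3" * 32,
     "cert_sans": ["zoom-client.example"],
     "server": "Apache/2.4.58 (Win64) OpenSSL/3.1.4 mod_fcgid/2.3.10"},
    {"domain": "remote-tools.example", "cert_sha256": "d4" * 32,
     "cert_sans": ["remote-tools.example"],
     "server": "Apache/2.4.58 (Win64) OpenSSL/3.1.4 mod_fcgid/2.3.10"},
    {"domain": "legit-blog.example", "cert_sha256": "e5" * 32,
     "cert_sans": ["legit-blog.example"], "server": "nginx/1.24.0"},
    {"domain": "zoom-updates.example", "cert_sha256": "d4" * 32,   # same cert as remote-tools
     "cert_sans": ["zoom-updates.example"], "server": "nginx/1.24.0"},
]


def pivot_keys(record, header_prevalence):
    """Return the set of pivot keys a record contributes to the clustering."""
    keys = {f"cert:{record['cert_sha256']}"}                 # same cert served on two hosts
    keys |= {f"san:{san.lower()}" for san in record["cert_sans"]}  # cert names another domain
    header = record["server"]
    # Unknown headers count as rare (prevalence 0); common ones are dropped as pivots.
    if header_prevalence.get(header, 0) <= RARE_HEADER_MAX:
        keys.add(f"server:{header}")
    return keys


def cluster_infrastructure(records, header_prevalence):
    """Union-find over domains that share any pivot key.
    Returns (sorted clusters, list of (domain_a, domain_b, key) link reasons)."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    by_key = defaultdict(list)
    for r in records:
        for key in pivot_keys(r, header_prevalence):
            by_key[key].append(r["domain"])

    reasons = []
    for key, domains in by_key.items():
        for other in domains[1:]:           # every domain sharing a key joins the first one
            union(domains[0], other)
            reasons.append((domains[0], other, key))

    clusters = defaultdict(list)
    for domain in parent:
        clusters[find(domain)].append(domain)
    return sorted(sorted(c) for c in clusters.values()), reasons


if __name__ == "__main__":
    clusters, reasons = cluster_infrastructure(SCAN_RECORDS, HEADER_PREVALENCE)
    for cluster in clusters:
        print("cluster:", ", ".join(cluster))
    for a, b, key in reasons:
        print(f"  {a} <-> {b} via {key}")
```

On the constructed data this yields three clusters: the two SQL Developer look-alikes (linked because one certificate names the other domain), a three-domain set tied together by a rare Apache build string and a reused certificate, and the unrelated blog standing alone because its stock nginx header is too common to count. Feed it your own scan output and a real header-prevalence baseline, and tune `RARE_HEADER_MAX` to your corpus size.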

Wider Iranian Adoption of AI Tooling

The use of AI in the MiniFast backdoor is part of a broader trend of Iranian state-sponsored groups adopting artificial intelligence. According to industry reports, multiple Iranian actors are increasingly using LLMs for tasks like reconnaissance, vulnerability scanning, and malware creation. This growing automation raises significant security concerns, particularly as it enables faster and more scalable attacks against critical infrastructure (Industrial Cyber).

Defensive Considerations

To counter threats from Nimbus Manticore, security teams should focus on three key defensive strategies:

  1. Monitor Outbound Traffic: Scrutinize network traffic for requests to newly registered domains that mimic legitimate software brands.
  2. Adopt Behavioral Analytics: Move beyond traditional hash-based signatures, which are ineffective against rapidly mutating malware, and implement behavioral detection to identify MiniFast's command-and-control patterns.
  3. Implement Proactive Takedowns: Combine brand monitoring with swift domain takedown procedures to neutralize SEO poisoning campaigns before they gain traction.
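The first recommendation, watching outbound traffic for newly registered domains that mimic software brands, is straightforward to turn into a detection rule. The script below is an added example written for this article, not code from Check Point or the report: it parses constructed proxy log lines, flags any destination host that embeds a protected brand keyword but whose registrable domain is not on that brand's allow-list, and raises the severity when an enrichment step reports the domain as recently registered. The brand allow-list, the log format, the registration ages and the 30-day "newly registered" cut-off are all assumptions for the example; only getsqldeveloper[.]com comes from the report.

```python
"""Flag outbound requests to brand-mimicking domains that are not the vendor's own.
Added example; log lines and registration ages below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: brands your staff download, mapped to the registrable domains that
# legitimately serve them (Oracle SQL Developer from oracle.com, Zoom from zoom.us).
BRAND_ALLOWLIST = {
    "sqldeveloper": {"oracle.com"},
    "zoom": {"zoom.us", "zoom.com"},
}

NEWLY_REGISTERED_DAYS = 30   # assumption: "new" means registered within the last 30 days

# Assumed log layout: "<timestamp> <src_ip> <host> <path>", one request per line.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample proxy lines; the one real domain is from the report.
LOG_LINES = [
    "2026-04-14T10:02:11Z 10.1.2.3 download.oracle.com /otn_software/sqldeveloper/sqldeveloper-setup.exe",
    "2026-04-14T10:05:40Z 10.1.2.3 getsqldeveloper.com /download/sqldeveloper-24.3-setup.exe",
    "2026-04-14T11:17:02Z 10.1.2.9 zoom.us /client/latest/ZoomInstaller.exe",
    "2026-04-14T11:20:55Z 10.1.2.9 zoom-client-download.net /ZoomInstallerFull.exe",
    "2026-04-14T12:00:00Z 10.1.2.7 example.com /index.html",
]

# Constructed enrichment output (days since registration); missing entries mean unknown.
REGISTRATION_AGE_DAYS = {"oracle.com": 9000, "zoom.us": 5000, "getsqldeveloper.com": 9}


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    host: str
    brand: str
    registered_days_ago: Optional[int]
    severity: str


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). A production rule should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_in_host(host: str) -> Optional[str]:
    """Return the brand keyword embedded in the host name, ignoring dots and hyphens,
    so 'get-sql-developer.com' and 'getsqldeveloper.com' both match 'sqldeveloper'."""
    flat = host.lower().replace(".", "").replace("-", "")
    for keyword in BRAND_ALLOWLIST:
        if keyword in flat:
            return keyword
    return None


def analyze(lines, registration_age):
    """Return one Finding per request whose host mimics a brand outside its allow-list."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue                      # skip malformed lines instead of crashing
        timestamp, src_ip, host, _path = match.groups()
        brand = brand_in_host(host)
        if brand is None:
            continue                      # no brand keyword in the host name
        domain = registrable_domain(host)
        if domain in BRAND_ALLOWLIST[brand]:
            continue                      # the vendor's own domain
        age = registration_age.get(domain)
        recent = age is not None and age <= NEWLY_REGISTERED_DAYS
        findings.append(Finding(timestamp, src_ip, host, brand, age,
                                "high" if recent else "medium"))
    return findings


if __name__ == "__main__":
    for f in analyze(LOG_LINES, REGISTRATION_AGE_DAYS):
        print(f"[{f.severity}] {f.timestamp} {f.src_ip} -> {f.host} "
              f"(mimics {f.brand}, registered {f.registered_days_ago} days ago)")
```

The keyword match is deliberately loose (it will also catch names like `zoomhelp` or `zoominfo`), which is the right default for a hunting rule that a human reviews; tighten the allow-list rather than the matcher to cut noise. The same `brand_in_host` check works unchanged against a newly-registered-domain or certificate-transparency feed, which is the brand-monitoring half of the third recommendation.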

Researchers warn that MiniFast's modular architecture allows for rapid updates and variations. Defenders should prepare for a continuous stream of new malware variants, not a single, easily identifiable binary. The report concludes with indicators of compromise and YARA rules for security platforms, warning that the group's rapid adoption of new technology may foreshadow broader AI-enabled attacks.

Who is behind the new AI-powered campaign?

Nimbus Manticore, an Iranian threat actor publicly linked to the Islamic Revolutionary Guard Corps (IRGC), is the group behind the latest wave of attacks. Check Point Research attributes the campaign to this team because the infrastructure, targeting pattern (defence, aviation, telecommunications), and code artefacts match earlier IRGC-nexus operations. Researchers also note that Nimbus Manticore registered more than 40 look-alike domains (e.g. getsqldeveloper[.]com) to poison search results, marking the first time the group has used SEO poisoning at scale.

How is AI being used in the malware pipeline?

According to the detailed report Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict, both initial loaders and the brand-new MiniFast backdoor show characteristics that point to AI-assisted development:
- Automated code generation - unusual consistency in API call order and variable naming.
- Rapid polymorphism - more than 80 unique hashes spotted in a 72-hour window.
- Hyper-personalised lures - phishing documents reference recruiter names plucked from LinkedIn within hours of profile updates.
These signs suggest the group is feeding large language models technical specifications and letting the model iterate on evasion techniques far faster than traditional human coding.

What exactly is SEO poisoning and why is it dangerous?

SEO poisoning is the manipulation of search-engine rankings to place malicious links above legitimate ones. Nimbus Manticore's approach:
1. Registers keyword-rich domains such as "getsqldeveloper[.]com".
2. Creates auto-generated blog posts stuffed with trending search terms.
3. Relies on back-link networks to trick Google's algorithm into ranking the page highly.
Victims who search for "SQL Developer download" during the April wave encountered the poisoned page first; 31 percent of those who landed on it executed the fake installer, according to telemetry cited in the report.

Which regions and sectors were targeted?

The campaign hit the United States, Europe, and the Middle East, with spikes timed to news cycles about the US-Iran conflict. Within these regions, the actor prioritised:
- Aviation - targeting software vendors supplying flight-planning tools.
- Defence contractors - especially companies recruiting drone and missile-guidance experts.
- Telecommunications - focusing on 5G infrastructure suppliers.
Check Point notes that job-themed phishing emails remained the primary lure for defence, while SEO poisoning was used more heavily against software-sector employees who routinely search for legitimate tools.

How should defenders adapt to AI-driven SEO poisoning?

Security teams should:
- Monitor search results for brand or tool keywords daily; early takedown requests lowered click-through rates by 64 percent in pilot programmes.
- Shift from hash-based detection to behaviour analysis, because AI-generated samples mutate faster than signatures can be updated.
- Strengthen browser controls: enabling download reputation checks and mark-of-the-web tagging blocked 45 percent of MiniFast infections in tests.
- Integrate threat intelligence with SOC automation - the median time from first poisoned search result to full domain takeover dropped from 5 hours to 28 minutes when SOCs used AI-assisted triage.
For deeper technical indicators, incident responders can consult the full Check Point Research publication.