#threatreport #HighCompleteness Detecting Nimbus Manticore and their sideloading infection chains | 01-06-2026
Source: nextron-systems.com/2026/06/…
Key details below ↓
🧑‍💻 Actors/Campaigns: Tortoiseshell
💀 Threats: Dllsearchorder_hijacking_technique, Appdomain_hijacking_technique, Asyncrat, Junk_code_technique, Supply_chain_technique
🎯 Victims: Aerospace, Defense
🏭 Industry: Aerospace, Bp_outsourcing, Financial
🌐 Geo: Iran, Middle East
📚 TTPs: ⚔️ Tactics: 1, 🛠️ Techniques: 0
🤖 LLM extracted TTPs: T1027, T1027.016, T1036, T1036.003, T1071.001, T1090, T1204.002, T1564.001, T1566.002, T1574.001, ...
🧨 IOCs: Url: 1, File: 3, Hash: 10, Domain: 11
💽 Software: Microsoft Visual Studio, Microsoft Word
🔢 Algorithms: aes, zip
🔠 Functions: TaskScheduler, CheckForUpdates
🗂️ Win API: LoadLibrary, NtGlobalFlag
YARA: Found
#threatreport: The incident described highlights operations attributed to the Iran-nexus APT group Nimbus Manticore (also known as UNC1549 or Smoke Sandstorm), which primarily targets aerospace and defense sectors in the Middle East and Europe. This group utilizes sophisticated social engineering tactics, such as impersonating a legitimate headhunter on LinkedIn to lure victims into fake recruitment processes. Their phishing attempts include well-crafted PDFs and a legitimate-looking hiring portal, which eventually lead to the deployment of malware disguised as a two-factor authentication application. The malware employs a sideloading infection chain leveraging DLL search order hijacking and AppDomain hijacking techniques. In this instance, the malware payload is delivered in a ZIP file containing a renamed Microsoft Visual Studio component (setup.exe), which, upon execution, uses a manipulated configuration file to load an attacker-controlled assembly (TOTPGuard.dll). This setup is designed to remain inconspicuous, as the payload is signed by Microsoft and blends in with normal application behavior, thereby avoiding detection.
Throughout their campaigns, Nimbus Manticore has exhibited a pattern of increasing obfuscation within their malware. The payload analyzed featured complex code obfuscation techniques, including opaque predicates and dynamic jump calculations, aimed at hindering static analysis and reverse engineering efforts. While previous implant functionalities have remained largely consistent, the enhancements in obfuscation suggest the operators are adapting to detection methodologies and improving their evasion tactics. The command-and-control (C2) infrastructure predominantly relies on Azure-hosted domains, which benefit from a trusted reputation and make adversarial traffic less likely to trigger alarms in environments accustomed to Azure services. Detection strategies have been proposed, emphasizing the analysis of domain age as a potential indicator of threat activity. Stricter access controls to new domains, particularly in sensitive business units, could mitigate exposure. To counteract these tactics, organizations are encouraged to adopt comprehensive security awareness training that covers phishing beyond email and emphasizes recognizing social engineering attacks via platforms like LinkedIn. Detecting suspicious behaviors, such as anomalous sideloading techniques and unusual application configurations, is crucial for defense against the evolving strategies of threat actors like Nimbus Manticore. Overall, while the fundamental behavior of this group remains stable, their operational sophistication continues to pose substantial challenges for cybersecurity defenses.
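The report summarized above says the renamed, Microsoft-signed setup.exe reads a manipulated configuration file that makes the .NET runtime load the attacker's TOTPGuard.dll. The scanner below is an added example, not code from the report, from Nextron Systems, or from anyone quoted on this page. It assumes (an assumption, not something the post states) that the redirection uses the .NET Framework's documented appDomainManagerAssembly / appDomainManagerType settings under `<runtime>`, and it flags any `*.exe.config` that names an AppDomainManager whose DLL sits beside the executable, which is the sideloading shape the post describes. The sample directory is constructed; only the names setup.exe and TOTPGuard.dll come from the report, and `Updater.exe` is invented.

```python
"""Flag .NET exe.config files that redirect the AppDomainManager (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumption: the hijack is carried by these two standard <runtime> elements,
# which tell the .NET Framework which assembly/type to instantiate before
# any application code runs.
ASM_ELEMENT = "appDomainManagerAssembly"
TYPE_ELEMENT = "appDomainManagerType"


@dataclass
class Finding:
    config: str        # path of the *.exe.config carrying the setting
    assembly: str      # assembly display name taken from the config
    manager_type: str  # type the runtime will instantiate as AppDomainManager
    sideloaded: bool   # True when <shortname>.dll sits next to the executable
    severity: str      # "high" if the DLL is beside the EXE, else "medium"


def _local(tag: str) -> str:
    """Drop any XML namespace prefix: '{ns}runtime' -> 'runtime'."""
    return tag.rsplit("}", 1)[-1]


def parse_appdomain_manager(xml_text: str) -> tuple[Optional[str], Optional[str]]:
    """Return (assembly, type) declared under <configuration><runtime>, else (None, None)."""
    root = ET.fromstring(xml_text)
    for runtime in (el for el in root.iter() if _local(el.tag) == "runtime"):
        asm = typ = None
        for child in runtime:
            name = _local(child.tag)
            if name == ASM_ELEMENT:
                asm = child.get("value")
            elif name == TYPE_ELEMENT:
                typ = child.get("value")
        if asm or typ:
            return asm, typ
    return None, None


def assess_config(config_name: str, xml_text: str, siblings: Iterable[str]) -> Optional[Finding]:
    """Classify one exe.config given the other file names in its directory.

    Any AppDomainManager redirection in an application config is worth a look;
    a DLL matching the assembly's short name beside the EXE is the sideloading
    case, so that is rated higher.
    """
    asm, typ = parse_appdomain_manager(xml_text)
    if asm is None and typ is None:
        return None
    short = (asm or "").split(",")[0].strip()  # "TOTPGuard, Version=..." -> "TOTPGuard"
    lowered = {s.lower() for s in siblings}
    sideloaded = bool(short) and f"{short}.dll".lower() in lowered
    return Finding(
        config=config_name,
        assembly=asm or "",
        manager_type=typ or "",
        sideloaded=sideloaded,
        severity="high" if sideloaded else "medium",
    )


def scan_directory(files: dict[str, str]) -> list[Finding]:
    """files maps file name -> text content (use '' for binaries)."""
    findings: list[Finding] = []
    for name, content in files.items():
        if name.lower().endswith(".exe.config"):
            finding = assess_config(name, content, files.keys())
            if finding:
                findings.append(finding)
    return findings


# Constructed sample directory (not captured from a real incident).
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="TOTPGuard, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="TOTPGuard.Manager" />
  </runtime>
</configuration>"""

SAMPLE_DIR = {
    "setup.exe": "",                       # signed host binary named in the report
    "setup.exe.config": SUSPICIOUS_CONFIG,  # redirects the AppDomainManager
    "TOTPGuard.dll": "",                   # attacker assembly named in the report
    "Updater.exe": "",                     # invented benign neighbour
    "Updater.exe.config": BENIGN_CONFIG,
}

if __name__ == "__main__":
    for f in scan_directory(SAMPLE_DIR):
        print(f"[{f.severity}] {f.config}: runtime loads {f.assembly!r} "
              f"as {f.manager_type!r} (DLL beside EXE: {f.sideloaded})")
```

Run it over an extracted ZIP or a mounted image by replacing SAMPLE_DIR with a real directory listing. The check is deliberately independent of code signing: the whole point of the chain is that the EXE validates cleanly, so the signal has to come from the configuration that sits next to it.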
We're using Sonner Native at Noona to handle OTA updates with EAS Update. Call checkForUpdates() when the app mounts and in an AppState listener when it becomes active.
Introducing Sonner Native, a Sonner port for React Native 🍞 ⚡️ GitHub: github.com/gunnartorfis/sonn… Docs: gunnartorfis.github.io/sonne…
23 Oct 2021
OK I forgot I installed GitHub Copilot and went to write a function and ... folks, we are in trouble. It's not just that this is some sort of generic checkForUpdates function that it found on GitHub. This is written specifically in Gluegun-style. This is incredible.
It's Zoom update time! There is currently an update available #Checkforupdates
ATTENTION! 📣📣 Calling all #Skippers: new FAST insider build 18219 - @ SkipAhead aka.ms/wip18219skip #WindowsInsiders #Windows10 #checkforupdates @insidersireland #insidersireland
Skipping into the weekend with new FAST insider build 18214 - SkipAhead aka.ms/rom #WindowsInsiders #Windows10 #checkforupdates @insidersireland #insidersireland
19H1 SkipAhead Build 18204 is alive... check yo settings #WindowsInsiders #Windows10 #checkforupdates @insidersireland #insidersireland
They say safety in numbers... but no one is safe in 'What Still Remains'. #WSR #thepack #filmart #whatstillremains #comingsoon #checkforupdates @luluantariksa @dohn_n @colinodonoghue1
Stalking the screen come September...'THE PREDATOR' --- Look for our work in the film and make sure to stay updated as the premiere approaches! #asc #thepredatorfilm #checkforourwork #creatureart #predator #conceptart #september #comingsoon #checkforupdates #horrorart
Happy Wednesday! 😃 Updates for all Yummy Software apps are now available directly, and on the Mac App Store 👍 #CheckForUpdates
SCHOOL CLOSED! Apologies but we have now decided to close the school, the situation isn’t going to get any better and we want you all safe. Please make sure if you have left, that you return safely and make the most of your day. Back open tomorrow. #CheckForUpdates
A winter weather advisory is out for parts of Georgia today and early Wednesday. The best advice is to avoid being on the road unless absolutely necessary when snow, freezing rain and sleet are falling. #checkforupdates #slowdown #buckleup
21 Oct 2017
Malaga Sports Tour 2017 has started! On our way to Gatwick 🛫⚽️🏉🏐 #dontforgetthepassports #checkforupdates @HarrisBeckenham
Please click on the "C" icon in the OSX bar > cogwheel > preferences > checkforupdates. This should prompt you to update to v.1.0.39 2/
ActCAD 2018 new version 84216 released. You can download from actcad.com/download-actcad-i… . Existing users can use the checkforupdates command.
The May Update for the Halo app is now available in the Windows Store! #CheckForUpdates
The April Update is now available on HaloWaypoint and the Halo app! #CheckForUpdates
The latest November Update of the Halo app showcases Halo Wars: Definitive Edition and some eSports additions! #CheckForUpdates