
Iranian APT Uses SEO Poisoning to Deliver Fake SQL Developer Malware Installer

Cyber Security News · Archived May 25, 2026




By Tushar Subhra Dutta, Cyber Security News, May 25, 2026

A well-known Iranian threat group has found a new way to push malware onto people's machines. Instead of sending phishing emails, the group built a fake website that impersonated a real database software download page and used search engine tricks to rank it near the top of results. Anyone who searched for the tool online and clicked the wrong link walked away with a backdoor quietly installed on their system.

The group behind this activity is Nimbus Manticore, also tracked as UNC1549, and it operates under Iran's Islamic Revolutionary Guard Corps (IRGC). The group has a long history of targeting software and aviation professionals through career-themed phishing lures. What makes this latest wave different is the use of search engine manipulation as a delivery mechanism, something researchers had not observed from this group before.

Check Point Research analysts identified this activity across three waves between February and April 2026, coinciding with and following the US military campaign against Iran known as Operation Epic Fury. According to a Check Point report shared with Cyber Security News (CSN), the group showed a strong ability to rapidly adapt tools and maintain infrastructure even under active wartime conditions.

The newest wave, which researchers call the "SQL Developer" campaign, unfolded in April 2026. The attackers registered a fake domain called getsqldeveloper[.]com that mimicked a legitimate download page for Oracle's SQL Developer, a widely used database management tool. Users who visited the site and attempted a download received a weaponized installer that silently deployed a newly discovered backdoor called MiniFast.

The operation was built on more than just one fake site. The attackers registered dozens of domains that all pointed back to the main fake page, boosting its ranking through link-based signals. The site also crammed in repeated phrases like "Download SQL Developer" to climb search results. At the time of analysis, the bogus domain appeared near the top of Bing and DuckDuckGo results for the search term "sql developer."

Iranian APT Uses SEO Poisoning

The shift to SEO poisoning marks a real change in how Nimbus Manticore runs its operations. Their past campaigns nearly always relied on tailored phishing emails with fake job offers aimed at employees in aviation and software companies.

Figure: During Operation Epic Fury – Attack Chain (Source – Check Point)

This time, instead of approaching targets directly, the group placed itself in the path of users who were already looking for a trusted piece of software. The fake site was crafted to look like a real download page. Once a user ran the installer, the infection started quietly in the background using a technique called AppDomain hijacking, which abuses how the .NET runtime loads application configuration files.

Figure: Screenshot of the getsqldeveloper[.]com site (Source – Check Point)

This allowed the malicious DLL to execute inside the context of a legitimate, trusted process without raising immediate suspicion.

MiniFast Backdoor and AI-Assisted Development

MiniFast is a 64-bit Windows DLL that functions as a full-featured backdoor built for long-term remote access. It communicates with attacker servers using structured HTTP endpoints and disguises its traffic by impersonating a Chrome browser through a hardcoded User-Agent string. Operators can use it to run shell commands, manage files, list running processes, upload data, and even attempt privilege escalation.

Check Point researchers also found clear signs that the malware was developed with help from AI tools. The code includes excessive error handling, verbose function names, and detailed debug messages, patterns that are common in AI-generated code. The group appears to be using large language models to speed up development and push out updated tools faster under wartime operational pressure.

Security teams are strongly advised to monitor for unexpected scheduled task changes and unusual DLL loading behavior, as these are central to the group's attack method. Users and organizations should always download software directly from official vendor sites rather than relying on search engine results, since SEO poisoning can push fake pages ahead of genuine ones with little warning.

Indicators of Compromise (IoCs)
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
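The article recommends watching for unusual DLL loading; as an added example (not code from the article or from Check Point), the checker below parses .NET application config files for the AppDomainManager override that the .NET Framework reads from an application's .exe.config, the documented mechanism behind AppDomain hijacking. The element names come from Microsoft's .NET configuration documentation, the sample config is constructed, and the article does not state which configuration keys this particular installer used.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements the .NET Framework honours under <runtime> in <app>.exe.config (names from
# Microsoft's .NET docs, not from the article): the assembly named here is loaded into
# the trusted process and its manager type runs before the application's Main().
SUSPECT_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
FRAMEWORK_PREFIXES = ("system.", "mscorlib", "microsoft.")

def find_appdomain_manager(config_xml: str) -> dict:
    """Return {element: value} for AppDomainManager settings found under <runtime>."""
    found = {}
    for runtime in ET.fromstring(config_xml).iter("runtime"):
        for child in runtime:
            if child.tag in SUSPECT_ELEMENTS:
                found[child.tag] = child.get("value", "")
    return found

def assess_config(config_path: str, config_xml: str) -> list:
    """Findings for one config file; an empty list means no AppDomainManager override."""
    settings = find_appdomain_manager(config_xml)
    if not settings:
        return []
    asm = settings.get("appDomainManagerAssembly", "")
    simple_name = asm.split(",")[0].strip()
    findings = [f"{config_path}: <runtime> requests AppDomainManager assembly '{asm}'"]
    if simple_name and not simple_name.lower().startswith(FRAMEWORK_PREFIXES):
        # A non-framework manager resolves from the application directory, which is
        # exactly where a DLL planted beside a trusted executable would sit.
        findings.append(f"{config_path}: non-framework manager '{simple_name}'; "
                        f"inspect {simple_name}.dll next to the executable")
    return findings

def scan_tree(root: str) -> list:
    """Walk a directory tree for *.exe.config files and collect findings."""
    findings = []
    for cfg in Path(root).rglob("*.exe.config"):
        try:
            findings.extend(assess_config(str(cfg), cfg.read_text(encoding="utf-8-sig")))
        except (ET.ParseError, OSError) as exc:
            findings.append(f"{cfg}: could not parse ({exc})")
    return findings

# Constructed sample config that shows the hijacking pattern (not a real artifact).
HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
  </runtime>
</configuration>"""
```

Run scan_tree() against a directory of installed .NET applications to list every config that overrides the AppDomainManager; assess_config("sample.exe.config", HIJACK_CONFIG) returns two findings for the constructed sample, and a manager assembly that is not part of the framework is the case worth inspecting first.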