Iranian APT Uses SEO Poisoning to Deliver Fake SQL Developer Malware Installer

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A well-known Iranian threat group has found a new way to push malware onto people’s machines. Instead of sending phishing emails, the group built a fake website that impersonated a real database software download page and used search engine tricks to rank it near the top of results.

Anyone who searched for the tool online and clicked the wrong link walked away with a backdoor quietly installed on their system.

The group behind this activity is Nimbus Manticore, also tracked as UNC1549, and it operates under Iran’s Islamic Revolutionary Guard Corps (IRGC).

The group has a long history of targeting software and aviation professionals through career-themed phishing lures. What makes this latest wave different is the use of search engine manipulation as a delivery mechanism, something researchers had not observed from this group before.

Check Point Research analysts identified this activity across three waves between February and April 2026, coinciding with and following the US military campaign against Iran known as Operation Epic Fury.

According to a report Check Point shared with Cyber Security News (CSN), the group showed a strong ability to rapidly adapt tools and maintain infrastructure even under active wartime conditions.

The newest wave, which researchers call the “SQL Developer” campaign, unfolded in April 2026. The attackers registered a fake domain called getsqldeveloper[.]com that mimicked a legitimate download page for Oracle’s SQL Developer, a widely used database management tool.

Users who visited the site and attempted a download received a weaponized installer that silently deployed a newly discovered backdoor called MiniFast.

The operation was built on more than just one fake site. The attackers registered dozens of domains that all pointed back to the main fake page, boosting its ranking through link-based signals.

The site also crammed in repeated phrases like “Download SQL Developer” to climb search results. At the time of analysis, the bogus domain appeared near the top of Bing and DuckDuckGo results for the search term “sql developer.”

Iranian APT Uses SEO Poisoning

The shift to SEO poisoning marks a real change in how Nimbus Manticore runs its operations. Their past campaigns nearly always relied on tailored phishing emails with fake job offers aimed at employees in aviation and software companies.

During Operation Epic Fury – Attack Chain (Source – Check Point)

This time, instead of approaching targets directly, the group placed itself in the path of users who were already looking for a trusted piece of software.

The fake site was crafted to look like a real download page. Once a user ran the installer, the infection started quietly in the background using a technique called AppDomain hijacking, which abuses how the .NET runtime loads application configuration files.

Screenshot of the getsqldeveloper[.]com site (Source – Check Point)

This allowed the malicious DLL to execute inside the context of a legitimate, trusted process without raising immediate suspicion.
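As an added defender-side check that is not part of the Check Point report or the article: the script below walks a directory tree for .exe.config files that direct the .NET runtime to load a custom AppDomainManager, which is the standard mechanism behind AppDomain hijacking (that the campaign used this exact mechanism is an assumption here), and reports whether the named assembly's DLL sits beside the executable. The sample configs and the name UpdaterHelper are constructed for the demonstration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Under <configuration><runtime>, these two elements make the .NET runtime load a custom
# AppDomainManager before the program's own Main runs; benign desktop apps rarely set them.
SUSPECT_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

def inspect_config(config_path):
    """Return a finding dict if this .exe.config redirects the runtime to a custom AppDomainManager."""
    try:
        runtime = ET.parse(config_path).getroot().find("runtime")
    except ET.ParseError:
        return None  # malformed XML is a separate hygiene issue, not this technique
    if runtime is None:
        return None
    values = {c.tag: c.get("value", "") for c in runtime if c.tag in SUSPECT_ELEMENTS}
    if not values:
        return None
    # The assembly's simple name (text before the first comma) resolves to <name>.dll beside
    # the exe, so a matching DLL in the application folder is the dropped payload to triage.
    asm_name = values.get("appDomainManagerAssembly", "").split(",")[0].strip()
    dll_path = os.path.join(os.path.dirname(config_path), asm_name + ".dll")
    return {"config": config_path, "assembly": values.get("appDomainManagerAssembly", ""),
            "type": values.get("appDomainManagerType", ""),
            "dll_present_beside_exe": os.path.isfile(dll_path)}

def scan_tree(root_dir):
    """Walk a directory tree and return findings for every *.exe.config in it."""
    paths = (os.path.join(d, n) for d, _, names in os.walk(root_dir)
             for n in names if n.lower().endswith(".exe.config"))
    return [f for f in map(inspect_config, paths) if f]

# Constructed samples, not from the report; "UpdaterHelper" is a made-up assembly name.
BENIGN = '<configuration><startup><supportedRuntime version="v4.0"/></startup></configuration>'
HIJACKED = ('<configuration><runtime>'
            '<appDomainManagerAssembly value="UpdaterHelper, Version=1.0.0.0, Culture=neutral" />'
            '<appDomainManagerType value="UpdaterHelper.Manager" /></runtime></configuration>')

def demo():
    """Build a throwaway tree with one clean app and one hijacked installer, then scan it."""
    base = tempfile.mkdtemp()
    for folder, cfg in (("CleanApp", BENIGN), ("Installer", HIJACKED)):
        os.makedirs(os.path.join(base, folder))
        with open(os.path.join(base, folder, folder + ".exe.config"), "w") as f:
            f.write(cfg)
    with open(os.path.join(base, "Installer", "UpdaterHelper.dll"), "wb") as f:
        f.write(b"MZ")  # stand-in for the dropped payload DLL
    return scan_tree(base)
```

Pointing scan_tree at Program Files or a user's Downloads folder turns the same logic into a quick triage sweep; a hit with dll_present_beside_exe set is the pairing worth pulling for analysis.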

MiniFast Backdoor and AI-Assisted Development

MiniFast is a 64-bit Windows DLL that functions as a full-featured backdoor built for long-term remote access.

It communicates with attacker servers using structured HTTP endpoints and disguises its traffic by impersonating a Chrome browser through a hardcoded User-Agent string.

Operators can use it to run shell commands, manage files, list running processes, upload data, and even attempt privilege escalation.

Check Point researchers also found clear signs that the malware was developed with help from AI tools. The code includes excessive error handling, verbose function names, and detailed debug messages that are common patterns in AI-generated code.

The group appears to be using large language models to speed up development and push out updated tools faster under wartime operational pressure.

Security teams are strongly advised to monitor for unexpected scheduled task changes and unusual DLL loading behavior, as these are central to the group’s attack method.

Users and organizations should always download software directly from official vendor sites rather than relying on search engine results, since SEO poisoning can push fake pages ahead of genuine ones with little warning.

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
