Nimbus Manticore APT Abuses Fake Recruitment Portal to Deliver Custom Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A state-linked hacking group has been caught running a carefully crafted fake recruitment operation to push custom malware onto unsuspecting victims.

The group, known as Nimbus Manticore and also tracked as UNC1549 and Smoke Sandstorm, has a long history of targeting professionals in the aerospace and defense sectors across the Middle East and Europe.

Their latest campaign shows a notable step up in technical sophistication, blending social engineering with a multi-stage malware delivery chain that is hard to detect.

The attackers started by reaching out to employees on LinkedIn through a fake but convincing recruiter profile. The persona claimed to be headhunting talent for Ebix, a real company in the insurance and banking technology space, and dangled a salary offer of $200,000 to make the pitch more appealing.

Victims were then directed to a polished fake hiring portal at ebix[.]recruitment-flow[.]com, which required login credentials before any malicious content was served.

Analysts at Nextron identified this sophisticated sideloading infection chain during a recent incident response engagement, attributing the activity to Nimbus Manticore with confidence. 

Nextron said in a report shared with Cyber Security News (CSN) that the group’s core tradecraft stays remarkably consistent across campaigns, even as individual tools and payloads shift between operations.

The report details how the operators have evolved their techniques while keeping the same underlying patterns in place.

Once logged into the fake portal, victims were prompted to download what appeared to be a two-factor authentication app for added security during the hiring process.

Fake job description used by the threat actor (Source – Nextron)

That app arrived as a ZIP archive carrying the actual malware. The entire flow was designed to look routine, lowering the victim’s guard at every step before the payload had a chance to execute.

Nimbus Manticore APT Abuses Fake Recruitment Portal

The ZIP archive contained a renamed Microsoft Visual Studio component called setup.exe, which is legitimately signed by Microsoft.

The attackers modified its configuration file (setup.exe.config) so that the .NET runtime loaded a malicious library named TOTPGuard.dll from the same folder before the program's own code ran, instead of following normal execution.

Fake hiring portal impersonating Ebix (Source – Nextron)

This technique, known as AppDomain hijacking, meant the initial process appeared clean and was unlikely to trigger standard security alerts.
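A defender's triage check for the configuration trick described above, written as an added example (not Nextron's code and not the attacker's file). It assumes the redirection is done through the documented .NET Framework `<runtime>` settings `appDomainManagerAssembly` and `appDomainManagerType`; both sample config documents below are constructed for illustration, and the `scan_tree` helper is meant to be pointed at a user's AppData folder during incident response.

```python
"""Triage helper: flag .NET Framework application config files that redirect
the AppDomainManager to an assembly shipped beside the executable.

Added example, not Nextron's code or the real attacker file. It assumes the
redirection uses the documented <runtime> settings appDomainManagerAssembly /
appDomainManagerType; both sample configs below are constructed.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample: a config that points the runtime at a sideloaded library.
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="TOTPGuard, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="TOTPGuard.Manager" />
  </runtime>
</configuration>
"""

# Constructed sample: an ordinary config with no AppDomainManager override.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


@dataclass
class Finding:
    assembly: str       # short name of the assembly the runtime is told to load
    manager_type: str   # type requested as the AppDomainManager
    unsigned: bool      # PublicKeyToken=null means no strong-name signature


def _setting(runtime: ET.Element, name: str) -> str:
    """Read a <runtime> child. The value normally sits in a 'value' attribute;
    fall back to element text so hand-edited files are not missed."""
    el = runtime.find(name)
    if el is None:
        return ""
    return (el.get("value") or el.text or "").strip()


def scan_config(xml_doc: Union[str, bytes]) -> Optional[Finding]:
    """Return a Finding if the config redirects the AppDomainManager, else None."""
    root = ET.fromstring(xml_doc)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = _setting(runtime, "appDomainManagerAssembly")
    typ = _setting(runtime, "appDomainManagerType")
    if not asm and not typ:
        return None
    short_name = asm.split(",")[0].strip() or "<unspecified>"
    unsigned = "publickeytoken=null" in asm.lower()
    return Finding(short_name, typ, unsigned)


def scan_tree(root_dir: str) -> List[Tuple[str, Finding]]:
    """Walk a directory (e.g. a user's AppData) and report every *.exe.config
    that carries an AppDomainManager override. Unreadable or malformed files
    are skipped rather than aborting the sweep."""
    hits: List[Tuple[str, Finding]] = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    finding = scan_config(fh.read())
            except (OSError, ET.ParseError):
                continue
            if finding:
                hits.append((path, finding))
    return hits


if __name__ == "__main__":
    for label, cfg in (("suspicious", SUSPICIOUS_CONFIG), ("benign", BENIGN_CONFIG)):
        print(label, "->", scan_config(cfg))
```

A config sitting next to a Microsoft-signed binary in a user-writable folder and naming an unsigned assembly is the combination worth escalating; a signed, properly installed application may legitimately set an AppDomainManager, so the `unsigned` flag is context for the analyst rather than a verdict on its own.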

After the victim ran setup.exe, it displayed a convincing fake Ebix interface that asked for a secret key and then showed a working one-time password generator.

The app behaved like a real tool throughout the process, making it far harder for victims to suspect anything was wrong.

2FA app with fake Ebix branding (Source – Nextron)

Behind the scenes, the malware decrypted an embedded payload using hardcoded AES keys and dropped it to disk at a path inside the user’s AppData folder.

Persistence, C2, and Evasion Tactics

The malware then created a scheduled task named “BackupCheck” to run at every login, ensuring it stayed active on the infected machine.
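A triage script for this kind of persistence, added here as an example rather than taken from Nextron's report. It parses Task Scheduler XML (the format Windows keeps under C:\Windows\System32\Tasks) and flags tasks that combine a logon trigger with an action in a user-writable directory, or whose name is on a watchlist. The two task documents are constructed; the command path in the suspicious one is an assumption modelled on the AppData drop location the article describes, and the BackupCheck name comes from the article.

```python
"""Triage helper for logon-triggered scheduled tasks that run from
user-writable directories.

Added example, not Nextron's code. Task XML on a live host lives under
C:\\Windows\\System32\\Tasks as UTF-16 files; the two documents below are
constructed for illustration.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Union

# Namespace used by Task Scheduler XML documents.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directory fragments an ordinary user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Task names reported for this campaign; analysts can extend the set.
WATCHLIST = {"backupcheck"}

# Constructed: mirrors the reported task (name from the article, path assumed).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\BackupCheck</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\jdoe\\AppData\\Roaming\\2FAGuard\\setup.exe</Command></Exec>
  </Actions>
</Task>
"""

# Constructed: an ordinary maintenance task run from the system directory.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h</Arguments></Exec>
  </Actions>
</Task>
"""


@dataclass
class TaskReport:
    name: str
    logon_trigger: bool
    commands: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_task(xml_doc: Union[str, bytes]) -> TaskReport:
    """Parse one task document and explain why (if at all) it looks suspicious."""
    root = ET.fromstring(xml_doc)
    name = (root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS) or "").strip()
    logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    commands = [(c.text or "").strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    report = TaskReport(name, logon, commands)

    from_user_dir = [c for c in commands if any(m in c.lower() for m in USER_WRITABLE)]
    if logon and from_user_dir:
        report.reasons.append("logon trigger runs from user-writable path: " + ", ".join(from_user_dir))
    if name.lstrip("\\").lower() in WATCHLIST:
        report.reasons.append("task name on watchlist: " + name)
    return report


def scan_tasks_dir(tasks_dir: str) -> List[TaskReport]:
    """Walk the Tasks folder and return only suspicious reports. Files are read
    as bytes so expat can detect the UTF-16 BOM Windows writes them with."""
    out: List[TaskReport] = []
    for dirpath, _, files in os.walk(tasks_dir):
        for fn in files:
            try:
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    rep = triage_task(fh.read())
            except (OSError, ET.ParseError):
                continue
            if rep.suspicious:
                out.append(rep)
    return out


if __name__ == "__main__":
    for doc in (SUSPICIOUS_TASK, BENIGN_TASK):
        r = triage_task(doc)
        print(r.name, "suspicious" if r.suspicious else "ok", r.reasons)
```

The path heuristic is deliberately the same one the AppLocker advice later in the article relies on: code that has to start from AppData or Temp at every logon is unusual for managed software, so the combination is a strong triage signal even before the task name is known.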

The main payload, stored as main.dll, communicated with command-and-control servers hosted on Microsoft Azure, a trusted cloud platform that blends into normal network traffic for many organizations.

The C2 domains used benign-sounding names that matched the hiring campaign theme, making them easy to overlook during a quick review.

The native implant also ran anti-analysis checks, including verifying its own process name and checking for attached debuggers by inspecting the Process Environment Block (PEB).

The operators appeared to significantly increase the level of code obfuscation compared to earlier campaigns, likely in response to prior public reporting from other security vendors.

Despite these added layers, the core functionality, including data exfiltration and C2 communication, remained consistent with previously documented Nimbus Manticore behavior.

Defenders can take several concrete steps to reduce exposure to this type of attack. Organizations should block or restrict access to newly registered domains, particularly in sensitive departments such as HR, finance, and legal.

Using Windows AppLocker to prevent execution from user-writable directories such as AppData and Temp can significantly reduce the chance of staged payloads running.

Security awareness training should also expand beyond email-based phishing to include social media platforms and job portal-based social engineering, where this group has proven especially active.

Indicators of Compromise (IoCs)

| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 06d12a4c4e3cc725dba37445cebeba41803718ccdb63d9d637355a241f651668 | Fake Airbus Job Description PDF |
| SHA-256 | 9b63b744dc1f3a24f057a404c5622ed0ca933752a00ce05117727c7d11f05536 | Fake Airbus Job Description PDF |
| SHA-256 | 620c51f4376cb79f0109c21971c28661418ae50b119585e3ffdb8011189fcb7b | Fake Ebix Job Description PDF |
| SHA-256 | d1f525eb9347133b92e9558e1413558c8348c0f35a62577f60a5192ba38eb776 | TOTPGuard.zip |
| SHA-256 | 8e5fc0998838559ca8611e6c03fd998a17ffc2eade24715b2fc3e723c712eb8b | setup.exe.config |
| SHA-256 | eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71 | TOTPGuard.dll (Stager) |
| SHA-256 | dfa1e3137a032ee8561a1cd5e1a0f71a10bebb36aef7c336c878638a9c1239ee | main.dll (Native Implant) |
| SHA-256 | 3628d13d2f8af7663d58dd1aa352c8f12d12233a7318ee203f01f195573a2ed2 | EbixExam.Desktop.zip |
| SHA-256 | c7ef2ec19d158301773b1590f5b5eeb362a30f725acad8f5b3a230e9f26d14be | EbixExam.Updater.dll |
| SHA-256 | 072744ce205bb89a36e563a86f30df5689e64eee75106b97ce708551c8194bbc | EbixExam.Updater.ServiceHub.dll |
| Domain | globalitconsultants[.]azurewebsites[.]net | C2 domain associated with main.dll |
| Domain | globalbusiness-checkers-it[.]azurewebsites[.]net | C2 domain associated with main.dll |
| Domain | global-check-business-it[.]azurewebsites[.]net | C2 domain associated with main.dll |
| Domain | global-check-itbusiness[.]azurewebsites[.]net | C2 domain associated with main.dll |
| Domain | global-it-checkbusiness[.]azurewebsites[.]net | C2 domain associated with main.dll |
| Domain | global-it-consultants[.]azurewebsites[.]net | C2 domain associated with main.dll |
| Domain | globalit-consultants[.]azurewebsites[.]net | C2 domain associated with main.dll |
| Domain | global-it-checkers[.]azurewebsites[.]net | C2 domain associated with main.dll |
| Domain | business-dns-ns-joiners[.]azurewebsites[.]net | C2 domain associated with EbixExam.Updater.ServiceHub.dll |
| Domain | ebix-exam-join-from-app[.]azurewebsites[.]net | C2 domain associated with EbixExam.Updater.ServiceHub.dll |
| Domain | business-joiners-exam[.]azurewebsiets[.]net | C2 domain associated with EbixExam.Updater.ServiceHub.dll |
| Domain | join-exam-now-ebix[.]azurewebsites[.]net | C2 domain associated with EbixExam.Updater.ServiceHub.dll |
| Domain | ebix[.]recruitment-flow[.]com | Fake Ebix hiring portal used for initial lure |
| File Path | AppData\Roaming\2FAGuard\main.dll | Dropped payload path on disk |
| File Path | AppData\Roaming\2FAGuard\setup.exe.config | Dropped stager config path |
| File Path | AppData\Local\VirtualStore\result.con | File artifact associated with main.dll |
| File Path | CKAConsent.dll | File artifact associated with main.dll |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
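As an added example of putting the domain indicators above to use (not code from Nextron or CSN), the script below refangs the published domains inside an analyst's own tooling, as the note recommends, and sweeps DNS query logs for exact matches and subdomains. It goes beyond the article's bracketed-dot convention by also handling other common defanging styles, so it can be fed indicators from other sources. The log lines and their format (timestamp, client IP, query=<name>) are constructed.

```python
"""Refang domain indicators and sweep DNS query logs for them.

Added example, not Nextron's or CSN's code. The indicators are copied from
the table above; the log lines and their layout are constructed.
"""
import re
from typing import Dict, Iterable, List

# Indicators copied from the table above, still defanged.
DEFANGED = [
    "globalitconsultants[.]azurewebsites[.]net",
    "business-dns-ns-joiners[.]azurewebsites[.]net",
    "ebix[.]recruitment-flow[.]com",
]

# Defanging conventions seen in threat-intel feeds. The article uses [.];
# the other forms are handled so indicators from other feeds parse too.
_REFANG = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
    (re.compile(r"^hxxp", re.IGNORECASE), "http"),
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator into its resolvable form: trimmed,
    lowercased, and without a trailing dot."""
    s = indicator.strip()
    for pattern, replacement in _REFANG:
        s = pattern.sub(replacement, s)
    return s.lower().rstrip(".")


def domain_matches(query: str, indicator: str) -> bool:
    """True if the queried name is the indicator itself or a subdomain of it."""
    q = query.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


# Constructed log layout: "<timestamp> <client-ip> query=<name> type=<rrtype>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query=(?P<qname>\S+)")


def sweep_dns_log(lines: Iterable[str], defanged_indicators: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose query name matches an indicator."""
    iocs = [refang(i) for i in defanged_indicators]
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a DNS record in the expected layout
        for ioc in iocs:
            if domain_matches(m["qname"], ioc):
                hits.append({"ts": m["ts"], "client": m["client"],
                             "query": m["qname"], "indicator": ioc})
                break
    return hits


# Constructed sample log: two direct hits, one benign query, one subdomain
# hit with mixed case and a trailing dot, and one line that is not a record.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z 10.20.1.15 query=globalitconsultants.azurewebsites.net type=A
2024-05-02T09:14:05Z 10.20.1.15 query=ebix.recruitment-flow.com type=A
2024-05-02T09:15:11Z 10.20.1.22 query=login.microsoftonline.com type=A
2024-05-02T09:16:40Z 10.20.1.15 query=cdn.Business-DNS-NS-Joiners.azurewebsites.net. type=A
this line is not a dns record
"""


if __name__ == "__main__":
    for hit in sweep_dns_log(SAMPLE_LOG.splitlines(), DEFANGED):
        print(hit)
```

Matching on suffix rather than equality matters here because the C2 names are Azure App Service hostnames; a resolver log may show additional labels in front of the published name, and a normalised comparison keeps those from slipping past an exact-match rule.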
