MiniJunk
MiniJunk is a Windows backdoor used by the Iranian threat actor Nimbus Manticore, which reporting also links or overlaps with UNC1549, Smoke Sandstorm, TA455, and Tortoiseshell, and is assessed as affiliated with the IRGC. It is described as an evolution of the earlier Minibike implant, also known as SlugResin. Reporting places MiniJunk in espionage campaigns from at least 2025 through 2026 targeting high-value organizations and professionals in aerospace, defense manufacturing, telecommunications, aviation, satellite, software, and related sectors across Western Europe, the Middle East, the United States, Saudi Arabia, Australia, Israel, and the UAE.
Observed delivery and execution methods include recruitment- and career-themed spear-phishing, fake career portals impersonating companies such as Boeing, Airbus, Rheinmetall, flydubai, Telespazio, and Safran, OnlyOffice-hosted archives, and trojanized installers. Multiple reports state that MiniJunk was delivered via DLL sideloading and AppDomain hijacking. In 2026 activity, a benign Microsoft-signed executable and malicious .config file were used to abuse the .NET runtime and load a rogue DLL. Other infection chains used Setup.exe to sideload a malicious userenv.dll, then launched SenseSampleUploader.exe to sideload xmllite.dll. Reporting also describes a previously undocumented technique in which the malware modified low-level process execution parameters, specifically the DLL search path via RTL_USER_PROCESS_PARAMETERS/DllPath, to force DLL loading from attacker-controlled paths.
MiniJunk establishes persistence by copying itself to %AppData%\Local\Microsoft\MigAutoPlay\ and creating scheduled-task or autorun execution for MigAutoPlay.exe. In some cases the persistent executable displayed a fake network error to reduce suspicion. One report notes MiniJunk hooks ExitProcess when running as MigAutoPlay.exe. The malware collects host identifiers including computer name and domain-qualified username, and communicates with multiple hardcoded HTTPS command-and-control servers, typically three to five in rotation for redundancy. Network data has been described as encoded rather than encrypted, including byte and string reversal.
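The sideloading chains and the MigAutoPlay persistence described in the two paragraphs above translate directly into hunting logic. The following Python is an added example for this profile, not Mallory's or any vendor's detection content: it runs four checks over constructed Sysmon-style events. Event IDs 1 (process create), 7 (image load) and 11 (file create) and the field names are Sysmon's; every path, user name and command line in SAMPLE_EVENTS is invented for illustration, and the .exe.config check is a heuristic of mine for the .config-based AppDomain hijack rather than something the reporting states.

```python
# Added example (not from the reporting on this page): hunting checks for the
# MiniJunk delivery and persistence artefacts, run over constructed Sysmon-style events.
import ntpath

# Artefacts taken from the reporting (lower-cased for matching)
PERSISTENCE_DIR = "\\microsoft\\migautoplay\\"
PERSISTENCE_EXE = "migautoplay.exe"
# (legitimate host executable, DLL it was reported to sideload)
SIDELOAD_PAIRS = {
    "setup.exe": "userenv.dll",
    "sensesampleuploader.exe": "xmllite.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _low(value):
    return (value or "").lower()


def check_persistence(ev):
    """Process started from, or file written into, the MigAutoPlay drop directory."""
    if ev.get("EventID") == 1 and PERSISTENCE_DIR in _low(ev.get("Image")):
        return "process started from MigAutoPlay drop directory"
    if ev.get("EventID") == 11 and PERSISTENCE_DIR in _low(ev.get("TargetFilename")):
        return "file written to MigAutoPlay drop directory"
    return None


def check_scheduled_task(ev):
    """schtasks.exe creating a task whose action runs MigAutoPlay.exe."""
    if ev.get("EventID") != 1:
        return None
    cmd = _low(ev.get("CommandLine"))
    if (ntpath.basename(_low(ev.get("Image"))) == "schtasks.exe"
            and "/create" in cmd and PERSISTENCE_EXE in cmd):
        return "scheduled task created for MigAutoPlay.exe"
    return None


def check_sideload(ev):
    """A named host EXE loading its paired DLL from outside the Windows system directories."""
    if ev.get("EventID") != 7:
        return None
    host = ntpath.basename(_low(ev.get("Image")))
    loaded = _low(ev.get("ImageLoaded"))
    expected = SIDELOAD_PAIRS.get(host)
    if expected and ntpath.basename(loaded) == expected and not loaded.startswith(SYSTEM_DIRS):
        return f"{host} loaded {expected} from non-system path {loaded}"
    return None


def check_appdomain_config(ev):
    """Heuristic (my assumption, not from the reporting): an .exe.config dropped in a
    user-writable directory is a candidate for the .config-based AppDomain hijack."""
    target = _low(ev.get("TargetFilename"))
    if ev.get("EventID") == 11 and target.endswith(".exe.config") and target.startswith("c:\\users\\"):
        return f"application config dropped in user-writable path {target}"
    return None


CHECKS = (check_persistence, check_scheduled_task, check_sideload, check_appdomain_config)


def hunt(events):
    """Return (event index, finding) for every event that matches a check."""
    findings = []
    for i, ev in enumerate(events):
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((i, hit))
    return findings


# Constructed sample telemetry: one benign system load, then a Survey.zip-style chain.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\xmllite.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Survey\Setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Survey\userenv.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Survey\SenseSampleUploader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Survey\xmllite.dll"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\Survey\SenseSampleUploader.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\MigAutoPlay\MigAutoPlay.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /SC ONLOGON /TN Updater /TR "C:\Users\alice\AppData\Local\Microsoft\MigAutoPlay\MigAutoPlay.exe"'},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Microsoft\MigAutoPlay\MigAutoPlay.exe",
     "CommandLine": "MigAutoPlay.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\Survey\Setup.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Survey\Helper.exe.config"},
]

if __name__ == "__main__":
    for index, finding in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

The sideload check keys on the host/DLL pairs the reporting names rather than on any DLL loaded from a user directory, which keeps it quiet on developer machines; widen SIDELOAD_PAIRS as new chains are documented. The benign first event (xmllite.dll loaded from System32 by svchost) is there to show the checks do not fire on the legitimate copy.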
Documented backdoor capabilities include system identification, file read/write, directory listing, file deletion, file move/rename, process creation, process listing or termination, DLL loading, and execution of additional payloads. Reporting consistently emphasizes strong anti-analysis measures: heavy compiler-level obfuscation, junk code insertion, control-flow obfuscation, opaque predicates, encrypted strings, and binary size inflation, with some researchers assessing the obfuscation may have been implemented through custom LLVM passes. Some campaigns also used valid SSL.com code-signing certificates to reduce detection.
MiniJunk was frequently deployed alongside MiniBrowse, a lightweight stealer targeting Chrome and Edge credentials. In 2026 reporting, MiniJunk was described as an older backdoor later supplanted in some campaign waves by MiniFast/MiniUpdate, while Unit 42 also referenced an updated MiniJunk V2. High-confidence infrastructure and infection artifacts mentioned in the reporting include persistence under %AppData%\Local\Microsoft\MigAutoPlay\, use of Setup.exe, userenv.dll, SenseSampleUploader.exe, xmllite.dll, and AppDomain hijacking chains involving malicious configuration files and loader DLLs.
Groups observed using it
3 distinct threat actors attributed by public researchers.
The attacks, seen throughout the 2026 Iran war in March, followed previous campaigns throughout February using an older backdoor called MiniJunk.
The primary payload, dubbed MiniJunk, is an evolved version of the Minibike backdoor first documented in 2022. MiniJunk employs advanced obfuscation techniques... MiniJunk establishes persistence by copying itself to `%AppData%\Local\Microsoft\MigAutoPlay\` and creating a scheduled task... The backdoor supports commands like file reading, process creation, and DLL loading, communicating with multiple hardcoded C2 servers via HTTPS...
Over subsequent years, the group layered in additional tooling — MiniJunk, MiniBrowse, DCSyncer.Slick, DeepRoot, GhostLine, LightRail, and others...
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Both waves of attacks utilized career-themed phishing lures for initial access... As in previous attacks, Nimbus Manticore used career-themed phishing lures to spread MiniFast during Operation Epic Fury, specifically impersonating a U.S. domestic airline. Victims were lured to install a trojanized version of the legitimate Zoom installer after clicking a fake meeting invitation link.
Employees at software and aviation companies in Saudi Arabia and Australia received bogus career offers, luring them into downloading a ZIP archive hosted on OnlyOffice.
The threat actor uses tailored spear-phishing from alleged HR recruiters directing victims to fake career portals.
Execution
8 techniques
Command 6: Create a process and use a named pipe for its output (argument: process path)
The backdoor supports commands like file reading, process creation, and DLL loading, communicating with multiple hardcoded C2 servers via HTTPS, with data encoded through byte reversal.
User Execution: The victim runs Setup.exe from the archive.
"...the malicious site delivers weaponized archives containing advanced malware."
Another method of sending those files is through connecting and sending the JSONs to a named pipe.
Persistence
2 techniques
Privilege Escalation
3 techniques
Stealth
7 techniques
The tools continuously evolve to remain covert, leveraging valid digital signatures, inflating binary sizes, and using multi-stage sideloading and heavy, compiler-level obfuscation.
Nimbus Manticore exploits this by inflating binaries with inert junk code blocks.
The threat actor impersonates local and global aerospace, defense manufacturing, and telecommunications organizations.
The actors also inflate binary sizes with junk code to bypass antivirus heuristics and machine-learning models that truncate analysis of large files.
Defense Impairment
2 techniques
Command 10: Move / rename file (arguments: file target, file destination)
In May, Nimbus Manticore started to use the service SSL.com to sign their code.
Discovery
5 techniques
The backdoor then collects two identifiers from the infected system: the computer name and the domain name with the username.
Command 4: List hard drives / list files in a folder (argument: a string to list all hard drives, or a directory path to list all files in it)
Collection
1 technique
The infection chain begins with a ZIP archive file - it was named Survey.zip in a sample analyzed by Check Point - which contains a legitimate Windows executable, Setup.exe, that sideloads a malicious userenv.dll.
Command and Control
3 techniques
The backdoor uses regular HTTPS requests using the Windows API.
Command 3: Create file (arguments: file path, URL to the file on the C2)
The backdoor supports commands like file reading, process creation, and DLL loading, communicating with multiple hardcoded C2 servers via HTTPS, with data encoded through byte reversal.
Exfiltration
1 technique
After parsing the command, in this case, the backdoor sends the file from the specified path via several network requests, based on the chunk size provided as an argument.
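For an analyst holding decrypted proxy captures, the exfiltration behaviour above (a file sent as several requests of a fixed chunk size) combined with the byte-reversal encoding and C2 rotation noted earlier means the file has to be put back together across hosts, not per host. The Python below is an added example, not a tool from the reporting or from Mallory: it reassembles such a transfer from a constructed capture and flags gaps. The capture shape (sequence number, host, body), the placeholder host names, and the assumption that each chunk is reversed individually are mine; the reporting does not specify the framing.

```python
# Added example (not from the reporting on this page): reassemble a chunked,
# byte-reversed file transfer from a constructed proxy capture.
import hashlib

# Constructed sample: the file the implant would read from disk on the victim.
SAMPLE_FILE = b"".join(f"line {i}: constructed test content\n".encode() for i in range(40))
CHUNK_SIZE = 256
# Constructed C2 rotation (placeholder names, not real indicators).
C2_HOSTS = ("c2-a.example.invalid", "c2-b.example.invalid", "c2-c.example.invalid")


def reverse_bytes(data):
    """Undo the byte-reversal encoding; the operation is its own inverse."""
    return data[::-1]


def split_into_chunks(data, chunk_size):
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]


def simulate_capture(data, chunk_size, hosts):
    """Build a constructed capture: one (seq, host, body) tuple per request, bodies
    byte-reversed, requests rotated across the C2 hosts. Exists only to give the
    reassembler realistic input; it is not an implementation of the implant."""
    chunks = split_into_chunks(data, chunk_size)
    return [(i, hosts[i % len(hosts)], reverse_bytes(c)) for i, c in enumerate(chunks)]


def reassemble(capture, chunk_size):
    """Recover the transferred file from captured request bodies, ignoring which
    host each chunk went to. Returns (data, problems); problems lists missing
    sequence numbers and chunk-size anomalies so an incomplete capture or a
    wrong chunk_size guess is visible instead of silently producing a bad file."""
    ordered = sorted(capture, key=lambda r: r[0])
    problems = []
    seqs = [r[0] for r in ordered]
    if seqs:
        missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
        if missing:
            problems.append(f"missing sequence numbers: {missing}")
    parts = []
    for idx, (seq, host, body) in enumerate(ordered):
        decoded = reverse_bytes(body)
        is_last = idx == len(ordered) - 1
        if len(decoded) > chunk_size or (not is_last and len(decoded) != chunk_size):
            problems.append(f"chunk {seq} via {host} has unexpected length {len(decoded)}")
        parts.append(decoded)
    return b"".join(parts), problems


def sha256_hex(data):
    """Hash of the recovered file, for comparison with a hash taken from the host."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    capture = simulate_capture(SAMPLE_FILE, CHUNK_SIZE, C2_HOSTS)
    recovered, problems = reassemble(capture, CHUNK_SIZE)
    hosts_seen = {host for _, host, _ in capture}
    print(f"{len(capture)} requests across {len(hosts_seen)} hosts")
    print("recovered sha256:", sha256_hex(recovered))
    print("matches original:", recovered == SAMPLE_FILE, "problems:", problems)
```

Grouping by host first is the common mistake here: with three hosts in rotation, each host sees only every third chunk and a per-host view looks like a corrupted transfer. Sorting on the sequence number across all hosts, then checking that every non-final chunk has exactly the documented chunk size, gives a quick confidence test that the chunk-size argument was read correctly from the command.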
IOCs tracked for this family
108 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Older backdoor used by Nimbus Manticore in campaigns preceding MiniFast. It was spread using career-themed phishing lures and AppDomain hijacking techniques to execute malicious payloads.
A backdoor used by Nimbus Manticore, delivered via AppDomain hijacking using a benign signed executable and malicious configuration/DLL loading chain.
A RAT family used by Nimbus Manticore and delivered via AppDomain hijacking; an updated variant called MiniJunk V2 was also observed in espionage campaigns.
MiniJunk is a malware framework/backdoor previously used by Nimbus Manticore. In this campaign, a new version of the MiniJunk backdoor was deployed via DLL sideloading/AppDomain hijacking before the actor later transitioned to MiniFast.