Mallory
Malware (used by 1 actor)

MiniBrowse

MiniBrowse is a lightweight credential-stealing malware family associated with the Iran-linked threat actor Nimbus Manticore, which overlaps with tracking names including UNC1549 and Smoke Sandstorm; related reporting also places it within Tortoiseshell-linked tooling. It is used in cyber-espionage campaigns targeting aerospace, defense manufacturing, telecommunications, aviation, satellite, airline, and other high-value organizations in the Middle East and Western Europe, including reported focus on Denmark, Sweden, Portugal, Israel, and the UAE. MiniBrowse is deployed alongside the MiniJunk backdoor in recruitment-themed spear-phishing operations that impersonate companies such as Boeing, Airbus, Rheinmetall, and flydubai. Victims are directed to fake career portals with unique URLs and credentials, which deliver malicious ZIP archives. The broader infection chain uses DLL sideloading and hijacking via legitimate Windows executables; MiniBrowse is specifically described as being delivered as an injected DLL.

MiniBrowse has separate variants targeting Google Chrome and Microsoft Edge. Its primary function is to steal stored browser credentials and related login files. Reported behavior includes collecting system identifiers, sending victim identifiers to a predefined C2 endpoint, exfiltrating browser login-related files via HTTP POST, and exfiltrating data in JSON payloads to command-and-control servers. It also uses named pipes for internal communication. One report states MiniBrowse proceeds with browser credential theft when its C2 server responds with an HTTP status other than 200.

The malware is described as optimized for stealth and avoiding security alerts, and reporting notes that MiniBrowse samples used heavy compiler-level obfuscation, including junk code insertion and encrypted strings. No standalone IOCs specific to MiniBrowse were provided in the content.
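As an added defender-side example (not code from this page or from the reporting it summarises), the check below flags the DLL sideloading pattern described above: a legitimate executable loading a Windows system DLL from its own directory instead of from System32 or SysWOW64. The evidence on this page names Setup.exe sideloading userenv.dll; the event records are constructed in the style of Sysmon image-load events, not real telemetry.

```python
import ntpath

# Constructed image-load records in the style of Sysmon Event ID 7
# (Image = loading process, ImageLoaded = DLL). Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\Survey\Setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Survey\userenv.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\userenv.dll"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\userenv.dll"},
]

# System DLLs worth watching; userenv.dll is the one named on this page.
# Extend the set with other DLLs commonly abused for sideloading.
WATCHED_DLLS = {"userenv.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _under(directory, root):
    """True if directory is root or a subdirectory of root (case-folded)."""
    return directory == root or directory.startswith(root + "\\")


def classify_load(event):
    """Return None for a benign load, 'sideload' when a watched DLL is loaded
    from the loading EXE's own directory, and 'hijack' when it is loaded
    from any other non-system location."""
    loaded = event["ImageLoaded"]
    if ntpath.basename(loaded).lower() not in WATCHED_DLLS:
        return None
    dll_dir = ntpath.dirname(loaded).lower()
    if any(_under(dll_dir, root) for root in SYSTEM_DIRS):
        return None  # the genuine copy shipped with Windows
    exe_dir = ntpath.dirname(event["Image"]).lower()
    return "sideload" if dll_dir == exe_dir else "hijack"


def find_suspicious_loads(events):
    """Collect (process, dll, verdict) for every event that is not benign."""
    hits = []
    for event in events:
        verdict = classify_load(event)
        if verdict:
            hits.append((event["Image"], event["ImageLoaded"], verdict))
    return hits


if __name__ == "__main__":
    for image, dll, verdict in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"{verdict}: {image} loaded {dll}")
```

The prefix check on the system directories deliberately requires a path separator after the root so that a look-alike directory such as `System32evil` is not treated as trusted.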

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Magic Hound

MiniBrowse is a lightweight stealer used by Nimbus Manticore. We observed two variants, one to steal Chrome credentials and another which targets Edge.

Source: Check Point Research blog (research.checkpoint.com)
MITRE ATT&CK

Techniques & procedures

19 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1566 Phishing (evidence: 2)

The campaign employs highly targeted spear-phishing, impersonating HR recruiters from reputable organizations like Boeing, Airbus, and Rheinmetall. Victims receive personalized phishing emails with unique URLs and credentials directing them to fraudulent career portals built on React templates.

T1566.001 Spearphishing Attachment (evidence: 1)

These portals, often hosted behind Cloudflare to mask server IPs, deliver malicious ZIP archives disguised as legitimate software.

T1566.002 Spearphishing Link (evidence: 2)

The threat actor uses tailored spear-phishing from alleged HR recruiters directing victims to fake career portals.

Execution

2 techniques
T1204.002 Malicious File (evidence: 1; tactic: Execution)

"...the malicious site delivers weaponized archives containing advanced malware."

T1559.001 Component Object Model (evidence: 2; tactic: Execution)

Another method of sending those files is through connecting and sending the JSONs to a named pipe.

T1055 Process Injection (evidence: 1)

Both versions are DLLs designed to be injected into browsers to steal the stored passwords.

Stealth

4 techniques
T1027 Obfuscated Files or Information (evidence: 1; tactic: Stealth)

The tools continuously evolve to remain covert, leveraging valid digital signatures, inflated binary sizes, multi-stage sideloading, and heavy, compiler-level obfuscation.

T1036 Masquerading (evidence: 1; tactic: Stealth)

The threat actor impersonates local and global aerospace, defense manufacturing, and telecommunications organizations.

T1055 Process Injection (evidence: 1)

Both versions are DLLs designed to be injected into browsers to steal the stored passwords.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

The actors also inflate binary sizes with junk code to bypass antivirus heuristics and machine-learning models that truncate analysis of large files.

T1553.002 Code Signing (evidence: 2)

To bolster stealth, Nimbus Manticore signs its malware with certificates from SSL.com, reducing detection rates.

Credential Access

3 techniques
T1539 Steal Web Session Cookie (evidence: 1)

Both versions are DLLs designed to be injected into browsers to steal the stored passwords.

T1555 Credentials from Password Stores (evidence: 1)

In parallel, hackers deploy MiniBrowse, a lightweight credential stealer targeting Chrome and Edge browsers. Delivered as an injected DLL, MiniBrowse extracts stored passwords.

T1555.003 Credentials from Web Browsers (evidence: 2)

Additionally, Nimbus Manticore deploys MiniBrowse, a lightweight stealer targeting Chrome and Edge browser credentials.

Discovery

4 techniques
T1033 System Owner/User Discovery (evidence: 1; tactic: Discovery)

The backdoor then collects two identifiers from the infected system: the computer name and the domain name with the username.

T1082 System Information Discovery (evidence: 1; tactic: Discovery)

The backdoor then collects two identifiers from the infected system: the computer name and the domain name with the username.

T1083 File and Directory Discovery (evidence: 1; tactic: Discovery)

For discovery, system information discovery (T1082) and file and directory discovery (T1083) have been the most prevalent methods used to map the environment.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

The actors also inflate binary sizes with junk code to bypass antivirus heuristics and machine-learning models that truncate analysis of large files.

Collection

1 technique
T1560 Archive Collected Data (evidence: 1)

The infection chain begins with a ZIP archive file - it was named Survey.zip in a sample analyzed by Check Point - which contains a legitimate Windows executable, Setup.exe, that sideloads a malicious userenv.dll.

T1071.001 Web Protocols (evidence: 2)

The backdoor uses regular HTTPS requests using the Windows API.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 2)

After parsing the command, in this case, the backdoor sends the file from the specified path via several network requests, based on the chunk size provided as an argument.

INDICATORS OF COMPROMISE

IOCs tracked for this family

47 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (24 tracked)

IPs, domains, and DNS infrastructure linked to this family.

Hashes (23 tracked)

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (47)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (19)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.