MiniFast
MiniFast is a previously undocumented 64-bit Windows PE DLL backdoor/RAT attributed in reporting to the Iranian state-sponsored threat actor Nimbus Manticore (also tracked as UNC1549 and Screening Serpens), which is described as affiliated with the IRGC. It was observed in campaigns from February to April 2026 and replaced the older MiniJunk malware family as the final payload in later waves. Check Point reporting also refers to it as MiniUpdate.
Delivery observed in the reporting included career-themed phishing and fake meeting invitations leading to a trojanized Zoom installer, as well as SEO poisoning via a fake Oracle SQL Developer download site at getsqldeveloper[.]com. The Zoom-themed chain used AppDomain hijacking with a benign Microsoft-signed Setup.exe and malicious components including InitInstall.dll, Updater.dll, and the MiniFast payload UpdateChecker.dll. The loader displayed a fake installation flow, launched a legitimate Zoom installer, monitored for a Zoom scheduled task, and modified it for persistence. Second-stage files were copied to C:\Users\<USER>\AppData\Local\Zoom\bin\update, and execution checks included requiring the host process name to be update.exe and the parent process to be svchost.exe. In the SQL Developer campaign, users downloading from the fake site received a weaponized installer that silently deployed MiniFast; this was described as Nimbus Manticore's first observed use of SEO poisoning.
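The loader behaviour above gives two concrete host-side hunts: a scheduled task whose action now points into the reported staging directory, and update.exe started from that directory by the Task Scheduler service host (task actions are children of svchost.exe, which is exactly the lineage the loader's execution gate requires). The block below is an added example, not code from the reporting or from the malware; it runs offline on constructed Task Scheduler XML exports and constructed Sysmon-style process-creation events. The task names ZoomUpdateTaskUserAlice and ExampleVendorUpdate, the user alice, and the non-Zoom paths are placeholders; only the staging directory, the update.exe/svchost.exe pairing and the task name WindowsSecurityUpdate come from the page.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Reported second-stage staging directory: C:\Users\<USER>\AppData\Local\Zoom\bin\update
STAGING_DIR_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\zoom\\bin\\update\\", re.I)
# Task name given in one report for the additional persistence task.
REPORTED_TASK_NAME = "windowssecurityupdate"

# Constructed Task Scheduler XML exports (shape of `schtasks /query /xml`, XML
# declaration omitted). Task names, the user "alice" and the non-Zoom paths are
# placeholders, not values from the reporting.
TASK_XMLS = {
    "hijacked_zoom_task": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ZoomUpdateTaskUserAlice</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Users\alice\AppData\Local\Zoom\bin\update\Update.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "extra_persistence_task": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\WindowsSecurityUpdate</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Local\Temp\Update.exe</Command></Exec>
  </Actions>
</Task>""",
    "benign_vendor_task": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendorUpdate</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\ExampleVendor\Update.exe"</Command></Exec>
  </Actions>
</Task>""",
}


def triage_task(xml_text):
    """Return the reasons a task export resembles the reported persistence."""
    root = ET.fromstring(xml_text.strip())
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    reasons = []
    if ntpath.basename(uri).lower() == REPORTED_TASK_NAME:
        reasons.append("task name matches the reported persistence task")
    for exec_el in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        cmd = cmd.strip().strip('"')  # exports often quote the command path
        if STAGING_DIR_RE.match(cmd):
            reasons.append("action runs from the reported staging directory: " + cmd)
    return reasons


# Constructed Sysmon-style process-creation events (Event ID 1 fields only).
PROCESS_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Zoom\bin\update\Update.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Zoom\bin\update\Update.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\ExampleVendor\Update.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]


def flag_update_exe_events(events):
    """Two tiers: staging path plus Task Scheduler lineage (the loader's own
    execution gate), and staging path alone. A bare update.exe basename is
    not enough; vendor updaters under Program Files are left alone."""
    hits = []
    for ev in events:
        image = ev["Image"]
        if ntpath.basename(image).lower() != "update.exe" or not STAGING_DIR_RE.match(image):
            continue
        if ntpath.basename(ev["ParentImage"]).lower() == "svchost.exe":
            hits.append((image, "staging path + scheduler lineage"))
        else:
            hits.append((image, "staging path only"))
    return hits


if __name__ == "__main__":
    for name, xml in TASK_XMLS.items():
        print(name, triage_task(xml) or "clean")
    for image, reason in flag_update_exe_events(PROCESS_EVENTS):
        print(reason, image)
```

On a live host the same checks run over the output of schtasks /query /xml and over Sysmon Event ID 1 (or 4688 with command-line logging); the "staging path only" tier still deserves an alert, since the loader refuses to run outside the scheduler lineage but the dropped files are already on disk.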
MiniFast is described as a fully featured backdoor designed for long-term persistence and remote command execution. Reported capabilities include initial system reconnaissance and beaconing of basic host information; HTTP/JSON-based C2 communications; masquerading as Chrome traffic via a hardcoded Chrome user-agent; polling for tasks and uploading execution results; file and folder management; directory and drive listing; process enumeration and termination by PID; shell command execution via cmd.exe; file upload/exfiltration and download of additional payloads; DLL loading; ZIP archive creation; attempted privilege escalation including runas/UAC elevation; configurable polling interval and jitter; and persistence through scheduled tasks, including a command that creates an additional task (one report gives its name as WindowsSecurityUpdate). Reported HTTP endpoints include /rg, /agent/init, /agent/poll?token=, /agent/result, /upload/, and /files/. One report states the DLL exports a single function named CheckForUpdates.
Targeting described in the source material includes aviation and software-sector victims across the United States, Europe, the Middle East, Saudi Arabia, Australia, and other regional targets. Reported infrastructure and related malicious domains include getsqldeveloper[.]com, business-startup[.]org, business-startup.azurewebsites[.]net, licencemanagers.azurewebsites[.]net, PremierHealthAdvisory[.]com, and ramiltonsfinance[.]com. Check Point assessed that MiniFast likely shows signs of AI-assisted development, citing excessive error handling, defensive programming around simple API calls, repetitive verbose naming, modular organization, and detailed debug-style strings/messages.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The Iran state-sponsored threat group Nimbus Manticore conducted attacks during the U.S.-Israel military campaign Operation Epic Fury targeting the U.S. aviation industry and others for deployment of a new AI-assisted backdoor called “MiniFast,” Check Point Research reported Friday.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
For the first time, we observed the use of SEO poisoning as an additional malware delivery method... the actor abuses search engine optimization techniques by registering dozens of domains that link to the bogus domain, getsqldeveloper[.]com.
Check Point said Nimbus Manticore has shifted tactics in its most recent attacks... using search engine optimization (SEO) poisoning to impersonate the software Oracle SQL Developer and spread MiniFast... Keyword stuffing of phrases such as “download SQL Developer” and “SQL Developer free” was also used to help the fake website surface high in search results for engines such as Bing and DuckDuckGo.
Initial Access
2 techniques
Both waves of attacks utilized career-themed phishing lures for initial access... As in previous attacks, Nimbus Manticore used career-themed phishing lures to spread MiniFast during Operation Epic Fury, specifically impersonating a U.S. domestic airline. Victims were lured to install a trojanized version of the legitimate Zoom installer after clicking a fake meeting invitation link.
It's suspected that the activity was part of a phishing campaign using fake meeting invitations.
Execution
5 techniques
The installer was not a crude knockoff; it demonstrated detailed knowledge of the legitimate Zoom installation process, even monitoring for the creation of a specific scheduled task that Zoom normally generates during setup, then silently hijacking that task to establish persistence without triggering obvious alarms.
It then monitors for the creation of a scheduled task — a part of the legitimate Zoom installation process — and modifies this task to load the second-stage components... Prior to executing the payload, the loader ensures that the hosting process name is update.exe and the parent process is svchost.exe to maintain stealth and persistence via the scheduled task... The backdoor supports commands for a wide range of actions including... creation of an additional scheduled task.
The backdoor supports commands for a wide range of actions including file and folder management and exfiltration, file download from the C2, shell command execution...
Persistence
2 techniques
The installer was not a crude knockoff; it demonstrated detailed knowledge of the legitimate Zoom installation process, even monitoring for the creation of a specific scheduled task that Zoom normally generates during setup, then silently hijacking that task to establish persistence without triggering obvious alarms.
It then monitors for the creation of a scheduled task — a part of the legitimate Zoom installation process — and modifies this task to load the second-stage components... Prior to executing the payload, the loader ensures that the hosting process name is update.exe and the parent process is svchost.exe to maintain stealth and persistence via the scheduled task... The backdoor supports commands for a wide range of actions including... creation of an additional scheduled task.
Privilege Escalation
3 techniques
The installer was not a crude knockoff; it demonstrated detailed knowledge of the legitimate Zoom installation process, even monitoring for the creation of a specific scheduled task that Zoom normally generates during setup, then silently hijacking that task to establish persistence without triggering obvious alarms.
It then monitors for the creation of a scheduled task — a part of the legitimate Zoom installation process — and modifies this task to load the second-stage components... Prior to executing the payload, the loader ensures that the hosting process name is update.exe and the parent process is svchost.exe to maintain stealth and persistence via the scheduled task... The backdoor supports commands for a wide range of actions including... creation of an additional scheduled task.
Opcode 0xB0 (Request UAC Elevation), argument pathOrCommand: attempts to relaunch a process with elevated privileges using runas.
Stealth
5 techniques
The loader itself is lightly obfuscated. Most readable strings are decrypted at runtime using a simple combination of ROT13 encoding and reversed-string transformations.
Victims were lured to install a trojanized version of the legitimate Zoom installer... AppDomain hijacking is again used to load the second-stage loader Updater.dll via the Setup.exe binary — now renamed to Update.exe... The malware impersonates a Chrome browser user agent to blend in with legitimate traffic.
At the beginning of its execution, the loader performs a simple anti-analysis validation intended to evade sandbox environments and automated dynamic analysis systems. The malware only continues execution if: (1) the hosting process name is update.exe; (2) the parent process is svchost.exe.
Defense Impairment
1 technique
Many of the files used throughout the campaign had valid digital signatures via SSL.com, continuing the abuse of trusted signing infrastructure we previously documented.
Discovery
5 techniques
Before entering its tasking loop, the malware performs basic host reconnaissance by collecting information such as the username, hostname, and domain info.
The commands supported by the backdoor are varied, enabling file operations, directory listings, process enumeration
MiniFast performs system reconnaissance and then awaits commands from the C2 server...
At the beginning of its execution, the loader performs a simple anti-analysis validation intended to evade sandbox environments and automated dynamic analysis systems. The malware only continues execution if: (1) the hosting process name is update.exe; (2) the parent process is svchost.exe.
Collection
2 techniques
The commands supported by the backdoor are varied, enabling ... ZIP archive creation
Opcode 0x0D (Create ZIP Archive), arguments sourcePath, zipPath: creates a ZIP archive from files or directories.
Command and Control
4 techniques
MiniFast, the successor of MiniJunk, enables extensive control of the victim's machine through API-based communications with the attacker's command-and-control (C2) server... MiniFast performs system reconnaissance and then awaits commands from the C2 server, transmitting data in the JSON format. The malware impersonates a Chrome browser user agent to blend in with legitimate traffic.
To blend into legitimate network traffic, the malware impersonates a Chrome browser using the following hardcoded User-Agent string: Mozilla/5.0 ... Chrome/146.0.0.0 Safari/537.36
The implant communicates with its C2 (command and control) infrastructure using an API-style architecture with JSON-formatted data exchanges... The backdoor implements several structured HTTP endpoints throughout the infection lifecycle.
It communicates with a remote server over HTTP requests to fetch tasks, upload command execution results, exfiltrate files, and download additional payload from the server.
This wave also introduced a previously unseen backdoor that Check Point has named MiniFast... it is a fully featured remote access trojan supporting file operations, process management, privilege escalation, and DLL loading.
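The endpoint list in the family description (/rg, /agent/init, /agent/poll?token=, /agent/result, /upload/, /files/) and the hardcoded Chrome User-Agent quoted above are enough for a first-pass proxy-log hunt, and the configurable polling interval with jitter noted in the description is what a beacon-regularity check keys on. The block below is an added example, not code from the reporting; it runs offline on a constructed tab-separated proxy log. The platform portion of the User-Agent, the hosts c2.example and www.example, the client addresses and the timestamps are placeholders; only the URI paths and the "Chrome/146.0.0.0 Safari/537.36" tail of the User-Agent come from the page.

```python
import statistics
from urllib.parse import urlsplit

# Endpoints reported for the implant: exact paths and prefix paths.
REPORTED_EXACT_PATHS = {"/rg", "/agent/init", "/agent/result"}
REPORTED_PATH_PREFIXES = ("/agent/poll", "/upload/", "/files/")
# Only the reported tail of the hardcoded User-Agent is matched on; the
# platform part of the real string is elided in the source and not assumed.
REPORTED_UA_TAIL = "Chrome/146.0.0.0 Safari/537.36"

# Constructed proxy log: ts (epoch s), client_ip, method, url, user_agent.
# The UA platform segment, hosts, addresses and times are all placeholders.
CONSTRUCTED_UA = "Mozilla/5.0 (placeholder platform) " + REPORTED_UA_TAIL
SAMPLE_EVENTS = [
    (1000, "10.0.0.5", "POST", "http://c2.example/agent/init", CONSTRUCTED_UA),
    (1060, "10.0.0.5", "GET", "http://c2.example/agent/poll?token=abc123", CONSTRUCTED_UA),
    (1118, "10.0.0.5", "GET", "http://c2.example/agent/poll?token=abc123", CONSTRUCTED_UA),
    (1181, "10.0.0.5", "GET", "http://c2.example/agent/poll?token=abc123", CONSTRUCTED_UA),
    (1240, "10.0.0.5", "GET", "http://c2.example/agent/poll?token=abc123", CONSTRUCTED_UA),
    (1302, "10.0.0.5", "GET", "http://c2.example/agent/poll?token=abc123", CONSTRUCTED_UA),
    (1310, "10.0.0.5", "POST", "http://c2.example/agent/result", CONSTRUCTED_UA),
    (1000, "10.0.0.7", "GET", "https://www.example/index.html", CONSTRUCTED_UA),   # real browser
    (1005, "10.0.0.7", "GET", "https://www.example/files/report.pdf", "curl/8.0"),  # path hit, wrong UA
]
SAMPLE_LOG = "\n".join("\t".join(map(str, e)) for e in SAMPLE_EVENTS)


def parse_log(text):
    """Parse tab-separated lines into dicts with the URL split into host/path."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, url, ua = line.split("\t", 4)
        u = urlsplit(url)
        rows.append({"ts": int(ts), "ip": ip, "method": method,
                     "host": u.netloc, "path": u.path, "ua": ua})
    return rows


def path_is_reported(path):
    return path in REPORTED_EXACT_PATHS or path.startswith(REPORTED_PATH_PREFIXES)


def match_c2_requests(rows):
    """Endpoint AND User-Agent tail must both match; /files/ alone or a
    Chrome UA alone is far too common to alert on."""
    return [r for r in rows
            if path_is_reported(r["path"]) and r["ua"].endswith(REPORTED_UA_TAIL)]


def find_polling_beacons(rows, min_polls=4, max_jitter=0.3):
    """Group /agent/poll requests by (client, host) and flag sources whose
    inter-request gaps all sit within max_jitter of the median gap, i.e. a
    fixed interval with bounded jitter rather than human browsing."""
    by_src = {}
    for r in rows:
        if r["path"].startswith("/agent/poll") and r["ua"].endswith(REPORTED_UA_TAIL):
            by_src.setdefault((r["ip"], r["host"]), []).append(r["ts"])
    beacons = {}
    for key, stamps in by_src.items():
        stamps.sort()
        if len(stamps) < min_polls:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)
        if med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps):
            beacons[key] = {"polls": len(stamps), "median_interval": med}
    return beacons


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for r in match_c2_requests(rows):
        print("endpoint+UA match:", r["ip"], r["method"], r["host"] + r["path"])
    for (ip, host), info in find_polling_beacons(rows).items():
        print(f"beacon: {ip} -> {host} every ~{info['median_interval']}s ({info['polls']} polls)")
```

The regularity check is deliberately loose (30% of the median) because the implant's interval and jitter are operator-configurable; tighten max_jitter once the observed cadence for a given source is known, and treat the endpoint match as the higher-confidence signal of the two.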
Exfiltration
1 technique
The backdoor supports commands for a wide range of actions including file and folder management and exfiltration, file download from the C2, shell command execution...
Impact
1 technique
The commands supported by the backdoor are varied, enabling ... process termination using its PID
IOCs tracked for this family
33 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
AI-assisted backdoor used by Nimbus Manticore that provides extensive control of infected machines via API-based C2 communications. It performs system reconnaissance, waits for commands, transmits data in JSON, impersonates a Chrome user agent, and supports file/folder management and exfiltration, file download, shell command execution, and creation of an additional scheduled task. It was delivered via career-themed phishing with a trojanized Zoom installer and later via SEO poisoning through fake Oracle SQL Developer sites.
A newly observed backdoor/RAT attributed to Nimbus Manticore. It supports file operations, process management, privilege escalation, and DLL loading, and the report says it appears to incorporate AI-assisted development practices.
A fully featured backdoor/RAT used for long-term persistence and remote command execution. It communicates over HTTP to fetch tasks, upload execution results, exfiltrate files, download additional payloads, beacon host information, perform file and process operations, execute commands, load DLLs, create ZIP archives, establish persistence via scheduled tasks, and use runas for privilege escalation.
MiniFast is a 64-bit Windows DLL backdoor designed for long-term remote access. It communicates over structured HTTP endpoints while impersonating a Chrome browser, and supports shell command execution, file management, process listing, data upload, and attempted privilege escalation.