:

IRAN-LINKED GROUP USES AI MALWARE IN CYBER ATTACKS

AI DESK2 MIN READ
MON, MAY 25, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

Iranian threat actor Nimbus Manticore has resurfaced using AI-assisted malware development and SEO poisoning techniques to target companies, according to Check Point Research. The IRGC-affiliated group escalated operations during recent US-Iran tensions.

Check Point Research identified Nimbus Manticore, an Iranian threat actor with ties to the Islamic Revolutionary Guard Corps (IRGC), employing advanced techniques in recent cyber campaigns. The group leveraged artificial intelligence to develop malware and deployed SEO poisoning strategies to compromise target organizations. Attack Methods The threat actor combined multiple techniques to maximize impact. AI-assisted malware development allowed attackers to create variants faster and potentially evade traditional detection methods. Simultaneously, SEO poisoning—manipulating search results to direct users to malicious sites—served as an initial infection vector, exploiting legitimate search traffic. Operational Context Nimbus Manticore's resurgence coincided with Operation Epic Fury, reflecting heightened cyber activity during escalating US-Iran tensions. The timing suggests coordinated campaigns aligned with geopolitical developments. Implications The integration of AI tools into malware development marks an evolution in Iranian cyber capabilities. Rather than relying solely on manual coding, threat actors can now automate and accelerate payload creation, making detection and attribution more difficult. SEO poisoning extends the attack surface beyond traditional enterprise defenses, targeting users before they reach corporate networks. The group's targeting of companies indicates interest in both espionage and operational impact. Organizations face dual threats: technical malware infections and social engineering through poisoned search results. Defense Recommendations Security teams should implement robust email filtering, endpoint detection systems tuned for AI-generated malware variants, and user awareness training on search result verification. Organizations should also monitor for indicators of compromise associated with Nimbus Manticore campaigns and consider threat intelligence sharing with industry peers. Check Point Research continues monitoring the threat actor's infrastructure and tactics as operations develop.

■ SOURCES

Techmeme

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

Europe's digital identity wallet age verification system will only work on iOS and Android devices, excluding alternative mobile platforms. The technical specification has drawn criticism from privacy advocates and open-source developers.

4H AGOIndustry Desk

The Trump administration has established the Gold Eagle federal clearinghouse to enable real-time sharing of AI-related cyber threat intelligence between government agencies and private sector companies. The White House says the system is already receiving vulnerability reports and coordinating patch prioritization.

5H AGOAI Desk

Spanish authorities dismantled a major cybercrime organization responsible for €140 million in fraudulent earnings, resulting in four arrests. The ring operated investment scams and business email compromise attacks.

6H AGOSecurity Desk

SonicWall has released security updates to address two actively exploited vulnerabilities in its SMA1000 appliance. The company urges customers to patch immediately.

6H AGOSecurity Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.