
Nimbus Manticore APT Abuses Fake Recruitment Portal to Deliver Custom Malware


Jun 02, 2026 · 6 min read

A state-linked hacking group has been caught running a carefully crafted fake recruitment operation to push custom malware onto unsuspecting victims.

The group, known as Nimbus Manticore and also tracked as UNC1549 and Smoke Sandstorm, has a long history of targeting professionals in the aerospace and defense sectors across the Middle East and Europe.

Their latest campaign shows a notable step up in technical sophistication, blending social engineering with a multi-stage malware delivery chain that is hard to detect.

The attackers started by reaching out to employees on LinkedIn through a fake but convincing recruiter profile. The persona claimed to be headhunting talent for Ebix, a real company in the insurance and banking technology space, and dangled a salary offer of $200,000 to make the pitch more appealing.

Victims were then directed to a polished fake hiring portal at ebix[.]recruitment-flow[.]com, which required login credentials before any malicious content was served.

Analysts at Nextron identified this sophisticated sideloading infection chain during a recent incident response engagement, attributing the activity to Nimbus Manticore with confidence. 

Nextron said in a report shared with Cyber Security News (CSN) that the group’s core tradecraft stays remarkably consistent across campaigns, even as individual tools and payloads shift between operations.

The report details how the operators have evolved their techniques while keeping the same underlying patterns in place.

Once logged into the fake portal, victims were prompted to download what appeared to be a two-factor authentication app for added security during the hiring process.

Fake job description used by the threat actor (Source - Nextron)

That app arrived as a ZIP archive carrying the actual malware. The entire flow was designed to look routine, lowering the victim’s guard at every step before the payload had a chance to execute.

Nimbus Manticore APT Abuses Fake Recruitment Portal

The ZIP archive contained a renamed Microsoft Visual Studio component called setup.exe, which is legitimately signed by Microsoft.

The attackers modified its application configuration file, setup.exe.config, so that the .NET runtime loaded a malicious library named TOTPGuard.dll before the program's own code ran, instead of following the normal execution path.

Fake hiring portal impersonating Ebix (Source - Nextron)

This technique, known as AppDomain hijacking, meant the initial process appeared clean, since the executable on disk was still the unmodified, Microsoft-signed binary, and it was unlikely to trigger standard security alerts.
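As an added illustration (not code from the article or from Nextron), the following Python check parses a .NET application configuration file such as setup.exe.config and flags the `<runtime>` settings that redirect the AppDomainManager to another assembly, which is the hook AppDomain hijacking relies on. Both sample documents are constructed; the assembly and type names in them are placeholders, not the real file's contents.

```python
import xml.etree.ElementTree as ET

# <runtime> child elements that make the CLR load an AppDomainManager from a
# named assembly before the host program's own Main() runs. Legitimate vendor
# configs almost never set them, so a hit beside a renamed signed binary is a
# strong signal, but compare with the vendor's shipped config before acting.
SUSPICIOUS_RUNTIME_ELEMENTS = {
    "appDomainManagerAssembly": "AppDomainManager redirected to assembly",
    "appDomainManagerType": "custom AppDomainManager type requested",
}

def scan_app_config(xml_text: str) -> list:
    """Return findings for one <exe>.config document; an empty list means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A config the runtime cannot parse is itself worth a look.
        return [f"unparseable XML: {exc}"]
    findings = []
    for runtime in root.iter("runtime"):
        for child in runtime:
            tag = child.tag.rsplit("}", 1)[-1]  # tolerate a namespace prefix
            if tag in SUSPICIOUS_RUNTIME_ELEMENTS:
                value = child.get("value", "")
                findings.append(f"{SUSPICIOUS_RUNTIME_ELEMENTS[tag]}: {value!r}")
    return findings

# Constructed sample: the kind of config a vendor ships alongside its binary.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/></startup>
  <runtime><gcServer enabled="false"/></runtime>
</configuration>"""

# Constructed sample shaped like an AppDomain-hijacking config; the assembly and
# type names are placeholders, not the contents of the attacker's setup.exe.config.
HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="TOTPGuard, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="TOTPGuard.Manager"/>
  </runtime>
</configuration>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_CONFIG), ("hijack", HIJACK_CONFIG)):
        hits = scan_app_config(doc)
        print(f"{label}: {'SUSPICIOUS' if hits else 'clean'} {hits}")
```

In a hunt, feed it every `*.exe.config` found under user-writable directories such as AppData and compare any hit with the signed executable it sits next to.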

After the victim ran setup.exe, a convincing fake Ebix interface asked for a secret key and then displayed a working one-time password generator.

The app behaved like a real tool throughout the process, making it far harder for victims to suspect anything was wrong.

2FA app with fake Ebix branding (Source - Nextron)

Behind the scenes, the malware decrypted an embedded payload using hardcoded AES keys and dropped it to disk at a path inside the user’s AppData folder.

Persistence, C2, and Evasion Tactics

The malware then created a scheduled task named “BackupCheck” to run at every login, ensuring it stayed active on the infected machine.

The main payload, stored as main.dll, communicated with command-and-control servers hosted on Microsoft Azure, a trusted cloud platform that blends into normal network traffic for many organizations.

The C2 domains used benign-sounding names that matched the hiring campaign theme, making them easy to overlook during a quick review.

The native implant also ran anti-analysis checks, including verifying its own process name and checking for active debuggers by inspecting the Process Environment Block.

The operators appeared to significantly increase the level of code obfuscation compared to earlier campaigns, likely in response to prior public reporting from other security vendors.

Despite these added layers, the core functionality, including data exfiltration and C2 communication, remained consistent with previously documented Nimbus Manticore behavior.

Defenders can take several concrete steps to reduce exposure to this type of attack. Organizations should block or restrict access to freshly registered domains, particularly in sensitive departments like HR, finance, and legal.

Using Windows AppLocker to prevent execution from user-writable directories such as AppData and Temp can significantly reduce the chance of staged payloads running.

Security awareness training should also expand beyond email-based phishing to include social media platforms and job portal-based social engineering, where this group has proven especially active.
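Also as an added example, not from the article or from Nextron's tooling: a Python triage helper for exported Task Scheduler XML that flags the combination described above, a logon trigger whose action runs from a user-writable directory such as AppData or Temp, which is also the set of locations the AppLocker guidance targets. The task definitions embedded below are constructed; the task name matches the article's "BackupCheck", but the command path and the benign vendor task are assumptions.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a standard user can write to, spelled out or via environment
# variables; the same set the AppLocker advice above says to block.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Downloads)\\|%(TEMP|TMP|APPDATA|LOCALAPPDATA)%", re.IGNORECASE)

def assess_task(xml_text: str) -> dict:
    """Summarise one exported task definition for persistence triage."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", "", TASK_NS)
    logon = root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None
    commands = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        # Check the arguments too: the command may be a host binary in a system
        # directory whose arguments point at a file in a user-writable path.
        cmd = ex.findtext("t:Command", "", TASK_NS)
        args = ex.findtext("t:Arguments", "", TASK_NS)
        commands.append(f"{cmd} {args}".strip())
    writable = any(USER_WRITABLE.search(c) for c in commands)
    return {"name": name, "logon_trigger": logon, "commands": commands,
            "user_writable": writable, "suspicious": logon and writable}

# Constructed sample modelled on the article's "BackupCheck" logon task; the
# command path is an assumption, not a recovered artefact.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\BackupCheck</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\victim\AppData\Roaming\2FAGuard\setup.exe</Command>
  </Exec></Actions>
</Task>"""

# Constructed benign task: also runs at logon, but from a protected directory.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\AgentStart</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Vendor\agent.exe</Command><Arguments>--quiet</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for doc in (SUSPECT_TASK, BENIGN_TASK):
        r = assess_task(doc)
        print(r["name"], "REVIEW" if r["suspicious"] else "ok", r["commands"])
```

Task XML in this schema is what `schtasks /Query /XML` and PowerShell's `Export-ScheduledTask` produce, so the helper can be run over a whole host's exported tasks.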

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
