
Iranian APT Uses SEO Poisoning to Deliver Fake SQL Developer Malware Installer

May 27, 2026

A well-known Iranian threat group has found a new way to push malware onto people’s machines. Instead of sending phishing emails, the group built a fake website that impersonated a real database software download page and used search engine tricks to rank it near the top of results.

Anyone who searched for the tool online and clicked the wrong link walked away with a backdoor quietly installed on their system.

The group behind this activity is Nimbus Manticore, also tracked as UNC1549, and it operates under Iran’s Islamic Revolutionary Guard Corps (IRGC).

The group has a long history of targeting software and aviation professionals through career-themed phishing lures. What makes this latest wave different is the use of search engine manipulation as a delivery mechanism, something researchers had not observed from this group before.

Check Point Research analysts identified this activity across three waves between February and April 2026, coinciding with and following the US military campaign against Iran known as Operation Epic Fury.

Check Point said in a report shared with Cyber Security News (CSN) that the group showed a strong ability to rapidly adapt tools and maintain infrastructure even under active wartime conditions.

The newest wave, which researchers call the “SQL Developer” campaign, unfolded in April 2026. The attackers registered a fake domain called getsqldeveloper[.]com that mimicked a legitimate download page for Oracle’s SQL Developer, a widely used database management tool.

Users who visited the site and attempted a download received a weaponized installer that silently deployed a newly discovered backdoor called MiniFast.

The operation was built on more than just one fake site. The attackers registered dozens of domains that all pointed back to the main fake page, boosting its ranking through link-based signals.

The site also crammed in repeated phrases like “Download SQL Developer” to climb search results. At the time of analysis, the bogus domain appeared near the top of Bing and DuckDuckGo results for the search term “sql developer.”

Iranian APT Uses SEO Poisoning

The shift to SEO poisoning marks a real change in how Nimbus Manticore runs its operations. Their past campaigns nearly always relied on tailored phishing emails with fake job offers aimed at employees in aviation and software companies.

During Operation Epic Fury – Attack Chain (Source – Check Point)

This time, instead of approaching targets directly, the group placed itself in the path of users who were already looking for a trusted piece of software.

The fake site was crafted to look like a real download page. Once a user ran the installer, the infection started quietly in the background using a technique called AppDomain hijacking, which abuses how the .NET runtime loads application configuration files.

Screenshot of the getsqldeveloper[.]com site (Source – Check Point)

This allowed the malicious DLL to execute inside the context of a legitimate, trusted process without raising immediate suspicion.
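A defender-side check for the AppDomain hijacking described above, written as an added example (not Check Point's or CSN's code): it parses .NET *.exe.config files for AppDomainManager settings under <runtime> and notes whether the named assembly's DLL sits beside the executable. The article does not name the config keys; the element names, the Finding structure and the sample XML are assumptions of this example.

```python
"""Flag AppDomainManager-style hijack settings in .NET *.exe.config files.
Added example, not Check Point's or CSN's code. The article does not name the
config keys; this assumes the common AppDomainManager injection form (manager
assembly/type named under <runtime>, its DLL dropped beside a trusted .NET exe)."""
from dataclasses import dataclass
from pathlib import Path
import xml.etree.ElementTree as ET

SUSPECT_KEYS = {"appDomainManagerAssembly", "appDomainManagerType"}

@dataclass
class Finding:
    config: str
    key: str
    value: str
    dll_present: bool  # the named manager assembly's DLL sits beside the exe

def scan_config_text(config_path, xml_text, sibling_dlls=()):
    """Return one Finding per AppDomainManager key found under <runtime>."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []  # an unparsable config is not a hit here; log it separately
    sibling = {d.lower() for d in sibling_dlls}
    findings = []
    for runtime in root.iter("runtime"):
        for child in runtime:
            tag = child.tag.split("}")[-1]  # tolerate a namespaced element
            if tag in SUSPECT_KEYS:
                value = child.get("value", "")
                asm = value.split(",")[0].strip().lower()  # "Name, Version=..." -> name
                # dll_present only makes sense for the assembly entry
                present = tag == "appDomainManagerAssembly" and f"{asm}.dll" in sibling
                findings.append(Finding(config_path, tag, value, present))
    return findings

def scan_directory(directory):
    """Walk a tree for *.exe.config files, passing each its sibling DLL names."""
    results = []
    for cfg in Path(directory).rglob("*.exe.config"):
        dlls = [p.name for p in cfg.parent.glob("*.dll")]
        results.extend(scan_config_text(str(cfg), cfg.read_text(errors="replace"), dlls))
    return results

# Constructed sample of a hijacked config (illustrative, not a real indicator).
HIJACKED = """<configuration><runtime>
  <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral"/>
  <appDomainManagerType value="Loader.Manager"/>
</runtime></configuration>"""
```

Run scan_directory over program and user-profile trees and treat a hit with dll_present=True as high priority, corroborating it with the scheduled task changes the article mentions.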

MiniFast Backdoor and AI-Assisted Development

MiniFast is a 64-bit Windows DLL that functions as a full-featured backdoor built for long-term remote access.

It communicates with attacker servers using structured HTTP endpoints and disguises its traffic by impersonating a Chrome browser through a hardcoded User-Agent string.

Operators can use it to run shell commands, manage files, list running processes, upload data, and even attempt privilege escalation.

Check Point researchers also found clear signs that the malware was developed with help from AI tools. The code includes excessive error handling, verbose function names, and detailed debug messages, patterns that are common in AI-generated code.

The group appears to be using large language models to speed up development and push out updated tools faster under wartime operational pressure.

Security teams are strongly advised to monitor for unexpected scheduled task changes and unusual DLL loading behavior, as these are central to the group’s attack method.

Users and organizations should always download software directly from official vendor sites rather than relying on search engine results, since SEO poisoning can push fake pages ahead of genuine ones with little warning.

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
