Fake Recruitment Portal Used by Nimbus Manticore to Deploy Malware

A sophisticated campaign by the Nimbus Manticore APT is exploiting job seekers through fake recruitment portals, delivering malware under the guise of legitimate hiring processes. The group, also tracked as UNC1549 and Smoke Sandstorm, has a well-documented history of targeting the aerospace and defense sectors across the Middle East and Europe.

In its latest operation, the threat actor combines social engineering, DLL sideloading, and staged malware delivery to compromise victims—highlighting an evolution in both technical execution and deception tactics.

Key Details

The attack begins on LinkedIn, where victims are approached by a convincing recruiter persona claiming to represent Ebix, a legitimate enterprise software company. The lure is strengthened with a high-value offer—reportedly around $200,000 salary—designed to increase engagement.

Interested targets are redirected to a professionally designed phishing domain:

  • ebix[.]recruitment-flow[.]com

The portal requires user authentication before presenting any download, adding legitimacy and reducing suspicion.

Following login, victims are prompted to install what appears to be a two-factor authentication (2FA) application, supposedly required for secure hiring processes. This download is packaged as a ZIP archive—which ultimately contains the malware payload.

Security analysts at Nextron uncovered the campaign during incident response investigations and confirmed attribution to Nimbus Manticore based on consistent operational patterns.

Technical Analysis

DLL Sideloading via AppDomain Hijacking

The ZIP archive contains a renamed executable (setup.exe) that is:

  • Digitally signed by Microsoft
  • Masquerading as a legitimate Visual Studio component

The attackers modify its .config file to exploit AppDomain hijacking, forcing the .NET runtime to load a malicious DLL:

  • TOTPGuard.dll (stager)

This technique allows the malware to execute under the context of a trusted application, bypassing many traditional security controls.
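The setting behind this technique is the .NET Framework AppDomainManager redirection in the host's `.exe.config` (`<runtime><appDomainManagerAssembly>` and `<appDomainManagerType>`), which makes the runtime load and instantiate a named assembly from the application directory before any application code runs. The scanner below is an added example written for this article, not Nextron's tooling or anything from the campaign: it walks a directory tree, flags every config that sets these elements, and pairs each one with the signature status of the host executable and of the referenced DLL. The demo config and the type name `TOTPGuard.PlaceholderManager` are constructed for the demo run.

```powershell
# Added example (not from the article or Nextron): find .NET config files that
# redirect the AppDomainManager, the setting abused to make a signed host load a
# DLL such as TOTPGuard.dll. The demo config and paths below are constructed.

function Find-AppDomainManagerHijack {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Root)

    Get-ChildItem -Path $Root -Recurse -File -Include '*.exe.config', 'app.config' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $configPath = $_.FullName
        try { [xml]$cfg = Get-Content -LiteralPath $configPath -Raw -ErrorAction Stop } catch { return }

        # <configuration><runtime><appDomainManagerAssembly value=".."/><appDomainManagerType value=".."/></runtime>
        $runtime = $cfg.configuration.runtime
        if (-not $runtime) { return }
        $asm  = $runtime.appDomainManagerAssembly.value
        $type = $runtime.appDomainManagerType.value
        if (-not $asm -and -not $type) { return }

        # The runtime resolves the assembly from the application base directory as <SimpleName>.dll
        $simpleName = ($asm -split ',')[0].Trim()
        $dllPath    = Join-Path $_.DirectoryName "$simpleName.dll"
        $dllStatus  = if (Test-Path -LiteralPath $dllPath) { (Get-AuthenticodeSignature -FilePath $dllPath).Status } else { 'Missing' }

        # The host executable is the config file name without its trailing .config
        $exePath   = $configPath -replace '\.config$', ''
        $exeStatus = if (Test-Path -LiteralPath $exePath) { (Get-AuthenticodeSignature -FilePath $exePath).Status } else { 'Unknown' }

        [pscustomobject]@{
            Config          = $configPath
            ConfigModified  = $_.LastWriteTimeUtc
            HostExe         = $exePath
            HostSignature   = $exeStatus
            ManagerAssembly = $asm
            ManagerType     = $type
            ManagerDll      = $dllPath
            DllSignature    = $dllStatus
            # Validly signed host plus an unsigned or missing manager DLL is the sideloading shape to triage first
            Suspicious      = ($exeStatus -eq 'Valid' -and $dllStatus -ne 'Valid')
        }
    }
}

# Demo run against a constructed config file (no real binaries involved)
$demo = Join-Path $env:TEMP 'appdomain-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="TOTPGuard, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="TOTPGuard.PlaceholderManager" />
  </runtime>
</configuration>
'@ | Set-Content -LiteralPath (Join-Path $demo 'setup.exe.config') -Encoding UTF8

Find-AppDomainManagerHijack -Root $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

Point `-Root` at `C:\Users` and at any directory where users can drop files. Some legitimate applications do set an AppDomainManager, so the presence of the element alone is a lead rather than a verdict; the `Suspicious` column ranks the cases that match this campaign's pattern (signed host, unsigned or absent manager DLL), and `ConfigModified` gives the timestamp to correlate with the download of the ZIP.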

Deceptive Execution Flow

Once executed:

  • A realistic fake Ebix interface is displayed
  • Users are prompted to enter a “secret key”
  • A functional OTP generator is shown

This interactive deception reinforces trust while the malware silently executes in the background.

Payload Deployment and Persistence

Behind the scenes, the malware:

  1. Decrypts the main payload using hardcoded AES keys
  2. Drops main.dll into:
    • \AppData\Roaming\2FAGuard\
  3. Establishes persistence via a scheduled task:
    • BackupCheck (runs at every login)

Command-and-Control (C2) Infrastructure

The implant communicates with attacker infrastructure hosted on Microsoft Azure, leveraging:

  • Trusted cloud domains
  • Benign naming conventions aligned with the recruitment theme

Examples include:

  • globalitconsultants[.]azurewebsites[.]net
  • join-exam-now-ebix[.]azurewebsites[.]net

This makes malicious traffic blend into standard enterprise activity.

Evasion Techniques

The malware includes multiple anti-analysis features:

  • Process name verification
  • Debugger detection via Process Environment Block (PEB)
  • Increased code obfuscation compared to previous campaigns

Despite these enhancements, its core behavior—data exfiltration and remote control—remains consistent with earlier Nimbus Manticore toolsets.

Impact and Risks

This campaign is particularly dangerous due to its targeted approach and realistic delivery mechanism.

Affected Targets

  • Aerospace and defense professionals
  • Engineers and developers
  • Enterprises with access to sensitive intellectual property

Potential Impact

  • Credential theft and espionage
  • Long-term persistence in enterprise systems
  • Data exfiltration from high-value environments
  • Supply chain compromise

Because the malware uses trusted binaries and cloud infrastructure, it can evade detection even in well-defended networks.

Expert Recommendations

Organizations should implement layered defense strategies to mitigate risk:

1. Restrict Execution Paths

  • Use AppLocker or WDAC to block execution in:
    • %AppData%
    • %Temp%
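One practical caveat when translating this recommendation into AppLocker: AppLocker path rules do not understand `%AppData%` or `%Temp%`. They only expand their own variables (`%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`, `%PROGRAMFILES%`, `%REMOVABLE%`, `%HOT%`), so the per-user folders have to be written as `%OSDRIVE%\Users\*\AppData\*`, which also covers `%Temp%` because the user temp folder lives under `AppData\Local\Temp`. The policy builder below is an added example, not part of the article: it generates deny rules for the user-writable locations named above for both the Exe and Dll collections, keeps the standard allow rules for Program Files and Windows (a collection that contains only deny rules would block everything else once enforced), starts in audit mode, and dry-runs the result against sample paths. The sample file name `setup.exe` in the user temp folder is constructed.

```powershell
# Added example (not from the article): build an AppLocker policy that denies
# executables and DLLs under user-writable profile and temp folders, then dry-run it.
# Rule GUIDs are generated at run time; the sample file in $env:TEMP is constructed.

function New-PathRule([string] $Name, [string] $Path, [string] $Action) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

function New-RuleCollection([string] $Type, [string] $Mode) {
    # Deny rules win over allow rules, so the two allow rules below keep normal software running
    # while anything under the user profile's AppData tree or Windows\Temp is blocked.
    $rules = @(
        (New-PathRule 'Allow Program Files'              '%PROGRAMFILES%\*'            'Allow')
        (New-PathRule 'Allow Windows'                    '%WINDIR%\*'                  'Allow')
        (New-PathRule 'Deny user AppData (incl. Temp)'   '%OSDRIVE%\Users\*\AppData\*' 'Deny')
        (New-PathRule 'Deny Windows Temp'                '%WINDIR%\Temp\*'             'Deny')
    ) -join "`n"
    "  <RuleCollection Type=`"$Type`" EnforcementMode=`"$Mode`">`n$rules`n  </RuleCollection>"
}

# AuditOnly first: review Microsoft-Windows-AppLocker/EXE and DLL events before switching to Enabled.
$policyXml = "<AppLockerPolicy Version=`"1`">`n" +
             (New-RuleCollection 'Exe' 'AuditOnly') + "`n" +
             (New-RuleCollection 'Dll' 'AuditOnly') + "`n</AppLockerPolicy>"

$policyPath = Join-Path $env:TEMP 'deny-userwritable.xml'
$policyXml | Set-Content -LiteralPath $policyPath -Encoding UTF8

# Dry run: a constructed file in the user temp folder (should be Denied) and a real system binary (should be Allowed)
$samplePaths = @(
    (Join-Path $env:TEMP 'setup.exe'),
    (Join-Path $env:SystemRoot 'System32\notepad.exe')
)
New-Item -ItemType File -Path $samplePaths[0] -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samplePaths -User Everyone | Format-Table -AutoSize
Remove-Item -LiteralPath $samplePaths[0] -Force

# To merge into the local policy once the audit events look clean:
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

The Dll collection is what matters for the sideloading step in this campaign (the host executable is Microsoft-signed and would pass an Exe-only policy; it is `TOTPGuard.dll` under the user profile that the rule needs to stop), but DLL rules are evaluated on every library load, so test their performance impact before enforcing them broadly. Add allow rules for any line-of-business software that legitimately runs from a user profile before leaving audit mode.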

2. Monitor Social Engineering Vectors

  • Expand awareness training beyond email phishing
  • Educate employees on LinkedIn and job portal scams

3. Block Suspicious Domains

  • Restrict access to newly registered or low-reputation domains
  • Monitor Azure-hosted domains with unusual naming patterns

4. Detect Sideloading Behavior

  • Monitor unexpected DLL loads by signed executables
  • Track .config file modifications in application directories
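The DLL-load half of this recommendation can be hunted in Sysmon telemetry. Sysmon Event ID 7 (Image loaded) records, for every mapped DLL, the loading process (`Image`), the loaded file (`ImageLoaded`) and the loaded file's signature fields (`Signed`, `Signature`, `SignatureStatus`). The function below is an added example, not part of the article or of Nextron's tooling: it keeps only loads where the DLL sits in a user-writable location and is not validly signed, then checks on disk that the loading process itself is validly signed, which is exactly the shape of a signed `setup.exe` pulling in `TOTPGuard.dll` from a folder under `AppData`. It assumes Sysmon is installed with ImageLoad logging that covers the processes of interest; the field names are Sysmon's own.

```powershell
# Added example (not from the article): surface "validly signed host loads an unsigned
# DLL from a user-writable path" in Sysmon Event ID 7 (Image loaded) records.
# Assumes Sysmon is installed with ImageLoad logging enabled for the relevant processes.

function Find-SuspiciousSideload {
    [CmdletBinding()]
    param(
        [int] $MaxEvents = 5000,
        # Regexes for locations a standard user can write to; extend for your environment
        [string[]] $UserWritable = @('\\Users\\[^\\]+\\AppData\\', '\\Windows\\Temp\\', '\\ProgramData\\')
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -MaxEvents $MaxEvents -ErrorAction Stop
    $hostSigCache = @{}

    foreach ($evt in $events) {
        # Flatten the <Data Name="...">value</Data> pairs of the event into a hashtable
        $xml = [xml]$evt.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        $hostImage = $d['Image']        # the process doing the loading
        $loaded    = $d['ImageLoaded']  # the DLL that was mapped
        if (-not $loaded -or -not $hostImage) { continue }

        # 1. The DLL lives somewhere a user could have dropped it
        $inUserPath = $false
        foreach ($rx in $UserWritable) { if ($loaded -match $rx) { $inUserPath = $true; break } }
        if (-not $inUserPath) { continue }

        # 2. The DLL is not validly signed (Sysmon's Signed/SignatureStatus describe the loaded image)
        if ($d['Signed'] -eq 'true' -and $d['SignatureStatus'] -eq 'Valid') { continue }

        # 3. The host binary is validly signed (checked on disk, once per path)
        if (-not $hostSigCache.ContainsKey($hostImage)) {
            $hostSigCache[$hostImage] = Get-AuthenticodeSignature -FilePath $hostImage -ErrorAction SilentlyContinue
        }
        $hostSig = $hostSigCache[$hostImage]
        if (-not $hostSig -or $hostSig.Status -ne 'Valid') { continue }

        [pscustomobject]@{
            Time       = $evt.TimeCreated
            Host       = $hostImage
            HostSigner = $hostSig.SignerCertificate.Subject
            Dll        = $loaded
            DllSigned  = "$($d['Signed']) / $($d['SignatureStatus'])"
            User       = $d['User']
        }
    }
}

Find-SuspiciousSideload | Sort-Object Time -Descending | Format-Table -AutoSize
```

Two things to keep in mind when tuning it: the host signature is read from the current file on disk, so a binary that has since been deleted produces no result (keep the raw events), and many installers and updaters legitimately run from `AppData`, so the output is a triage list to join with the loading process's parent, its network activity and any scheduled task created shortly after, rather than an alert on its own.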

5. Strengthen Endpoint Detection

  • Deploy EDR solutions to detect:
    • Scheduled task creation
    • Persistence mechanisms
    • Suspicious file drops in user directories

6. Conduct Threat Hunting

  • Look for IoCs including:
    • TOTPGuard.dll and main.dll
    • Scheduled task “BackupCheck”
    • Known Azure C2 domains
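The indicators listed under this item, together with the drop location and scheduled task named in the Payload Deployment and Persistence section, can be checked on a single host with the script below. It is an added example written for this article, not Nextron's hunting tooling: it looks for the `BackupCheck` task, for the `2FAGuard` folder under any user's `AppData\Roaming`, for the two DLL names anywhere under `C:\Users`, and for the campaign domains in the local DNS cache. It goes one step beyond the article's list by also reporting any scheduled task whose action points into `AppData`, since the task name is the easiest part of this tradecraft to change. Run it from an elevated session so that all profiles and tasks are visible.

```powershell
# Added example (not from the article or Nextron): check one Windows host for the
# indicators the article names, plus any scheduled task that executes from AppData.
# Indicator values come from the article; extend them from your own intelligence.

function Invoke-NimbusManticoreHostHunt {
    [CmdletBinding()]
    param(
        [string[]] $DllNames   = @('TOTPGuard.dll', 'main.dll'),
        [string]   $TaskName   = 'BackupCheck',
        [string]   $DropFolder = '2FAGuard',
        [string[]] $Domains    = @('ebix.recruitment-flow.com',
                                   'globalitconsultants.azurewebsites.net',
                                   'join-exam-now-ebix.azurewebsites.net')
    )

    $hits = [System.Collections.Generic.List[object]]::new()
    function Add-Hit([string] $Kind, [string] $Detail) {
        $hits.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }

    # 1. The named persistence task, with what it actually runs
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $action"
    }

    # 1b. Generalisation: any task whose action lives under a user profile's AppData
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $t = $_
        $t.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match '\\AppData\\' } | ForEach-Object {
            Add-Hit 'TaskRunsFromAppData' "$($t.TaskPath)$($t.TaskName) -> $($_.Execute) $($_.Arguments)"
        }
    }

    # 2. The drop folder in any user's roaming profile
    Get-ChildItem -Path "C:\Users\*\AppData\Roaming\$DropFolder" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit 'DropFolder' $_.FullName }

    # 3. The DLL names under user profiles, with their signature status
    #    (main.dll is a generic name, so expect benign matches to review)
    foreach ($name in $DllNames) {
        Get-ChildItem -Path 'C:\Users' -Recurse -File -Filter $name -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                Add-Hit 'DllOnDisk' "$($_.FullName) (signature: $($sig.Status), modified: $($_.LastWriteTimeUtc))"
            }
    }

    # 4. Campaign domains resolved recently by this host
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($domain in $Domains) {
        $cache | Where-Object { $_.Entry -like "*$domain" } | ForEach-Object { Add-Hit 'DnsCache' $_.Entry }
    }

    Write-Output $hits
}

Invoke-NimbusManticoreHostHunt | Format-Table -AutoSize
```

The DNS cache is short-lived, so an empty result there says nothing; the durable evidence on a compromised host is the task and the folder, and for fleet-wide coverage the same domain list belongs in your DNS or proxy log search. Treat a `main.dll` hit as a lead to examine (signature, path, timestamp, loading process) rather than a confirmation.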

Industry Context

This campaign reflects a broader shift toward highly targeted social engineering attacks combined with stealthy malware delivery.

APT groups, particularly those linked to nation-state interests, are increasingly:

  • Exploiting professional networking platforms
  • Leveraging trusted cloud services
  • Using legitimate binaries for execution (LOLbins)

Nimbus Manticore’s consistent tradecraft across campaigns suggests a well-resourced operation focused on long-term espionage rather than short-term gains.

The use of job recruitment as an attack vector echoes similar campaigns by Lazarus Group and Iranian-linked actors, signaling a growing trend in human-centric attack surfaces.

Conclusion

The latest Nimbus Manticore campaign demonstrates how modern threat actors blend psychological manipulation with technical sophistication to compromise high-value targets.

By abusing trusted platforms, signed binaries, and cloud infrastructure, this group continues to evade traditional defenses while maintaining consistent operational patterns.

Organizations must adapt by strengthening both technical controls and human awareness to defend against these evolving threats.


FAQ SECTION

Who is Nimbus Manticore?

Nimbus Manticore is a state-linked threat group, also known as UNC1549 and Smoke Sandstorm, targeting aerospace and defense sectors.

How does the fake recruitment attack work?

Victims are lured via LinkedIn to a fake hiring portal, where they download a malicious 2FA app that installs malware.

What technique is used to execute the malware?

The attack uses DLL sideloading and AppDomain hijacking to execute malicious code via a trusted application.

Why is this attack hard to detect?

It uses signed binaries, realistic interfaces, cloud infrastructure, and strong obfuscation to evade detection.

How can organizations prevent such attacks?

Use application whitelisting, monitor unusual DLL loads, restrict user directory execution, and train employees on social engineering threats.
