
HARDENED
Cybersecurity Intelligence
Daily Briefing · Wednesday, May 27, 2026 · hardened.news
The signal. Not the noise. For teams that defend.
Lead Story
Critical — Active Campaign · Enterprise · IT Ops
IRGC-Linked Nimbus Manticore Brings AI-Assisted MiniFast Backdoor to Aviation and Defence Networks — and Canada Is in Scope
Check Point Research confirmed IRGC-affiliated Nimbus Manticore deployed MiniFast — a backdoor whose code shows indicators of AI-assisted development — against aviation, defence, and telecommunications organizations following the February 2026 US-Israeli campaign against Iran; the group’s sector targeting puts Canadian prime contractors and Crown corporations in scope through shared supply chain exposure.

Check Point Research linked Nimbus Manticore (also tracked as UNC1549) to a campaign that escalated after Operation Epic Fury, the US-Israeli military operation against Iran launched February 28, 2026. Delivered via weaponized Zoom installers and SEO-manipulated download sites, MiniFast hijacks a Zoom scheduled update task for persistence and communicates over HTTP disguised as Chrome traffic, exfiltrating files and executing remote commands. Check Point Research →

Check Point Research found MiniFast’s codebase consistent with AI tooling: error-handling reads as defensive over-engineering, variable names are expressive rather than obfuscated, and module boundaries are unusually clean for threat-actor malware. Nimbus Manticore has targeted aviation, defence, and telecommunications organizations across the US, Europe, and the Middle East — sectors where Canadian prime contractors share supply chain ties with confirmed targets; Canada’s Five Eyes alignment places domestic operators in scope. The Hacker News →

→ Key Takeaway
Check Point Research confirmed Nimbus Manticore (UNC1549) is running an active post-Operation Epic Fury campaign, delivering AI-assisted malware through weaponized installers and SEO-manipulated download sites against aviation, defence, and telecommunications targets. Canadian operators in these sectors share supply chain relationships with confirmed targets across the US and Europe. Action: Ask your security team whether your organization sources any third-party software from public download pages rather than IT-approved catalogues, and confirm that application allow-listing or application control policies block unsigned executables from running on corporate endpoints — including remote work devices.
Quick Hits
01
Ottawa Man Arrested for Running KimWolf — 23-Year-Old Charged With Operating DDoS-for-Hire Botnet That Infected Over One Million Devices and Launched Nearly 30 Tbps Attacks

Ontario Provincial Police arrested Jacob Butler, 23, of Ottawa on May 21, 2026; he faces charges in both Canada and the United States for building and administering KimWolf, a DDoS-for-hire service that conscripted over one million IoT devices and generated attacks measuring nearly 30 Tbps, issuing over 25,000 attack commands. An international operation on March 19, 2026 involving US, German, and Canadian authorities dismantled KimWolf’s command-and-control infrastructure alongside three related botnets — Aisuru, JackSkid, and Mossad — which together infected millions of devices worldwide. Canadian organizations operating IoT fleets should audit device firmware for signs of botnet compromise, as takedown of C2 infrastructure does not guarantee enrolled devices have been cleaned. Krebs on Security → DOJ Press Release →

High — Law Enforcement Action · IoT Botnet Disruption · IT Ops · Enterprise
CVE Watch
CVE-2026-45659 (Microsoft SharePoint): Authenticated RCE via Deserialization Patched May 26 — Apply Updates Before a PoC Surfaces

Microsoft patched CVE-2026-45659 on May 26, 2026 — a deserialization of untrusted data vulnerability in SharePoint Server that allows any authenticated user with Site Member permissions to execute arbitrary code remotely on the server. The flaw carries a CVSS score of 8.8 with low attack complexity, meaning a path from phished or stolen credentials to RCE on a SharePoint host requires a single step with no administrator privileges needed. SharePoint Server 2016, 2019, and Subscription Edition are all affected; no active exploitation has been confirmed as of the patch release date, but SharePoint vulnerabilities in this class have historically attracted rapid proof-of-concept development after patches ship. Apply the May 26, 2026 Cumulative Updates for your SharePoint version and ask your team to confirm deployment — Canadian government departments and enterprises using on-premises SharePoint should treat this as a priority patch cycle. Microsoft MSRC → Help Net Security →

Vendor: Microsoft SharePoint · CVE: CVE-2026-45659 · CVSS: 8.8 (High) · Attack Vector: Network · Affected: SharePoint SE, SharePoint Server 2019, SharePoint Enterprise Server 2016 · Fix: May 26, 2026 Cumulative Updates · Status: No confirmed in-wild exploitation as of May 26, 2026; credible imminent risk given patch release and SharePoint exploitation history
Compliance Tip of the Day
NIST CSF 2.0 — PR.PS-05 — Protect: Platform Security
Trojanized Installers Are a PR.PS-05 Gap: Block Unauthorized Software Before It Reaches the Endpoint

NIST CSF 2.0 PR.PS-05 requires that “installation and execution of unauthorized software are prevented” — the Nimbus Manticore MiniFast campaign succeeds precisely where this control is absent, delivering malware through a weaponized Zoom installer and SEO-manipulated lookalike download sites that bypass organizations without application allow-listing or verified software distribution controls. When an employee can download and execute an unverified installer, the attacker’s delivery problem is already solved. Action: Confirm application allow-listing or application control policy is enforced on all corporate endpoints, including remote work devices; block execution of unsigned executables from user-writable directories; and require all software installations to route through IT-approved channels rather than public download pages. NIST CSF 2.0 reference: csf.tools/pr-ps-05 →
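The lead story describes MiniFast repointing a Zoom scheduled update task at attacker-controlled code, and this tip asks teams to keep unsigned executables out of user-writable directories. The script below is an added example written for this issue; it is not code from HARDENED, Check Point Research, or any vendor. It audits scheduled-task records for exactly those two patterns: a task whose name trades on a vendor's brand but whose action binary is not signed by that vendor, and any unsigned action binary, reporting a user-writable location only when a signature check has already failed (a properly signed per-user install under AppData, which is how Zoom normally installs, is deliberately left alone). The task records, the EXPECTED_SIGNER mapping and the USER_WRITABLE_MARKERS list are constructed assumptions for the example; on a real Windows host the name, action path and signer fields would be collected with Get-ScheduledTask and Get-AuthenticodeSignature and built into the same TaskRecord objects.

```python
# Added example (not code from HARDENED or Check Point Research): a defender-side
# audit of scheduled-task records for hijacked vendor "update" tasks and for
# unsigned executables in user-writable directories (the PR.PS-05 gap).
# All records below are constructed; collect real ones with Get-ScheduledTask
# and Get-AuthenticodeSignature and feed them in as TaskRecord objects.
from dataclasses import dataclass
from typing import Optional

# Path fragments of locations an ordinary user can write to (assumed list; extend as needed).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Keyword in a task name -> publisher expected to have signed the action binary.
# Assumed mapping for this example; build yours from the IT-approved software catalogue.
EXPECTED_SIGNER = {
    "zoom": "Zoom Video Communications, Inc.",
    "google": "Google LLC",
}


@dataclass
class TaskRecord:
    name: str              # scheduled task name
    execute: str           # executable the task action launches
    signer: Optional[str]  # Authenticode subject of that executable; None if unsigned/invalid


def audit_task(rec: TaskRecord) -> list:
    """Return findings for one task; an empty list means nothing was flagged."""
    findings = []
    name = rec.name.lower()
    path = rec.execute.lower()

    # 1. A task that trades on a vendor's name must run that vendor's signed binary.
    expected = next((pub for kw, pub in EXPECTED_SIGNER.items() if kw in name), None)
    if expected is not None and rec.signer != expected:
        findings.append(
            f"task name suggests {expected} software but action binary is signed by {rec.signer!r}"
        )
    # 2. Any unsigned action binary is a PR.PS-05 gap in its own right.
    elif rec.signer is None:
        findings.append("action binary is unsigned or its signature is invalid")

    # 3. Per-user installs (Zoom under AppData, for instance) are legitimate when the
    #    signature checks out, so location is reported only once a signer check failed.
    if findings and any(marker in path for marker in USER_WRITABLE_MARKERS):
        findings.append("action binary lives in a user-writable directory")
    return findings


def audit_tasks(records) -> list:
    """Return (task name, findings) pairs for every flagged task; clean tasks are omitted."""
    return [(r.name, f) for r in records if (f := audit_task(r))]


# Constructed sample: two legitimate update tasks, one Zoom task repointed at an
# unsigned binary in Temp (the hijack pattern), and one unsigned stray under Public.
SAMPLE_TASKS = [
    TaskRecord("ZoomUpdateTaskUser",
               r"C:\Users\alice\AppData\Roaming\Zoom\bin\ZoomUpdater.exe",
               "Zoom Video Communications, Inc."),
    TaskRecord("GoogleUpdateTaskMachineCore",
               r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
               "Google LLC"),
    TaskRecord("ZoomUpdateTaskUser",
               r"C:\Users\bob\AppData\Local\Temp\zoomupd.exe",
               None),
    TaskRecord("SystemHealthCheck",
               r"C:\Users\Public\health\svc.exe",
               None),
]

if __name__ == "__main__":
    for task_name, reasons in audit_tasks(SAMPLE_TASKS):
        print(task_name)
        for reason in reasons:
            print("  -", reason)
```

Run as-is it reports only the two constructed bad tasks; the properly signed per-user Zoom install and the machine-wide Google updater pass. The signer comparison is the decisive check, and location is secondary, because a path-only rule would flag every legitimate per-user installation and train analysts to ignore the alert.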

On Our Radar

UEFI Secure Boot KEK certificate expiry — June 24, 2026 (28 days): the Microsoft Corporation KEK CA 2011 expires June 24; the UEFI CA 2011 follows June 27; the Windows Production PCA 2011 expires October 2026. Organizations with dual-boot Linux configurations or air-gapped systems not receiving automatic firmware updates should confirm remediation plans now. Tracking since Issue #039. Microsoft Support →


This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.
