:

IRAN-LINKED GROUP USES AI MALWARE IN CYBER ATTACKS

AI DESK2 MIN READ
MON, MAY 25, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

Iranian threat actor Nimbus Manticore has resurfaced using AI-assisted malware development and SEO poisoning techniques to target companies, according to Check Point Research. The IRGC-affiliated group escalated operations during recent US-Iran tensions.

Check Point Research identified Nimbus Manticore, an Iranian threat actor with ties to the Islamic Revolutionary Guard Corps (IRGC), employing advanced techniques in recent cyber campaigns. The group leveraged artificial intelligence to develop malware and deployed SEO poisoning strategies to compromise target organizations. Attack Methods The threat actor combined multiple techniques to maximize impact. AI-assisted malware development allowed attackers to create variants faster and potentially evade traditional detection methods. Simultaneously, SEO poisoning—manipulating search results to direct users to malicious sites—served as an initial infection vector, exploiting legitimate search traffic. Operational Context Nimbus Manticore's resurgence coincided with Operation Epic Fury, reflecting heightened cyber activity during escalating US-Iran tensions. The timing suggests coordinated campaigns aligned with geopolitical developments. Implications The integration of AI tools into malware development marks an evolution in Iranian cyber capabilities. Rather than relying solely on manual coding, threat actors can now automate and accelerate payload creation, making detection and attribution more difficult. SEO poisoning extends the attack surface beyond traditional enterprise defenses, targeting users before they reach corporate networks. The group's targeting of companies indicates interest in both espionage and operational impact. Organizations face dual threats: technical malware infections and social engineering through poisoned search results. Defense Recommendations Security teams should implement robust email filtering, endpoint detection systems tuned for AI-generated malware variants, and user awareness training on search result verification. Organizations should also monitor for indicators of compromise associated with Nimbus Manticore campaigns and consider threat intelligence sharing with industry peers. Check Point Research continues monitoring the threat actor's infrastructure and tactics as operations develop.

■ SOURCES

Techmeme

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.

4H AGOIndustry Desk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.

4H AGOSecurity Desk

Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.

7H AGOAI Desk

A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.

9H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.