Iran-linked hackers used SEO poisoning to spread fake SQL Developer installer


Iran-linked threat group Nimbus Manticore used SEO poisoning to push a fake SQL Developer download site that delivered a new Windows backdoor called MiniFast. The campaign marked a shift from the group’s usual phishing lures because it targeted users through search results instead of direct email contact.

According to Check Point Research, Nimbus Manticore resurfaced during Operation Epic Fury, the U.S. military campaign against Iran that began on February 28, 2026. The group ran three waves of activity between February and April, including one campaign that impersonated Oracle SQL Developer.

Oracle describes SQL Developer as a free integrated development environment for developing and managing Oracle Database deployments. That made it a useful lure for attackers targeting developers, database users, software professionals, and enterprise IT teams.

The fake site targeted people already looking for SQL Developer

The April campaign used a fake domain, getsqldeveloper[.]com, that copied the appearance of a normal software download page. Users who clicked the fake download received a weaponized installer instead of Oracle’s legitimate tool.

The attackers also registered dozens of related domains that linked back to the fake page. This link network helped push the malicious site higher in search results for terms connected to SQL Developer downloads.

At the time Check Point analyzed the operation, the fake site appeared near the top of Bing and DuckDuckGo results for “sql developer.” The campaign shows how SEO poisoning can put malware in front of users who believe they are taking a normal software download path.

| Campaign detail | Information |
| --- | --- |
| Threat group | Nimbus Manticore, also tracked as UNC1549 |
| Reported affiliation | Iranian and IRGC-affiliated |
| Delivery method | SEO poisoning and fake software download page |
| Fake domain | getsqldeveloper[.]com |
| Main payload | MiniFast backdoor |
| Target theme | Oracle SQL Developer download |

Nimbus Manticore changed its delivery method

Nimbus Manticore has a history of targeting aviation, aerospace, defense, telecommunications, and software-linked organizations. A Mandiant analysis of UNC1549 previously described the group’s custom malware, targeted lures, and focus on aerospace and defense environments.

Check Point’s latest report says the group still used career-themed lures in other waves, including fake job opportunities and a Trojanized Zoom installer. The SQL Developer campaign added a new route by placing a malicious site where users might find it through a normal search.

This matters because SEO poisoning reduces the attacker’s need to send a convincing email. The victim may arrive at the malicious site on their own after searching for a trusted tool, which can make the download feel safer.

MiniFast used AppDomain hijacking for stealth

The fake SQL Developer installer used AppDomain hijacking, a .NET execution technique that lets malware load inside the flow of a trusted application. MITRE ATT&CK tracks this behavior as AppDomainManager under the broader Hijack Execution Flow technique.

In this attack, the malware abused how .NET applications load configuration files and assemblies. That allowed the malicious DLL to execute in the context of a legitimate process, helping it blend into normal application activity.
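The configuration-file side of this technique is something defenders can inspect directly. A .NET application config (the `*.exe.config` file beside an executable) can name a custom AppDomainManager under its `<runtime>` element, and the runtime will load that assembly when the application starts. The scanner below is an added example written for this article, not Check Point's tooling or anything from the campaign; it walks a directory tree, parses every `*.exe.config`, reports the ones that declare an AppDomainManager, and notes whether a DLL matching the declared assembly name sits in the same folder. The sample application folders, the config contents and the `UpdateHelper` assembly and type names are constructed for the demo.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Child elements of <runtime> in a .NET application config file that name a
# custom AppDomainManager. Legitimate applications rarely set them, so a
# *.exe.config that does, with the named assembly sitting beside the executable,
# is the pattern worth triaging.
MANAGER_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def inspect_config(path):
    """Return the AppDomainManager settings declared in one config file ({} if none)."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return {}
    runtime = root.find("runtime")
    if runtime is None:
        return {}
    found = {}
    for element in runtime:
        tag = element.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag in MANAGER_ELEMENTS:
            found[tag] = element.get("value", "")
    return found


def find_manager_configs(root_dir):
    """Walk root_dir and return one record per *.exe.config that sets an AppDomainManager.

    Each record is (config_path, settings, sidecar_present); sidecar_present is True
    when a DLL matching the declared assembly name sits in the same folder.
    """
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            cfg_path = os.path.join(dirpath, name)
            settings = inspect_config(cfg_path)
            if not settings:
                continue
            # The assembly value is a display name: "Name, Version=..., Culture=..., PublicKeyToken=..."
            asm_name = settings.get("appDomainManagerAssembly", "").split(",", 1)[0].strip()
            sidecar = bool(asm_name) and os.path.exists(os.path.join(dirpath, asm_name + ".dll"))
            hits.append((cfg_path, settings, sidecar))
    return hits


BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

# Constructed sample of what a planted config looks like; assembly and type names are made up.
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>
"""


def build_sample_tree():
    """Create a temp directory with one benign and one suspicious app folder (constructed data)."""
    base = tempfile.mkdtemp(prefix="appdomain_scan_")
    benign = os.path.join(base, "GoodApp")
    planted = os.path.join(base, "Installer")
    os.makedirs(benign)
    os.makedirs(planted)
    with open(os.path.join(benign, "GoodApp.exe.config"), "w") as f:
        f.write(BENIGN_CONFIG)
    with open(os.path.join(planted, "setup.exe.config"), "w") as f:
        f.write(SUSPICIOUS_CONFIG)
    with open(os.path.join(planted, "UpdateHelper.dll"), "wb") as f:
        f.write(b"")  # empty placeholder standing in for the sidecar assembly
    return base


if __name__ == "__main__":
    for cfg, settings, sidecar in find_manager_configs(build_sample_tree()):
        print(f"{cfg}: {settings} sidecar_dll_present={sidecar}")
```

Pointing `find_manager_configs` at user-writable locations such as Downloads or temp folders is the useful triage: a freshly downloaded installer that ships its own `*.exe.config` naming an AppDomainManager, with the assembly alongside it, matches the loading behaviour described above.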

The final payload, MiniFast, is a 64-bit Windows DLL built for remote access. Check Point said it can run shell commands, list and manage files, enumerate processes, upload data, and attempt privilege escalation.

  • MiniFast communicates through structured HTTP endpoints.
  • It uses a hardcoded Chrome-like User-Agent string to blend into browser traffic.
  • It can execute shell commands on the infected system.
  • It can manage files and list running processes.
  • It can attempt privilege escalation after initial compromise.

Researchers saw signs of AI-assisted malware development

Check Point said MiniFast appears to include signs of AI-assisted development. Researchers pointed to verbose function names, excessive error handling, detailed debug messages, and repetitive coding patterns as possible indicators.

That does not mean the malware ran inside an AI system. It means the developers may have used large language models to accelerate coding, debugging, and tool updates while operating under wartime pressure.

The finding matters because faster malware development can shorten the time between campaign changes. A group can test new lures, update payloads, and rebuild infrastructure more quickly when automation helps with repetitive coding work.

| Observed behavior | Defensive meaning |
| --- | --- |
| SEO poisoning | Monitor software downloads from search results and block lookalike domains |
| Fake SQL Developer page | Train users to use vendor download pages and bookmarks |
| AppDomain hijacking | Watch unusual .NET config files and DLL load behavior |
| MiniFast HTTP traffic | Inspect unusual browser-like outbound requests from non-browser processes |
| Scheduled task changes | Alert on unexpected persistence attempts after installer execution |

Official download habits matter more after this campaign

Users should download SQL Developer only from Oracle-controlled pages. The official SQL Developer downloads page lists current builds, platform-specific packages, file names, and SHA256 hashes that users can compare before running downloaded files.
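Comparing a downloaded file against the vendor's published SHA256 value is a small step that defeats a swapped installer outright. The helper below is an added example for this article, not Oracle's or Check Point's code: it hashes a file in chunks, looks the file name up in a manifest copied from the vendor page, and distinguishes a good file, a tampered file, and a file whose name is not on the vendor page at all (which, for an installer obtained from a lookalike site, is itself a signal). The installer bytes, file names and the hash values in the manifest are constructed inside the demo, not taken from any real download page.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, manifest):
    """Compare a downloaded file against a manifest of {file name: expected SHA256 hex}.

    The manifest is what an operator copies from the vendor's download page.
    Returns 'ok', 'mismatch', or 'unlisted' (file name not published by the vendor).
    """
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    actual = sha256_file(path)
    # compare_digest avoids timing differences; hex case is normalised first.
    if hmac.compare_digest(actual.lower(), expected.strip().lower()):
        return "ok"
    return "mismatch"


# Constructed stand-ins for installer bytes; the manifest hash is computed from
# them here, not copied from any vendor page.
GENUINE_BYTES = b"constructed stand-in for the vendor's installer bytes"
TAMPERED_BYTES = GENUINE_BYTES + b"\x00"
VENDOR_MANIFEST = {"sqldeveloper-example.zip": hashlib.sha256(GENUINE_BYTES).hexdigest()}


def run_demo():
    """Write a genuine, a tampered and an unlisted sample file; return their verdicts."""
    base = tempfile.mkdtemp(prefix="dl_verify_")
    genuine_dir = os.path.join(base, "from_vendor")
    tampered_dir = os.path.join(base, "from_lookalike")
    os.makedirs(genuine_dir)
    os.makedirs(tampered_dir)
    genuine = os.path.join(genuine_dir, "sqldeveloper-example.zip")
    tampered = os.path.join(tampered_dir, "sqldeveloper-example.zip")
    unlisted = os.path.join(tampered_dir, "SQLDeveloper_Setup.exe")
    for path, data in ((genuine, GENUINE_BYTES), (tampered, TAMPERED_BYTES), (unlisted, TAMPERED_BYTES)):
        with open(path, "wb") as f:
            f.write(data)
    return (
        verify_download(genuine, VENDOR_MANIFEST),
        verify_download(tampered, VENDOR_MANIFEST),
        verify_download(unlisted, VENDOR_MANIFEST),
    )


if __name__ == "__main__":
    print(run_demo())  # expected: ('ok', 'mismatch', 'unlisted')
```

In practice the manifest is filled from the official downloads page over a known-good connection, and execution is allowed only on an `ok` result.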

Organizations should also reduce reliance on search results for common software downloads. IT teams can publish approved internal software catalogs, browser bookmarks, and endpoint allowlists for tools such as Oracle SQL Developer.

For enterprise defenders, the safer approach is to assume developers and administrators will remain attractive targets. Database tools, VPN clients, meeting apps, and remote access software all make strong lures because users expect to install them.

What security teams should check now

Security teams should hunt for the fake domain, the reported infrastructure, and suspicious activity after SQL Developer downloads. The presence of getsqldeveloper[.]com in browser, proxy, DNS, or EDR logs should trigger an investigation.

Endpoint teams should also review unexpected scheduled task changes and unusual DLL loading around installer execution. MITRE’s AppDomainManager technique page gives defenders useful context for how AppDomain hijacking can support stealthy execution.

The campaign also overlaps with earlier UNC1549 activity. The Google Cloud Mandiant report remains useful for teams tracking the group’s broader targeting, malware families, and operational patterns.

  • Search DNS, proxy, and browser logs for getsqldeveloper[.]com.
  • Block related suspicious Azure Websites and lookalike business domains.
  • Check recent SQL Developer installers against known good hashes.
  • Review suspicious .config files placed beside .NET executables.
  • Alert on non-browser processes using Chrome-like User-Agent strings.
  • Investigate new scheduled tasks created near suspicious installer activity.
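Two of the items above, the indicator domain and the Chrome-like User-Agent coming from a non-browser process (the MiniFast traffic characteristic described earlier), can be hunted with the same pass over endpoint network telemetry. The script below is an added example for this article, not Check Point's or any vendor's detection content. It parses a constructed key=value event log (not any product's real format), flags any connection to getsqldeveloper[.]com or a subdomain of it, and flags Chrome-style User-Agent strings presented by processes outside a browser allowlist. The host name, process names, timestamps and the `updates.example-cdn.net` destination are made up for the sample.

```python
import re

# Indicator named in the reporting on this campaign, kept defanged in the config.
IOC_DOMAINS = {"getsqldeveloper[.]com"}

# Processes expected to present a browser User-Agent. Extend for your estate.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"}

CHROME_UA = re.compile(r"\bChrome/\d+")

# Constructed sample events in a simple key=value layout (not any product's real format).
SAMPLE_LOG = """\
2026-04-10T09:12:01Z host=ws-dev07 process=chrome.exe pid=4120 dest=www.oracle.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
2026-04-10T09:13:44Z host=ws-dev07 process=chrome.exe pid=4120 dest=www.getsqldeveloper.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
2026-04-10T09:15:02Z host=ws-dev07 process=sqldeveloper.exe pid=5210 dest=updates.example-cdn.net ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
2026-04-10T09:16:30Z host=ws-dev07 process=svchost.exe pid=1204 dest=update.microsoft.com ua="Microsoft-Delivery-Optimization/10.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) process=(?P<process>\S+) pid=(?P<pid>\d+) '
    r'dest=(?P<dest>\S+) ua="(?P<ua>[^"]*)"$'
)


def refang(domain):
    """Turn the defanged form used in reports back into a matchable host name."""
    return domain.replace("[.]", ".").lower()


def matches_ioc(dest):
    """True if dest is an indicator domain or a subdomain of one."""
    dest = dest.lower().rstrip(".")
    for ioc in map(refang, IOC_DOMAINS):
        if dest == ioc or dest.endswith("." + ioc):
            return True
    return False


def hunt(log_text):
    """Return (timestamp, process, dest, reason) for each event worth investigating."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ev = m.groupdict()
        if matches_ioc(ev["dest"]):
            findings.append((ev["ts"], ev["process"], ev["dest"], "ioc_domain"))
        elif CHROME_UA.search(ev["ua"]) and ev["process"].lower() not in BROWSER_PROCESSES:
            findings.append((ev["ts"], ev["process"], ev["dest"], "chrome_ua_from_non_browser"))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The User-Agent rule is intentionally broad: a handful of legitimate updaters and embedded browser components will also trip it, so tune `BROWSER_PROCESSES` to the estate and treat the IOC-domain match as the high-confidence alert and the User-Agent match as a lead to triage.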

SEO poisoning is becoming a stronger software supply-chain risk

The campaign shows why software distribution trust cannot depend only on search ranking. A fake page can look useful, rank well, and still deliver malware that reaches developer workstations or administrator systems.

Check Point said this was the first time it saw Nimbus Manticore using SEO poisoning as a malware delivery method. The Check Point Research report also tied the campaign to rapid infrastructure changes and AI-assisted development patterns.

The safest fix starts with software hygiene. Users should avoid third-party download pages, administrators should enforce approved download sources, and security teams should compare downloaded files against values on the official Oracle download page before allowing execution.

For Nimbus Manticore, the move into search-based malware delivery gives the group a wider path to potential victims. For defenders, it adds one more place to monitor: the moment a trusted software search turns into an attacker-controlled download.

FAQ

What happened in the fake SQL Developer campaign?

Nimbus Manticore used SEO poisoning to push a fake SQL Developer download site. Users who downloaded the fake installer received MiniFast, a Windows backdoor built for remote access.

Who is Nimbus Manticore?

Nimbus Manticore is an Iran-linked threat group also tracked as UNC1549. Researchers have connected the group to campaigns targeting aviation, aerospace, defense, telecommunications, and software-linked organizations.

What is MiniFast malware?

MiniFast is a 64-bit Windows DLL backdoor reported by Check Point. It can run commands, manage files, list processes, upload data, communicate with attacker servers, and attempt privilege escalation.

What is AppDomain hijacking?

AppDomain hijacking is a .NET execution technique where attackers abuse application configuration and loading behavior to run malicious code inside a trusted process.

How can users avoid fake SQL Developer installers?

Users should download SQL Developer only from Oracle’s official website, verify file names and hashes where possible, avoid search-result download mirrors, and report suspicious installer pages to security teams.
