Check Point Research's May 22 report, Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict, documents an IRGC-affiliated threat actor — tracked as Nimbus Manticore, overlapping with UNC1549 and Smoke Sandstorm — using what analysts describe as AI-assisted malware development to build and adapt tooling at operational speed. The group resurfaced during Operation Epic Fury, the US military campaign against Iran launched February 28, 2026, and pushed a previously undocumented backdoor named MiniFast into live operations while the conflict was still active.
The finding matters because it moves AI-generated malware out of the proof-of-concept column and into a nation-state campaign running in real time. It follows Check Point's January analysis of VoidLink, which it called the first documented case of deployment-ready, AI-generated malware. MiniFast is cruder, but it was shipped under wartime tempo against real targets.
The LLM fingerprints
Check Point does not attribute the code to a specific model, but lists four patterns it reads as indicators of machine-generated code: "excessive error handling and defensive programming logic, even around simple API calls"; "repetitive function and method naming patterns containing descriptive or verbose identifiers"; "multiple detailed error-reporting strings and debug-style status messages"; and "modular code organization despite the malware's overall simplicity." Individually, none is conclusive. Together, the report argues, they fit the signature of an operator using an LLM or automated coding assistant to compress development cycles — the same productivity story enterprises sell, turned to offense.
A new backdoor, a quieter delivery chain
MiniFast is a 64-bit Windows PE DLL exposing a single export, CheckForUpdates, as its main entry point. Its command-and-control protocol uses JSON-formatted handshakes with Base64-encoded serialized task structures and opcode-based command handling; the backdoor supports file management, process enumeration, DLL loading, and persistence via scheduled tasks.
Delivery is where the campaign got more interesting. Alongside the group's familiar fake-job lures, Check Point observed SEO poisoning for the first time: a spoofed getsqldeveloper[.]com site engineered with keyword stuffing and a network of linking domains to rank for "sql developer" searches and serve trojanized installers to engineers hunting for database tooling. Execution then relies on AppDomain hijacking — planting trojanized XML .config files next to legitimate .NET applications so that the runtime loads a malicious AppDomainManager class, which in turn loads attacker DLLs at runtime.
What changes for defenders
For security teams, the takeaway is cadence. AI assistance lets a mid-tier actor iterate tooling faster than signature-based defenses refresh, and SEO-poisoned developer-tool downloads put the initial-access risk squarely on engineering workstations. Treat unsigned database and dev-tool installers as a supply-chain surface, monitor for anomalous AppDomainManager config entries, and assume the gap between a published technique and its weaponized variant keeps shrinking as code generation gets cheaper.
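A defender-side check for the AppDomainManager config entries the paragraph above says to monitor, covering the AppDomain hijacking chain described under the delivery section. This is an added example, not code from the Check Point report; the element names are the real .NET runtime configuration keys, while the sample config, the file names and the UpdateHelper identifier are constructed.

```python
import os
import xml.etree.ElementTree as ET

def parse_appdomain_manager(config_text: str):
    """Return the AppDomainManager assembly/type a <runtime> section names, else None."""
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return {"assembly": asm.get("value", ""), "type": typ.get("value", "")}

def assess(entry: dict, sibling_files: list) -> list:
    """Reasons the entry looks like a hijack: unsigned assembly, DLL dropped beside config."""
    reasons = []
    assembly_name = entry["assembly"].split(",")[0].strip()
    if "publickeytoken=null" in entry["assembly"].replace(" ", "").lower():
        reasons.append("assembly has no strong-name signature")
    if (assembly_name + ".dll").lower() in [f.lower() for f in sibling_files]:
        reasons.append(f"{assembly_name}.dll is dropped next to the config")
    return reasons

def scan_tree(top: str) -> list:
    """Walk a directory tree and report every .config that sets an AppDomainManager."""
    hits = []
    for dirpath, _, files in os.walk(top):
        for name in files:
            if not name.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                entry = parse_appdomain_manager(fh.read())
            if entry:  # legitimate apps almost never set an AppDomainManager
                hits.append((path, entry, assess(entry, files)))
    return hits

# Constructed sample of a planted app.exe.config; "UpdateHelper" is a made-up name.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>"""
```

Run scan_tree against Program Files and user-writable install locations; any hit where assess returns reasons deserves a look, since a signed, vendor-shipped AppDomainManager is rare and an unsigned one sitting beside its .config is the pattern the report describes.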