From 7d18bdf4cf0e8f9c82ed2a13db9c597a7426bbf7 Mon Sep 17 00:00:00 2001 From: Jonathan Peters <143413578+cod3nym@users.noreply.github.com> Date: Mon, 1 Jun 2026 12:08:05 +0200 Subject: [PATCH 1/7] Create apt_apt35_malware_may26.yar --- yara/apt_apt35_malware_may26.yar | 83 ++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 yara/apt_apt35_malware_may26.yar diff --git a/yara/apt_apt35_malware_may26.yar b/yara/apt_apt35_malware_may26.yar new file mode 100644 index 00000000..ef68c1a1 --- /dev/null +++ b/yara/apt_apt35_malware_may26.yar @@ -0,0 +1,83 @@ +rule SUSP_ScheduledTasks_Nimbus_Manticore_Persistence_May26 { + meta: + description = "Detects scheduled task used for persistence by Nimbus Manticore (UNC1549). The task is used to persistenly load a custom implant that features data exfiltration and remote control capabilities." + author = "Jonathan Peters (cod3nym)" + date = "2026-05-27" + reference = "Internal Research" + score = 75 + strings: + $a0 = " Date: Mon, 1 Jun 2026 12:09:21 +0200 Subject: [PATCH 2/7] Create susp_generic_rules_may26.yar --- yara/susp_generic_rules_may26.yar | 36 +++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 yara/susp_generic_rules_may26.yar diff --git a/yara/susp_generic_rules_may26.yar b/yara/susp_generic_rules_may26.yar new file mode 100644 index 00000000..20453975 --- /dev/null +++ b/yara/susp_generic_rules_may26.yar 
@@ -0,0 +1,36 @@
+rule SUSP_AppDomainInjection_Keyword_May26 {
+ meta:
+ description = "Detects link files, archives and binaries that contain keywords related to AppDomain hijacking/injection a technique used by malware to sideload payloads."
+ author = "Jonathan Peters (cod3nym)"
+ date = "2026-05-27"
+ reference = "https://attack.mitre.org/techniques/T1574/014/"
+ hash = "eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71"
+ score = 70
+ strings:
+ $x1 = "AppDomainInjection" ascii wide fullword
+ $x2 = "AppDomainHijack" ascii wide fullword
+ condition:
+ (
+ uint16(0) == 0x5a4d // PE
+ or uint16(0) == 0x4b50 // ZIP
+ or uint32(0x8000) == 0x30444301 // ISO
+ or uint16(0) == 0x004c and uint32(4) == 0x00021401 // LNK
+ )
+ and 1 of ($x*)
+}
+
+rule SUSP_PE_Contains_Encrypted_Executable_May26 {
+ meta:
+ description = "Detects executables containing an encrypted embedded payload using parameters commonly observed in malware, suggesting obfuscation or staged execution."
+ author = "Jonathan Peters (cod3nym)"
+ date = "2026-05-20"
+ reference = "Internal Research"
+ hash = "eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71"
+ score = 70
+ strings:
+ // MZ header AES encrypted with key: 1234567890123456 and IV: abcdefghijklmnop
+ $op = { ae b6 8d 86 71 f0 a9 c8 90 66 53 31 ef 7f 1f d2 b4 a8 21 bc 39 77 c2 c2 60 db 24 4a 12 32 f9 69 09 09 46 22 a6 d1 0a 5e a7 dc 62 fa 96 56 ad dd }
+ condition:
+ uint16(0) == 0x5a4d
+ and 1 of them
+}
From 709edc70619f6648e6ee55c798c4ad296264485d Mon Sep 17 00:00:00 2001
From: Jonathan Peters <143413578+cod3nym@users.noreply.github.com>
Date: Mon, 1 Jun 2026 12:17:24 +0200
Subject: [PATCH 3/7] Add IOCs for UNC1549
---
 iocs/c2-iocs.txt | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/iocs/c2-iocs.txt b/iocs/c2-iocs.txt
index 072c501b..4429cd9a 100644
--- a/iocs/c2-iocs.txt
+++ b/iocs/c2-iocs.txt
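Review bot: The comment above `$op` in SUSP_PE_Contains_Encrypted_Executable_May26 gives the key and IV but not the cipher mode or exactly which plaintext was encrypted, so the 48-byte pattern cannot be regenerated or extended to further keys from the rule alone; the 16-character key implies AES-128 and the presence of an IV suggests CBC, but the mode should be stated rather than guessed. Once confirmed, I would write it as `// First 48 bytes of the PE DOS header (stops before e_lfanew, so stub variations do not matter), AES-128-CBC with key 1234567890123456 / IV abcdefghijklmnop - regenerate with the same mode when adding keys`. Minor: with a single string declared, `and 1 of them` is equivalent to `and $op`, which reads more directly.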
@@ -1912,4 +1912,18 @@ repocket.com env-check.daemontools.cc 38.180.107.76 +# Nimbus Manticore (UNC1549) APT Backdoor 2026-05-26 (MAL, APT) +globalitconsultants.azurewebsites.net +globalbusiness-checkers-it.azurewebsites.net +global-check-business-it.azurewebsites.net +global-check-itbusiness.azurewebsites.net +global-it-checkbusiness.azurewebsites.net +global-it-consultants.azurewebsites.net +globalit-consultants.azurewebsites.net +global-it-checkers.azurewebsites.net +business-dns-ns-joiners.azurewebsites.net +ebix-exam-join-from-app.azurewebsites.net +business-joiners-exam.azurewebsiets.net +join-exam-now-ebix.azurewebsites.net + # Last Line From 34395034bb8b676b6175d4eb03518bf0a3ff03c7 Mon Sep 17 00:00:00 2001 From: Jonathan Peters <143413578+cod3nym@users.noreply.github.com> Date: Mon, 1 Jun 2026 12:19:44 +0200 Subject: [PATCH 4/7] Add IOCs for UNC1549 campaign --- iocs/filename-iocs.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/iocs/filename-iocs.txt b/iocs/filename-iocs.txt index 0bcf1ade..1048d16b 100644 --- a/iocs/filename-iocs.txt +++ b/iocs/filename-iocs.txt @@ -4577,4 +4577,10 @@ C:\\Windows\\Temp\\imp\.tmp;85 C:\\Windows\\Temp\\piyu\.exe;85 C:\\ProgramData\\Microsoft\\mcrypto\.chiper;85 +# Nimbus Manticore APT Backdoor (UNC1549) 2026-05-26 (MAL, APT) +\\AppData\\Local\\VirtualStore\\result\.con;85 +\\CKAConsent\.dll;85 +\\2FAGuard\\main\.dll;85 +\\2FAGuard\\setup\.exe\.config;85 + # End From 1d702a248326b509483c5bf41e2fa2914784c59a Mon Sep 17 00:00:00 2001 From: Jonathan Peters <143413578+cod3nym@users.noreply.github.com> Date: Mon, 1 Jun 2026 14:26:33 +0200 Subject: [PATCH 5/7] Update apt_apt35_malware_may26.yar Remove highly specific marker to match SUSP nature of the rule --- yara/apt_apt35_malware_may26.yar | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yara/apt_apt35_malware_may26.yar b/yara/apt_apt35_malware_may26.yar index ef68c1a1..7e5d9660 100644 --- a/yara/apt_apt35_malware_may26.yar 
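Review bot: The entry `business-joiners-exam.azurewebsiets.net` spells the App Service suffix differently from the other eleven additions (`azurewebsiets` vs `azurewebsites`); if that is a transcription error the indicator will never match, and if it really is a separately registered look-alike domain it deserves a trailing note so the next maintainer does not "correct" it. Please check it against the source data and either change it to `business-joiners-exam.azurewebsites.net` or annotate it, e.g. `# typo-squat of azurewebsites.net, intentional`.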
+++ b/yara/apt_apt35_malware_may26.yar @@ -6,10 +6,10 @@ rule SUSP_ScheduledTasks_Nimbus_Manticore_Persistence_May26 { reference = "Internal Research" score = 75 strings: - $a0 = " Date: Mon, 1 Jun 2026 15:47:27 +0200 Subject: [PATCH 6/7] Update apt_apt35_malware_may26.yar Add blog post references and company name to author tag --- yara/apt_apt35_malware_may26.yar | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/yara/apt_apt35_malware_may26.yar b/yara/apt_apt35_malware_may26.yar index 7e5d9660..63dd001b 100644 --- a/yara/apt_apt35_malware_may26.yar +++ b/yara/apt_apt35_malware_may26.yar @@ -1,9 +1,9 @@ rule SUSP_ScheduledTasks_Nimbus_Manticore_Persistence_May26 { meta: description = "Detects scheduled task used for persistence by Nimbus Manticore (UNC1549). The task is used to persistenly load a custom implant that features data exfiltration and remote control capabilities." - author = "Jonathan Peters (cod3nym)" + author = "Jonathan Peters (Nextron Systems)" date = "2026-05-27" - reference = "Internal Research" + reference = "https://www.nextron-systems.com/2026/06/01/detecting-nimbus-manticore-and-their-sideloading-infection-chains/" score = 75 strings: $a0 = " Date: Mon, 1 Jun 2026 15:48:41 +0200 Subject: [PATCH 7/7] Update susp_generic_rules_may26.yar Add blog post reference and company name to author --- yara/susp_generic_rules_may26.yar | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yara/susp_generic_rules_may26.yar b/yara/susp_generic_rules_may26.yar index 20453975..ddec1005 100644 --- a/yara/susp_generic_rules_may26.yar +++ b/yara/susp_generic_rules_may26.yar 
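Review bot: `\\CKAConsent\.dll;85` and `\\2FAGuard\\main\.dll;85` in the filename IOC hunk match on basename alone with no directory anchor, so any file by that name anywhere on disk scores 85; if 2FAGuard is a legitimate application whose installer is being abused as the sideloading host (the blog reference added later in this series is titled around sideloading infection chains), a clean install would trip the same entry. Consider tightening both patterns to the drop location seen in the campaign, the way `\\AppData\\Local\\VirtualStore\\result\.con;85` already is, or lowering their score so they surface as leads rather than alerts. The `.exe.config` entry is specific enough to keep as is.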
@@ -1,7 +1,7 @@
 rule SUSP_AppDomainInjection_Keyword_May26 {
 meta:
 description = "Detects link files, archives and binaries that contain keywords related to AppDomain hijacking/injection a technique used by malware to sideload payloads."
- author = "Jonathan Peters (cod3nym)"
+ author = "Jonathan Peters (Nextron Systems)"
 date = "2026-05-27"
 reference = "https://attack.mitre.org/techniques/T1574/014/"
 hash = "eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71"
@@ -22,9 +22,9 @@ rule SUSP_AppDomainInjection_Keyword_May26 {
 rule SUSP_PE_Contains_Encrypted_Executable_May26 {
 meta:
 description = "Detects executables containing an encrypted embedded payload using parameters commonly observed in malware, suggesting obfuscation or staged execution."
- author = "Jonathan Peters (cod3nym)"
+ author = "Jonathan Peters (Nextron Systems)"
 date = "2026-05-20"
- reference = "Internal Research"
+ reference = "https://www.nextron-systems.com/2026/06/01/detecting-nimbus-manticore-and-their-sideloading-infection-chains/"
 hash = "eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71"
 score = 70
 strings: