threatcode · pull · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
diff --git a/iocs/c2-iocs.txt b/iocs/c2-iocs.txt
@@ -1912,4 +1912,18 @@ repocket.com
 env-check.daemontools.cc
 38.180.107.76
 
+# Nimbus Manticore (UNC1549) APT Backdoor 2026-05-26 (MAL, APT)
+globalitconsultants.azurewebsites.net
+globalbusiness-checkers-it.azurewebsites.net
+global-check-business-it.azurewebsites.net
+global-check-itbusiness.azurewebsites.net
+global-it-checkbusiness.azurewebsites.net
+global-it-consultants.azurewebsites.net
+globalit-consultants.azurewebsites.net
+global-it-checkers.azurewebsites.net
+business-dns-ns-joiners.azurewebsites.net
+ebix-exam-join-from-app.azurewebsites.net
+business-joiners-exam.azurewebsiets.net
+join-exam-now-ebix.azurewebsites.net
+
 # Last Line
diff --git a/iocs/filename-iocs.txt b/iocs/filename-iocs.txt
@@ -4577,4 +4577,10 @@ C:\\Windows\\Temp\\imp\.tmp;85
 C:\\Windows\\Temp\\piyu\.exe;85
 C:\\ProgramData\\Microsoft\\mcrypto\.chiper;85
 
+# Nimbus Manticore APT Backdoor (UNC1549) 2026-05-26 (MAL, APT)
+\\AppData\\Local\\VirtualStore\\result\.con;85
+\\CKAConsent\.dll;85
+\\2FAGuard\\main\.dll;85
+\\2FAGuard\\setup\.exe\.config;85
+
 # End
diff --git a/yara/apt_apt35_malware_may26.yar b/yara/apt_apt35_malware_may26.yar
@@ -0,0 +1,83 @@
+rule SUSP_ScheduledTasks_Nimbus_Manticore_Persistence_May26 {
+   meta:
+      description = "Detects scheduled task used for persistence by Nimbus Manticore (UNC1549). The task is used to persistenly load a custom implant that features data exfiltration and remote control capabilities."
+      author = "Jonathan Peters (Nextron Systems)"
+      date = "2026-05-27"
+      reference = "https://www.nextron-systems.com/2026/06/01/detecting-nimbus-manticore-and-their-sideloading-infection-chains/"
+      score = 75
+   strings:
+      $a0 = "<Task version=" wide
+      $a1 = "xmlns=\"http://schemas.microsoft.com/windows/" wide
+
+      $x1 = "<Arguments>doit" wide
+   condition:
+      uint16(0) == 0xfeff
+      and all of them
+}
+
+rule MAL_APT_Nimbus_Manticore_Stager_May26 {
+   meta:
+      description = "Detects .NET based stager using AppDomain Hijacking observed to be used by Nimbus Manticore (UNC1549). The stager drops another payload and establishes persistence via scheduled task."
+      author = "Jonathan Peters (Nextron Systems)"
+      date = "2026-05-20"
+      reference = "https://www.nextron-systems.com/2026/06/01/detecting-nimbus-manticore-and-their-sideloading-infection-chains/"
+      hash = "eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71"
+      score = 80
+   strings:
+      $x1 = "MyCompany-Product-TOTP-Salt-2024!@#$" wide fullword
+      $x2 = "TOTPGuardRunner" ascii fullword
+      $x3 = "\\AppDomainInjection-metlifeScenario\\TOTP" ascii
+
+      $sa1 = "EncData" ascii fullword
+      $sa2 = "DecryptAndSaveToDesktop" ascii fullword
+      $sa3 = "CopyHelloToDesktop" ascii fullword
+
+      $sb1 = "doit" wide fullword
+      $sb2 = "DailyTrigger" wide fullword
+      $sb3 = "GetTypeFromCLSID" ascii
+      $sb4 = "yyyy-MM-ddTHH:mm:ss" wide fullword
+   condition:
+      uint16(0) == 0x5a4d
+      and
+      (
+         1 of ($x*)
+         or all of ($sa*)
+         or all of ($sb*)
+      )
+}
+
+rule MAL_APT_Nimbus_Manticore_Agent_May26 {
+   meta:
+      description = "Detects Nimbus Manticore (UNC1549) agent implant featuring data exfiltration and remote control."
+      author = "Jonathan Peters (Nextron Systems)"
+      date = "2026-05-28"
+      reference = "https://www.nextron-systems.com/2026/06/01/detecting-nimbus-manticore-and-their-sideloading-infection-chains/"
+      hash = "dfa1e3137a032ee8561a1cd5e1a0f71a10bebb36aef7c336c878638a9c1239ee"
+      score = 80
+   strings:
+      $a1 = "Chrome/146.0.0.0 Safari/537.36" wide
+      $a2 = ".azurewebsites.net" wide
+
+      $s1 = "/agent/poll?token=" wide fullword
+      $s2 = "/agent/init" wide fullword
+      $s3 = "/agent/result" wide fullword
+   condition:
+      uint16(0) == 0x5a4d
+      and 1 of ($a*) 
+      and 1 of ($s*)
+      or 3 of them
+}
+
+rule SUSP_Nimbus_Manticore_PDF_Indicators_May26 {
+   meta:
+      description = "Detects inidcators found in PDF files created by Nimbus Manticore (UNC1549). The PDF files usually contain fake job offers or descriptions to lure victims into installing malware."
+      author = "Jonathan Peters (Nextron Systems)"
+      date = "2026-05-25"
+      reference = "https://www.nextron-systems.com/2026/06/01/detecting-nimbus-manticore-and-their-sideloading-infection-chains/"
+      hash = "620c51f4376cb79f0109c21971c28661418ae50b119585e3ffdb8011189fcb7b"
+      score = 70
+   strings:
+      $op = { 3C 3C 2F 41 75 74 68 6F 72 28 4A 65 72 72 79 29 20 2F 43 72 65 61 74 6F 72 28 FE FF 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 AE 00 20 00 57 00 6F 00 72 00 64 00 20 00 4C 00 54 00 53 00 43 29 }
+   condition:
+      1 of them
+}
diff --git a/yara/susp_generic_rules_may26.yar b/yara/susp_generic_rules_may26.yar
@@ -0,0 +1,36 @@
+rule SUSP_AppDomainInjection_Keyword_May26 {
+   meta:
+      description = "Detects link files, archives and binaries that contain keywords related to AppDomain hijacking/injection a technique used by malware to sideload payloads."
+      author = "Jonathan Peters (Nextron Systems)"
+      date = "2026-05-27"
+      reference = "https://attack.mitre.org/techniques/T1574/014/"
+      hash = "eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71"
+      score = 70
+   strings:
+      $x1 = "AppDomainInjection" ascii wide fullword
+      $x2 = "AppDomainHijack" ascii wide fullword
+   condition:
+      (
+         uint16(0) == 0x5a4d // PE
+         or uint16(0) == 0x4b50 // ZIP
+         or uint32(0x8000) == 0x30444301 // ISO
+         or uint16(0) == 0x004c and uint32(4) == 0x00021401 // LNK
+      )
+      and 1 of ($x*)
+}
+
+rule SUSP_PE_Contains_Encrypted_Executable_May26 {
+   meta:
+      description = "Detects executables containing an encrypted embedded payload using parameters commonly observed in malware, suggesting obfuscation or staged execution."
+      author = "Jonathan Peters (Nextron Systems)"
+      date = "2026-05-20"
+      reference = "https://www.nextron-systems.com/2026/06/01/detecting-nimbus-manticore-and-their-sideloading-infection-chains/"
+      hash = "eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71"
+      score = 70
+   strings:
+      // MZ header AES encrypted with key: 1234567890123456 and IV: abcdefghijklmnop
+      $op = { ae b6 8d 86 71 f0 a9 c8 90 66 53 31 ef 7f 1f d2 b4 a8 21 bc 39 77 c2 c2 60 db 24 4a 12 32 f9 69 09 09 46 22 a6 d1 0a 5e a7 dc 62 fa 96 56 ad dd }
+   condition:
+      uint16(0) == 0x5a4d
+      and 1 of them
+}