Overview
- Check Point Research and Palo Alto Unit 42 say the IRGC‑affiliated group ran three waves of operations from February through April 2026 that targeted aviation, software, energy and telecom organizations across the U.S., Europe and the Middle East.
- The campaign introduced a previously undocumented backdoor named MiniFast (also called MiniUpdate) that operates as a full remote access implant and replaced earlier MiniJunk variants.
- Delivery methods evolved across the waves from career‑themed phishing and OnlyOffice‑hosted ZIPs to trojanized Zoom installers and, for the first time observed for this group, SEO poisoning that pushed a fake Oracle SQL Developer download page.
- Analysts found coding patterns in loaders and MiniFast consistent with AI‑assisted development, such as verbose naming, excessive error checks and debug‑style strings, which likely sped malware creation and enabled faster, modular tool changes.
- The shift to opportunistic search‑driven distribution and faster tooling raises the danger to critical infrastructure operators and software developers: a victim who goes looking for a legitimate tool can pull the implant down themselves, with no phishing email for a mail gateway to catch, and rapidly rebuilt, modular tooling churns through file hashes and other static indicators faster than detections are updated, which also complicates attribution.
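The SEO‑poisoning and trojanized‑installer paths above share one observable shape: an installer for a well‑known product is fetched from a host that is not the vendor's, often straight from a search‑engine result page. The following detection sketch over constructed proxy‑log lines is an added example and not code from either research team; the lure‑to‑vendor‑domain mapping, the log format (tab‑separated timestamp, client, URL, referrer) and all hostnames in the sample are assumptions chosen for illustration.

```python
"""Added example: flag installer downloads that land off-vendor, and note when
they arrived via a search-engine referrer (the SEO-poisoning pattern)."""
import re
from typing import Optional
from urllib.parse import urlparse

# Assumed mapping from lure keywords (matched in URL path or host) to the
# domains that legitimately serve that product. Illustrative, not from the report.
VENDOR_DOMAINS = {
    "sqldeveloper": ("oracle.com",),
    "zoom": ("zoom.us", "zoom.com"),
    "onlyoffice": ("onlyoffice.com",),
}
SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.", "yahoo.")
INSTALLER_EXT = re.compile(r"\.(exe|msi|zip|dmg|pkg)$", re.IGNORECASE)


def _registered(host: str) -> str:
    # Crude eTLD+1 (last two labels); adequate here, use a public-suffix list in production.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_search_referrer(referrer: str) -> bool:
    host = (urlparse(referrer).hostname or "").lower()
    return any(marker in host for marker in SEARCH_ENGINES)


def classify_download(url: str, referrer: str) -> Optional[dict]:
    """Return a finding if the URL is an installer for a known product served
    from a non-vendor host; None otherwise."""
    parsed = urlparse(url)
    path = parsed.path.lower()
    if not INSTALLER_EXT.search(path):
        return None
    host = (parsed.hostname or "").lower()
    lure = next((k for k in VENDOR_DOMAINS if k in path or k in host), None)
    if lure is None:
        return None
    reg = _registered(host)
    # Exact registered-domain match or a true subdomain; "oracle.com.evil.example" fails both.
    on_vendor = any(reg == v or host.endswith("." + v) for v in VENDOR_DOMAINS[lure])
    if on_vendor:
        return None
    reasons = ["installer for %s served from non-vendor host %s" % (lure, host)]
    if is_search_referrer(referrer):
        reasons.append("arrived via search referrer (SEO-poisoning pattern)")
    return {"url": url, "lure": lure, "host": host, "reasons": reasons}


def scan_proxy_log(lines):
    """Lines: 'timestamp<TAB>client<TAB>url<TAB>referrer'. Returns a list of findings."""
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # malformed line; skip rather than crash the sweep
        ts, client, url, ref = fields
        finding = classify_download(url, ref)
        if finding:
            finding.update(ts=ts, client=client)
            findings.append(finding)
    return findings


# Constructed sample log: one legitimate Oracle fetch, one lookalike reached from a
# search result, one off-vendor Zoom installer, one legitimate Zoom fetch, one PDF.
SAMPLE_LOG = [
    "2026-03-12T09:14:05Z\t10.1.4.22\thttps://download.oracle.com/otn/java/sqldeveloper/sqldeveloper-23.1.exe\thttps://www.google.com/",
    "2026-03-12T09:20:41Z\t10.1.4.22\thttps://oracle-sqldeveloper-download.example/files/sqldeveloper-23.1.exe\thttps://www.google.com/search?q=oracle+sql+developer+download",
    "2026-03-12T10:02:19Z\t10.1.7.90\thttps://zoom-client-update.example/dl/ZoomInstallerFull.exe\thttps://mail.example.com/",
    "2026-03-12T10:05:00Z\t10.1.7.90\thttps://cdn.zoom.us/prod/ZoomInstallerFull.exe\t-",
    "2026-03-12T10:30:00Z\t10.1.2.5\thttps://example.com/docs/report.pdf\thttps://www.bing.com/",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f["ts"], f["client"], f["url"])
        for r in f["reasons"]:
            print("   -", r)
```

Only the two off‑vendor installers are reported; the search‑referrer reason is added only to the lookalike reached from a results page, which is the signal that separates SEO poisoning from an ordinary unapproved mirror. Tune the domain mapping per environment, and treat a hit as a triage lead, not a verdict.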