Detecting Nimbus Manticore and their sideloading infection chains
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Nimbus Manticore, also tracked as UNC1549, carried out a targeted phishing campaign that used fake recruitment portals to deliver a multi-stage .NET malware chain. The attack abused legitimate Microsoft Visual Studio components together with AppDomain hijacking to load a custom DLL, which then deployed a second-stage DLL and created persistence through a scheduled task. Command-and-control infrastructure was hosted on Azure-based domains. The campaign primarily targeted aerospace and defense organizations across the Middle East and Europe.
Investigation
Researchers reconstructed the full infection chain, starting with the LinkedIn lure and continuing through the ZIP archive, the altered setup.exe.config file, and the encrypted stager. Their analysis revealed abuse of a renamed ServiceHub.VSDetouredHost.exe, the TOTPGuard.dll loader, an AES-encrypted PE header, and a logon-triggered scheduled task named BackupCheck. Network indicators also pointed to several Azure-hosted domains used for command-and-control communications.
Mitigation
Organizations should train employees to spot recruitment-themed social engineering, block or closely monitor newly registered domains, and enforce AppLocker or equivalent controls on user-writable directories. Defenders should also watch for scheduled tasks named BackupCheck or executions using the doit argument. Monitoring for AppDomain hijacking behavior in .NET applications and suspicious traffic to Azure-hosted command-and-control domains is also recommended.
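One concrete way to act on the "monitor for AppDomain hijacking behavior in .NET applications" advice is to audit the application configuration files themselves, since the hijack described on this page is driven by settings in the altered setup.exe.config. The script below is an added example, not code from the original page or from the detection content it describes. It parses a .NET `<name>.exe.config` and reports the real `<appDomainManagerAssembly>` / `<appDomainManagerType>` runtime settings and any `<probing privatePath>` search-path extension; the two sample configs are constructed for the example and the `TOTPGuard.Manager` assembly/type names in them are hypothetical.

```python
import json
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# The <probing> element lives inside <assemblyBinding>, which carries this namespace.
ASM_NS = "urn:schemas-microsoft-com:asm.v1"

# Constructed sample of a tampered config. The element names are the genuine .NET
# <runtime> settings; the assembly and type names are hypothetical.
TAMPERED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="TOTPGuard, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="TOTPGuard.Manager" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib;hidden" />
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Constructed sample of an ordinary config with no runtime overrides.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def audit_config(xml_text):
    """Return a list of findings describing AppDomainManager overrides and probing paths."""
    findings = []
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return findings

    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is not None or typ is not None:
        # Either element alone is enough to make the CLR look for a custom manager,
        # so report the pair together even when one half is missing.
        findings.append({
            "check": "appdomain_manager_override",
            "assembly": asm.get("value") if asm is not None else None,
            "type": typ.get("value") if typ is not None else None,
        })

    for probing in runtime.iter(f"{{{ASM_NS}}}probing"):
        private_path = probing.get("privatePath")
        if private_path:
            # Extra probing directories widen the assembly search order (T1574.008).
            findings.append({"check": "probing_private_path",
                             "paths": private_path.split(";")})
    return findings


def audit_directory(root):
    """Audit every *.exe.config below root; returns {path: findings} for files that raise findings."""
    results = {}
    for cfg in Path(root).rglob("*.exe.config"):
        try:
            findings = audit_config(cfg.read_text(encoding="utf-8-sig"))
        except (ET.ParseError, OSError):
            continue  # unreadable or malformed config: skip, do not crash the sweep
        if findings:
            results[str(cfg)] = findings
    return results


if __name__ == "__main__":
    # With a directory argument, sweep it; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        print(json.dumps(audit_directory(sys.argv[1]), indent=2))
    else:
        print(json.dumps({"tampered": audit_config(TAMPERED_CONFIG),
                          "benign": audit_config(BENIGN_CONFIG)}, indent=2))
```

Run it against a user-writable location such as the AppData folder named in the Response section to surface configs that point the runtime at an assembly that has no business managing AppDomains. A hit on `appdomain_manager_override` inside a user profile is a strong signal; legitimate software that ships this setting is rare and normally lives under Program Files.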
Response
If related activity is detected, isolate the affected endpoint, collect the malicious binaries and scheduled task definition, and block the associated Azure domains as well as the fake recruitment portal. Investigators should perform forensic review of the AppData\2FAGuard folder, remove the persistence task, and hunt for similar activity on other systems using the same YARA signatures. Detection logic should then be updated with the newly identified indicators.
```mermaid
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef file fill:#ccffcc
    classDef process fill:#ffdddd

    %% Nodes
    action_phishing["<b>Action</b> – <b>T1566.002 Spearphishing Link</b><br/>Victims receive LinkedIn messages that impersonate a recruiter and contain a malicious link to a fake hiring portal."]
    class action_phishing action

    action_delivery["<b>Action</b> – Delivery via malicious ZIP<br/>The fake portal provides a ZIP file that contains a disguised Microsoft binary and hidden files."]
    class action_delivery action

    file_malicious_zip["<b>File</b> – <b>Name</b>: payload.zip<br/><b>Contains</b>: setup.exe and additional hidden files"]
    class file_malicious_zip file

    file_setup_exe["<b>File</b> – <b>Name</b>: setup.exe (renamed ServiceHub.VSDetouredHost.exe)<br/><b>Signature</b>: Valid Microsoft code signing"]
    class file_setup_exe file

    action_execution_proxy["<b>Action</b> – <b>T1218 System Binary Proxy Execution</b><br/>Uses the signed Microsoft binary as a proxy to execute malicious code."]
    class action_execution_proxy action

    action_masquerade["<b>Action</b> – <b>T1036.001 Invalid Code Signature Masquerading</b><br/>Renames the legitimate signed binary to appear benign and evade detection."]
    class action_masquerade action

    action_hijack_path["<b>Action</b> – <b>T1574.008 Search Order Hijacking</b><br/>Crafted setup.exe.config manipulates the search order to load attacker-controlled components."]
    class action_hijack_path action

    action_hijack_appdomain["<b>Action</b> – <b>T1574.014 AppDomainManager Hijack</b><br/>Forces the .NET runtime to load the malicious TOTPGuard.dll via the AppDomainManager setting."]
    class action_hijack_appdomain action

    file_totpguard["<b>File</b> – <b>Name</b>: TOTPGuard.dll<br/><b>Purpose</b>: Provides a custom 2FA function used by the malicious payload."]
    class file_totpguard file

    action_ide_extension["<b>Action</b> – <b>T1176.002 IDE Extensions</b><br/>Abuses the Visual Studio IDE host component to execute the payload."]
    class action_ide_extension action

    action_persistence["<b>Action</b> – <b>T1037.001 Scheduled Task</b><br/>Creates a scheduled task named #quot;BackupCheck#quot; that runs at user logon with argument #quot;doit#quot;."]
    class action_persistence action

    action_env_keying["<b>Action</b> – <b>T1480.001 Environmental Keying</b><br/>Deploys an AES-encrypted payload with a hard-coded key and IV, encrypting the MZ header for conditional execution."]
    class action_env_keying action

    action_virtual_instance["<b>Action</b> – <b>T1564.006 Run Virtual Instance</b><br/>Embeds a functional 2FA GUI to blend with legitimate workflow and hide malicious activity."]
    class action_virtual_instance action

    %% Connections
    action_phishing -->|delivers| action_delivery
    action_delivery -->|provides| file_malicious_zip
    file_malicious_zip -->|contains| file_setup_exe
    file_setup_exe -->|used for| action_execution_proxy
    action_execution_proxy -->|combined with| action_masquerade
    action_masquerade -->|enables| action_hijack_path
    action_hijack_path -->|leads to| action_hijack_appdomain
    action_hijack_appdomain -->|loads| file_totpguard
    file_totpguard -->|enables| action_ide_extension
    action_ide_extension -->|supports| action_persistence
    action_persistence -->|establishes| action_env_keying
    action_env_keying -->|facilitates| action_virtual_instance
```
Attack Flow
Detections
- Possible Azurewebsites Domain Contacted By Uncommon Process (via dns_query)
- Suspicious Scheduled Task (via audit)
- IOCs (HashSha256) to detect: Detecting Nimbus Manticore and their sideloading infection chains
- IOCs (SourceIP) to detect: Detecting Nimbus Manticore and their sideloading infection chains
- IOCs (DestinationIP) to detect: Detecting Nimbus Manticore and their sideloading infection chains
- Detection of Nimbus Manticore C2 Communication via Azure Domains [Windows Network Connection]
- Detection of Nimbus Manticore Sideloading Infection Chain [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- Attack Narrative & Commands:
An attacker has obtained a copy of a legitimate signed Visual Studio binary, saved it under the benign-looking name setup.exe to avoid suspicion, and placed it in a writable directory. They craft a malicious DLL named TOTPGuard.dll that contains the payload. To hijack the AppDomain, they embed the string AppDomainInjection in the PDB path argument. The attacker then launches the executable with the following command line:
C:\Temp\setup.exe /install /doit /dll "C:\Temp\TOTPGuard.dll" /pdb "C:\Temp\AppDomainInjection.pdb"
This exact invocation satisfies all three CommandLine|contains conditions in the Sigma rule, causing the rule to fire on the ProcessCreate event.
- Regression Test Script:
```powershell
# -------------------------------------------------
# Regression script to trigger the Nimbus Manticore detection
# -------------------------------------------------
$exePath = "C:\Temp\setup.exe"
$dllPath = "C:\Temp\TOTPGuard.dll"
$pdbPath = "C:\Temp\AppDomainInjection.pdb"

# Ensure the files exist (create dummy placeholders for the test)
New-Item -ItemType File -Path $exePath -Force | Out-Null
New-Item -ItemType File -Path $dllPath -Force | Out-Null
New-Item -ItemType File -Path $pdbPath -Force | Out-Null

# Build the command line the detection rule looks for
$arguments = @(
    "/install"
    "/doit"
    "/dll `"$dllPath`""
    "/pdb `"$pdbPath`""
) -join " "

Write-Host "Launching setup.exe with arguments:"
Write-Host $arguments

# Execute the process. An empty placeholder is not a valid PE image, so
# Start-Process fails instead of spawning a process; the process-creation
# telemetry the rule needs only appears when $exePath is a real executable.
try {
    Start-Process -FilePath $exePath -ArgumentList $arguments -PassThru -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Could not start ${exePath}: $($_.Exception.Message)"
}
```
- Cleanup Commands:
```powershell
# -------------------------------------------------
# Cleanup artifacts created for the regression test
# -------------------------------------------------
$paths = @(
    "C:\Temp\setup.exe",
    "C:\Temp\TOTPGuard.dll",
    "C:\Temp\AppDomainInjection.pdb"
)
foreach ($p in $paths) {
    if (Test-Path $p) {
        Remove-Item -Path $p -Force
        Write-Host "Removed $p"
    }
}
```
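The narrative above states that the process-creation rule fires when all three CommandLine substrings are present, and the Detections list adds a scheduled-task rule and an azurewebsites.net lookup from an uncommon process. The following Python script is an added example, not the page's own Sigma content or any vendor's rule engine: it encodes those three checks as plain functions and runs them over constructed sample events shaped loosely like Sysmon ProcessCreate/DnsQuery fields and the Windows 4698 task-registration audit event. The user names, paths and hostnames in the sample events are made up; `placeholder-c2.azurewebsites.net` is a placeholder, not an indicator from the page.

```python
import re

# Constructed sample telemetry (not real logs). Paths and hostnames are made up.
EVENTS = [
    {"type": "process_create",
     "Image": r"C:\Users\alice\AppData\Roaming\2FAGuard\setup.exe",
     "CommandLine": (r'"C:\Users\alice\AppData\Roaming\2FAGuard\setup.exe" /install /doit '
                     r'/dll "C:\Users\alice\AppData\Roaming\2FAGuard\TOTPGuard.dll" '
                     r'/pdb "C:\Users\alice\AppData\Roaming\2FAGuard\AppDomainInjection.pdb"')},
    {"type": "process_create",   # the genuine host binary launched from its install path
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\ServiceHub\ServiceHub.VSDetouredHost.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\ServiceHub\ServiceHub.VSDetouredHost.exe"'},
    {"type": "task_create", "TaskName": r"\BackupCheck",
     "TaskContent": "<Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\2FAGuard\\setup.exe</Command>"
                    "<Arguments>doit</Arguments></Exec>"},
    {"type": "task_create", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": "<Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>"},
    {"type": "dns_query", "Image": r"C:\Users\alice\AppData\Roaming\2FAGuard\setup.exe",
     "QueryName": "placeholder-c2.azurewebsites.net"},
    {"type": "dns_query", "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "QueryName": "contoso-app.azurewebsites.net"},
]

# The three substrings the narrative says the process-creation rule requires together.
SIDELOAD_MARKERS = ("setup.exe", "TOTPGuard.dll", "AppDomainInjection")

# Processes that routinely resolve cloud hostnames; anything else counts as "uncommon".
# Assumed allowlist for the example; tune it from your own baseline.
COMMON_DNS_CLIENTS = {"msedge.exe", "chrome.exe", "firefox.exe", "svchost.exe", "outlook.exe"}


def rule_sideload_chain(ev):
    """Process creation whose command line carries all three chain markers."""
    cmdline = ev.get("CommandLine", "").lower()
    return all(marker.lower() in cmdline for marker in SIDELOAD_MARKERS)


def rule_scheduled_task(ev):
    """Task registration named BackupCheck, or whose action passes the doit argument."""
    if "backupcheck" in ev.get("TaskName", "").lower():
        return True
    return re.search(r"<Arguments>[^<]*\bdoit\b", ev.get("TaskContent", ""), re.I) is not None


def rule_azure_dns_uncommon_process(ev):
    """azurewebsites.net lookup issued by a process outside the common-client set."""
    query = ev.get("QueryName", "").lower()
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return query.endswith(".azurewebsites.net") and image not in COMMON_DNS_CLIENTS


# Event type -> (rule name, predicate). One rule per telemetry source keeps the example small.
RULES = {
    "process_create": ("nimbus_manticore_sideload_chain", rule_sideload_chain),
    "task_create": ("suspicious_scheduled_task", rule_scheduled_task),
    "dns_query": ("azurewebsites_uncommon_process", rule_azure_dns_uncommon_process),
}


def run_detections(events):
    """Return (rule_name, event) pairs for every event that trips the rule for its type."""
    hits = []
    for ev in events:
        rule = RULES.get(ev.get("type"))
        if rule is not None and rule[1](ev):
            hits.append((rule[0], ev))
    return hits


if __name__ == "__main__":
    for name, ev in run_detections(EVENTS):
        print(f"[{name}] {ev.get('Image') or ev.get('TaskName')}")
```

Note that only the first process-creation event matches: the genuine ServiceHub.VSDetouredHost.exe launched from its install path carries none of the three markers, which is what keeps this rule from firing on ordinary Visual Studio activity. The DNS rule is the noisiest of the three because the allowlist decides what "uncommon" means, so populate it from a baseline of your own fleet before alerting on it.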