Cybersecurity experts are sounding the alarm as two large-scale threat campaigns reveal the evolving landscape of state-sponsored espionage and global cybercrime.
Check Point Research, the Threat Intelligence division of Check Point Software Technologies, has exposed both a surge in Iranian-linked espionage operations across Europe and a sprawling fraud network designed to exploit the FIFA World Cup 2026.
Iranian APT Group expands into Europe
Traditionally focused on the Middle East, the Iranian-backed group Nimbus Manticore, also known as UNC1549 or Smoke Sandstorm, has shifted its operations to Western Europe. According to Check Point Research, the advanced persistent threat (APT) is targeting defense contractors, aerospace firms, and telecommunications companies in Denmark, Sweden, and Portugal.
The campaign relies on fake job portals that mimic major corporations such as Boeing, Airbus, and Rheinmetall. Victims are lured with customized login credentials, which deliver malware-laden files. New malicious tools include MiniJunk, designed to maintain long-term access using novel DLL sideloading techniques, and MiniBrowse, which harvests browser credentials from Chrome and Edge.
Attackers have also moved infrastructure to cloud-based platforms like Azure App Service and Cloudflare, increasing resilience and anonymity. These campaigns align with the intelligence priorities of Iran’s Islamic Revolutionary Guard Corps (IRGC), signaling a long-term, strategic espionage effort at a time of heightened geopolitical tensions.
Websites used to deliver malicious archives after successful login (Image by Check Point Research).
“The latest Nimbus Manticore activity marks a qualitative leap in how state-linked actors combine sophisticated malware with advanced infrastructures to strike sensitive European targets,” said Eusebio Nieva, Technical Director at Check Point Software for Spain and Portugal.
Global cybercrime targets FIFA World Cup 2026
Alongside state-sponsored operations, Check Point Research has uncovered a global cyberfraud network capitalizing on the FIFA World Cup 2026. More than 4,300 fake domains have been registered, many imitating FIFA and host cities such as Dallas, Miami, Toronto, and Mexico City. Some domains even reference future tournaments in 2030 and 2034, suggesting long-term criminal planning.
The fraudulent infrastructure includes phishing kits, fake ticketing portals, and botnets engineered to overwhelm official ticket sales. These tools are capable of manipulating dynamic pricing and monopolizing high-demand seats, undermining FIFA’s systems and leaving fans vulnerable to financial fraud and malware.
Beyond fans, the risks extend to FIFA sponsors, host cities, and online platforms, which may suffer brand abuse, illegal trade, and reputational damage. “What we’re seeing is not isolated cybercrime, but the construction of large-scale infrastructure aligned with FIFA’s official calendar,” said Rafael López, Security Engineer at Check Point Software.
A call for vigilance
The two cases highlight the breadth of today’s cyber risks: from state-backed espionage campaigns against critical industries to globally orchestrated fraud targeting mass audiences. Check Point Research emphasizes the need for multilayered security strategies that combine advanced threat prevention, domain monitoring, and public awareness campaigns.
For businesses, the message is clear: cybersecurity can no longer be reactive. Whether protecting sensitive defense projects or safeguarding global sports fans, resilience depends on anticipating adversaries who innovate constantly and operate at global scale.
Sources:
- Check Point Research PR.
