A new wave of targeted espionage attacks has put technology professionals across the United States, Israel, and the United Arab Emirates on high alert.
The threat comes from an Iran-linked hacking group deploying two families of remote access trojans through cleverly disguised recruitment lures and fake software installers.
The campaign began as early as mid-February 2026 and continued expanding, with fresh samples appearing as recently as mid-April. Researchers believe the surge closely follows a Middle East regional conflict that started on February 28, 2026.
The group behind these intrusions is tracked as Screening Serpens, also known by the aliases UNC1549, Smoke Sandstorm, and Iranian Dream Job.
It has been active since at least 2022 and historically focused on Middle Eastern targets before expanding into Western Europe in late 2025. Six newly discovered RAT variants have been grouped into two malware families: a new one called MiniUpdate, and an upgraded tool called MiniJunk V2.
Analysts at Unit 42 identified these variants and assessed with moderate-high confidence that Screening Serpens is behind the operation.
Unit 42 said in a report shared with Cyber Security News (CSN) that both families are delivered through spear-phishing lures impersonating trusted brands and hiring platforms.
Victims receive fake job applications or spoofed meeting invitations crafted to look completely genuine. Once a target opens the malicious archive and runs the included file, the infection chain quietly begins while the victim sees nothing unusual on screen.
MiniUpdate RAT Uses Azure-Hosted C2 Domains
The MiniUpdate RAT is the more technically advanced of the two families and uses a technique called AppDomainManager hijacking.
By altering a legitimate configuration file, the malware instructs the .NET runtime to disable its own security features before the host application fully loads. The result is a payload running in an environment where standard security monitoring tools are already blinded.
The configuration disables Event Tracing for Windows, a key telemetry source that security software uses to detect suspicious behavior, and also bypasses digital signature checks.
The malware creates a scheduled task that fires daily at 09:30 local time, keeping it alive through system reboots. Command and control traffic routes through Azure-hosted domains assigned to each specific target, preventing any single detection point from exposing the broader infrastructure.
The March U.S. campaign delivered the RAT inside an archive disguised as airline recruitment materials, complete with fake job descriptions for senior technical roles.
The Israel campaign that same month used an archive impersonating a video conferencing installer, with a spoofed loading screen shown to the user while the malware silently deployed behind the scenes.
MiniJunk V2: Obfuscated Backdoor Targeting Tech and Defense
The MiniJunk V2 family, first spotted on February 17, 2026, takes a different approach to staying hidden. It inflates its file size to around 12 megabytes by embedding thousands of meaningless code strings from languages like Java and Python, pushing the file past the scanning limits of certain automated security tools.
This also floods analysis software with irrelevant data, making manual investigation significantly harder.
The malware uses two layers of DLL sideloading to deploy its payload and connects to five Azure-hosted command servers whose names are designed to resemble legitimate Windows service processes.
The March U.S. variant includes a hard-coded date check that prevents the RAT from activating before March 27, 2026, at 13:30 UTC, making early sandbox analysis nearly useless.
A fake “Meeting Room” window is shown to the victim to keep attention away from what is running in the background.
Security teams are advised to configure endpoint detection tools to flag DLL sideloading and AppDomainManager hijacking as high-risk behaviors, rather than relying solely on known file signatures.
Monitoring for trusted binaries that load unsigned or unrecognized modules adds an important detection layer against this type of attack.
Organizations in aerospace, defense, telecommunications, and technology should treat unsolicited job-related archives or unexpected software update prompts with strong suspicion, as these remain the group’s preferred entry points.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Domain | licencemanagers.azurewebsites[.]net | MiniJunk V2 C2 domain |
| Domain | LicenceSupporting.azurewebsites[.]net | MiniJunk V2 C2 domain |
| Domain | PeerDistSvcManagers.azurewebsites[.]net | MiniJunk V2 C2 domain |
| Domain | ThemesManagers.azurewebsites[.]net | MiniJunk V2 C2 domain |
| Domain | ThemesProviderManagers.azurewebsites[.]net | MiniJunk V2 C2 domain |
| Domain | NanoMatrix.azurewebsites[.]net | MiniJunk V2 US Campaign C2 |
| Domain | QuantumWeave.azurewebsites[.]net | MiniJunk V2 US Campaign C2 |
| Domain | ElementShift.azurewebsites[.]net | MiniJunk V2 US Campaign C2 |
| Domain | buisness-centeral.azurewebsites[.]net | MiniUpdate C2 domain |
| Domain | buisness-centeral-transportation.azurewebsites[.]net | MiniUpdate C2 domain |
| Domain | Buisness-centeral-transportation[.]com | MiniUpdate C2 domain |
| Domain | PremierHealthAdvisory[.]com | MiniUpdate UAE Campaign C2 |
| Domain | PremierHealthAdvisory.azurewebsites[.]net | MiniUpdate UAE Campaign C2 |
| Domain | Premier-HealthAdvisory.azurewebsites[.]net | MiniUpdate UAE Campaign C2 |
| Domain | Ramiltonsfinance[.]com | MiniUpdate Middle East Campaign C2 |
| Domain | Ramiltonsfinance.azurewebsites[.]net | MiniUpdate Middle East Campaign C2 |
| Domain | Ramiltons-finance.azurewebsites[.]net | MiniUpdate Middle East Campaign C2 |
| Domain | business-startup[.]org | Screening Serpens infrastructure |
| Domain | business-startup.azurewebsites[.]net | Screening Serpens infrastructure |
| Domain | docspace-y4cumb.onlyoffice[.]com | Payload delivery host (ONLYOFFICE) |
| Domain | docspace-twpf0e.onlyoffice[.]com | Payload delivery host (ONLYOFFICE) |
| URL | hxxps[:]//docspace-y4cumb.onlyoffice[.]com/storage/files/root/folder_3602000/file_3601577/v1/content.zip | MiniJunk V2 payload delivery URL |
| URL | hxxps[:]//docspace-twpf0e.onlyoffice[.]com/storage/files/root/folder_3765000/file_3764519/v1/content.zip | MiniJunk V2 US campaign delivery URL |
| URL | hxxps[:]//2117.filemail[.]com/api/file/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm | MiniUpdate Israel campaign payload URL |
| SHA256 | 44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250 | MiniUpdate US campaign – initial archive |
| SHA256 | 332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17 | MiniUpdate US campaign – Hiring Portal.zip |
| SHA256 | 0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864 | MiniUpdate US campaign – UpdateChecker.dll |
| SHA256 | 38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d | MiniUpdate Israel campaign – initial archive |
| SHA256 | d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2 | MiniUpdate Israel campaign – UpdateChecker.dll |
| SHA256 | bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad | MiniUpdate UAE/Middle East – UpdateChecker.dll |
| SHA256 | 74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27 | MiniUpdate Middle East campaign |
| SHA256 | 9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84 | MiniJunk V2 Middle East – uevmonitor.dll |
| SHA256 | b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4 | MiniJunk V2 Middle East – unbcl.dll |
| SHA256 | 8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b | MiniJunk V2 US campaign – Portable Platform.zip |
| SHA256 | 43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa | MiniJunk V2 US campaign – Connection.dll |
| SHA256 | 9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1 | MiniJunk V2 US campaign – unbcl.dll |
| File Name | UpdateChecker.dll | MiniUpdate RAT core payload |
| File Name | uevmonitor.dll | MiniJunk V2 primary loader DLL |
| File Name | Connection.dll | MiniJunk V2 US campaign RAT payload |
| File Name | Hiring Portal.zip | Lure archive used in US/Israel campaigns |
| File Name | Portable platform.zip | Lure archive used in US MiniJunk V2 campaign |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
