Iranian hackers have taken their cyberespionage playbook to a new level, deploying a sophisticated .NET hijacking technique to slip past endpoint defenses and target organizations across the United States, Israel, and the United Arab Emirates.
The campaign, attributed to an Iran-linked advanced persistent threat group operating under several known aliases, intensified following a regional conflict that began on February 28, 2026.
Security researchers have been tracking a rapid surge in activity that shows no signs of stopping. The threat group, known as Screening Serpens and also identified as UNC1549, Smoke Sandstorm, and Iranian Dream Job, has been active since at least 2022.
Historically focused on Middle Eastern targets, the group expanded into Western Europe in late 2025. Their preferred targets sit inside high-value sectors including aerospace, defense manufacturing, and telecommunications.
They reach victims through personalized social engineering, using fake job listings and spoofed meeting invitations to lure professionals into downloading malicious files.
Unit 42 researchers identified six new remote access Trojan (RAT) variants deployed between February and April 2026, grouped into two distinct malware families named MiniUpdate and MiniJunk V2.
Unit 42 said in a report shared with Cyber Security News (CSN) that the campaigns align closely with the conflict timeline, with coordinated attacks hitting entities in the U.S. and Israel in late March, followed by targets in the UAE and another Middle Eastern country in mid-April 2026.
Both malware families begin their infection chains through spear phishing. Victims receive what appears to be a recruitment portal or a video conferencing app installer.

Once they interact with the file, a silent multi-stage infection chain kicks off in the background, and the attacker quietly gains full control over the compromised machine.
AppDomainManager Hijacking
The most significant technical leap in this campaign is the use of a technique called AppDomainManager hijacking.
This method targets the initialization phase of .NET applications by modifying a legitimate configuration file, allowing malicious code to run before the host application even finishes loading. Since this happens so early, most security tools do not get a chance to detect it.
By adding a few targeted XML lines to the application’s config file, attackers instruct the .NET runtime to disable its own security features.
They turn off Event Tracing for Windows (ETW), the primary data source that modern endpoint detection and response (EDR) platforms rely on to monitor .NET activity.

They also bypass strong-name signature validation, ensuring that unsigned DLL files load without triggering security exceptions.
This approach is described as a mature living-off-the-land technique because it requires no complex shellcode or memory patching.
The attacker simply asks the system to turn off its own defenses using a file that looks entirely legitimate. The result is a payload running in a completely unmonitored, highly privileged environment with no alerts raised.
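A defender-side check for the configuration-file tampering described above, added here as an example (not Unit 42 or Cyber Security News code): it parses a .NET app.config or exe.config and flags the documented `<runtime>` elements that register an AppDomainManager or switch off CLR ETW. The sample configs are constructed, the assembly and type names are placeholders, and strong-name validation settings are not modelled.

```python
"""Scan .NET application .config text for AppDomainManager hijacking settings.
Added example, not Unit 42 or Cyber Security News code. The element names are
documented .NET Framework <runtime> settings; both sample configs are constructed."""
import xml.etree.ElementTree as ET


def scan_dotnet_config(xml_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one app.config / exe.config."""
    findings: list[tuple[str, str]] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("low", f"config does not parse as XML: {exc}")]
    for runtime in root.iter("runtime"):
        for el in runtime:
            # A custom AppDomainManager is loaded by the CLR before the host's
            # Main() runs, so any entry in a config you did not ship is a hit.
            if el.tag in ("appDomainManagerAssembly", "appDomainManagerType"):
                findings.append(("high", f"{el.tag}={el.get('value')!r}"))
            # <etwEnable enabled="false"/> silences the CLR ETW provider that
            # EDR sensors consume; treat it the same way.
            elif el.tag == "etwEnable" and el.get("enabled", "true").lower() == "false":
                findings.append(("high", "CLR ETW tracing disabled via <etwEnable>"))
    return findings


# Constructed samples, not artifacts from the campaign.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0"/></startup>
  <runtime><gcServer enabled="true"/></runtime>
</configuration>"""

HIJACKED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleManager"/>
    <appDomainManagerType value="ExampleManager.Hook"/>
    <etwEnable enabled="false"/>
  </runtime>
</configuration>"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_CONFIG), ("hijacked", HIJACKED_CONFIG)):
        print(name, scan_dotnet_config(text))
```

Run it over the .config files that sit beside signed .NET executables; a hit on a config your software deployment did not write is worth an immediate look.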
Infection Chain and Social Engineering Tactics
The MiniUpdate family was delivered through archives impersonating a global airline and a popular video conferencing platform.
One archive contained six fake job description PDFs with believable job IDs and titles such as Senior Software Engineer, targeting IT and engineering professionals.
A nested payload inside a file named Hiring Portal.zip launched a fake error window while the malware quietly installed itself.

For persistence, the malware used Windows Task Scheduler, creating a daily trigger at 09:30 local time. The MiniJunk V2 family used an older configuration method but added heavy code obfuscation and file size inflation to bypass automated scanning limits.
Command-and-control traffic was routed through Azure-hosted domains that mimicked legitimate Windows service names, making network-level detection significantly harder.
Researchers recommend that defenders tune EDR platforms specifically to flag DLL sideloading and AppDomainManager hijacking behaviors, rather than relying solely on signature-based detection.

Treating trusted, signed binaries that load unsigned modules as high-risk will help security teams catch these attacks much earlier. Organizations in aerospace, defense, and technology should stay alert to fake job offers or meeting invitations arriving through unofficial channels.
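One way to turn the recommendation above into a triage rule, added as an example rather than code from Unit 42 or any EDR vendor: it scores image-load events in which a signed host pulls in an unsigned module, with the module's and host's locations as context. The record fields mirror Sysmon Event ID 7 (ImageLoad), the weighting is this example's own heuristic, and every sample path is constructed.

```python
"""Triage rule for the guidance above: treat a signed, trusted host that loads an
unsigned module as high-risk. Added example, not Unit 42 or vendor code. Records
mirror Sysmon Event ID 7 (ImageLoad) fields; every sample path below is constructed."""
from dataclasses import dataclass

# Directories a standard user cannot write to; anything else counts as user-writable.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ImageLoad:
    image: str           # Sysmon 'Image': the host process
    image_loaded: str    # Sysmon 'ImageLoaded': the module mapped into it
    image_signed: bool   # host binary carries a valid Authenticode signature
    module_signed: bool  # Sysmon 'Signed' for the loaded module


def user_writable(path: str) -> bool:
    return not path.lower().startswith(PROTECTED_PREFIXES)


def dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def triage(ev: ImageLoad) -> tuple[str, list[str]]:
    """Return (verdict, reasons). The weighting is this example's own heuristic."""
    core = ev.image_signed and not ev.module_signed
    reasons = ["signed host loaded an unsigned module"] if core else []
    if user_writable(ev.image_loaded):
        reasons.append("module resides in a user-writable path")
    if user_writable(ev.image):
        reasons.append("host binary runs from a user-writable path")
    if dirname(ev.image) == dirname(ev.image_loaded) and user_writable(ev.image):
        reasons.append("module sits beside a relocated host (sideload-style placement)")
    # Location alone is context; the signed-host/unsigned-module pairing drives the verdict.
    if core:
        return ("high" if len(reasons) > 1 else "medium", reasons)
    return ("info" if reasons else "ignore", reasons)


# Constructed events (not from the campaign): a normal system load, then a
# legitimate signed binary dropped into a Temp folder beside an unsigned DLL.
BENIGN = ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\bcrypt.dll", True, True)
SUSPECT = ImageLoad(r"C:\Users\u\AppData\Local\Temp\Hiring Portal\signed_host.exe",
                    r"C:\Users\u\AppData\Local\Temp\Hiring Portal\UpdateChecker.dll", True, False)

if __name__ == "__main__":
    for ev in (BENIGN, SUSPECT):
        print(ev.image_loaded, "->", triage(ev))
```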
Indicators of Compromise (IoCs): the report lists C2 domains, payload URLs, SHA256 hashes, and file names for both malware families.