https://feed.craftedsignal.io/products/minijunk/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 22 May 2026 15:18:05 +0000https://feed.craftedsignal.io/briefs/2026-05-nimbus-manticore/Fri, 22 May 2026 15:18:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-nimbus-manticore/Nimbus Manticore, an Iranian IRGC-affiliated threat actor, resurfaced during Operation Epic Fury, employing AppDomain Hijacking, SEO poisoning, and a new MiniFast backdoor while targeting the aviation and software sectors.Nimbus Manticore (UNC1549), an Iranian IRGC-affiliated threat actor, resurfaced during Operation Epic Fury in February 2026, targeting the defense, aviation, and telecommunication sectors. The actor employed new techniques, including AppDomain Hijacking, AI-assisted malware development for its MiniFast backdoor, and SEO poisoning, demonstrating enhanced capabilities. The campaign used phishing lures impersonating organizations in the aviation and software sectors across the United States, Europe, and the Middle East. The actor also abused a Zoom installer’s execution flow to stage a time-sensitive infection chain, blending malicious activity with legitimate system processes. This resurgence indicates the actor’s rapid adaptation and operational availability during periods of geopolitical tension.

Attack Chain

1. Initial Access: Spear-phishing emails are sent to employees in the aviation and software sectors with fake career opportunities.
2. Lure Delivery: Victims are directed to download a ZIP archive hosted on platforms like OnlyOffice.
3. AppDomain Hijacking: The ZIP file contains a benign Setup.exe, a malicious Setup.exe.config file that hijacks the application domain, uevmonitor.dll (first-stage dropper), and a benign Interop.TaskScheduler.dll.
4. First Stage Execution: Executing Setup.exe loads uevmonitor.dll, which extracts and deploys the next-stage payload.
5. MiniJunk Deployment: The dropper writes files into C:\Users\<USER>\AppData\Local\Packages\, including a legitimate executable for DLL sideloading and a malicious DLL identified as a new version of the MiniJunk backdoor.
6. Zoom Installer Abuse: A malicious DLL is sideloaded into a legitimate Zoom installer to execute code.
7. MiniFast Backdoor Installation: The new MiniFast backdoor is installed, providing remote access and control.
8. Persistence and Data Exfiltration: The MiniFast backdoor establishes persistence and begins exfiltrating data from the compromised system.

Impact

The Nimbus Manticore campaign targeted organizations in the aviation and software sectors across the United States, Europe, and the Middle East. Successful exploitation leads to the installation of the MiniFast backdoor, enabling data exfiltration and potential disruption of operations. This can compromise sensitive information, intellectual property, and critical infrastructure within the targeted sectors. The actor’s enhanced capabilities, including AI-assisted malware development, allow for rapid adaptation and increased operational effectiveness during periods of conflict.

Recommendation

• Monitor process creation events for Setup.exe loading DLLs from unusual locations, specifically uevmonitor.dll, to detect AppDomain Hijacking (see Sigma rule Detect AppDomain Hijacking via Setup.exe).
• Implement network monitoring for connections to known malicious domains associated with Nimbus Manticore, such as those listed in the referenced Checkpoint report.
• Enable Sysmon logging for process creation and file creation events to capture the full attack chain, including the execution of Setup.exe and the creation of files in the C:\Users\<USER>\AppData\Local\Packages\ directory.
• Deploy the Sigma rule Detect MiniJunk File Creation to identify files written to the user’s AppData\Local\Packages directory, which is indicative of MiniJunk deployment.

]]>highthreatnimbus-manticoreirgcappdomain-hijackingseo-poisoningminijunkminifastinfostealerhttps://feed.craftedsignal.io/briefs/2026-05-screening-serpens/Fri, 22 May 2026 13:09:06 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-screening-serpens/The Iranian APT group Screening Serpens targeted the tech and defense sectors in the U.S., Israel, and the UAE between February and April 2026, deploying six new RAT variants from the MiniUpdate and MiniJunk V2 malware families, using tailored social engineering lures and AppDomainManager hijacking.Unit 42 researchers observed cyberattacks by Screening Serpens, an Iran-nexus APT group, targeting entities in the U.S., Israel, and the UAE, as well as two additional Middle Eastern entities, between February and April 2026. The group deployed six new remote access Trojan (RAT) variants, categorized into the MiniUpdate and MiniJunk V2 malware families. Screening Serpens primarily targets technology sector professionals, using tailored social engineering lures that impersonate trusted brands and hiring platforms. The most critical evolution in the group’s recent campaign uses a technique called AppDomainManager hijacking. These campaigns align closely with the regional conflict that started in the Middle East on Feb. 28, 2026.

Attack Chain

1. Initial Access: The attack begins with highly tailored spear-phishing emails impersonating trusted brands and hiring platforms, specifically targeting technical personnel. These emails contain a ZIP archive (e.g., initial archive file 44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250), often mimicking legitimate corporate job applications by including specific job IDs.
2. Delivery: The ZIP archive contains a nested payload archive (e.g., Hiring Portal.zip hash 332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17) packaged alongside PDF documents. These PDFs are crafted job requisitions targeting high-level IT and engineering roles.
3. Execution: The target is tricked into extracting the nested archive, believing they are accessing an application portal or a technical assessment. DLL sideloading is used for execution within the extracted files.
4. AppDomainManager Hijacking: The attackers employ AppDomainManager hijacking. This technique manipulates the initialization phase of .NET applications to proactively disable the application’s own security mechanisms via a legitimate configuration file.
5. Payload Deployment: The disabled security in these apps leaves the targeted entities vulnerable to the deployed multi-functional RATs (MiniUpdate or MiniJunk V2). For example, UpdateChecker.dll (0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864) is deployed.
6. Command and Control: The RAT establishes command and control (C2) communication with attacker-controlled infrastructure (e.g., themesmanangers.azurewebsites[.]net) over HTTP/HTTPS.
7. Data Exfiltration: The RAT exfiltrates sensitive information from the compromised system. The MiniUpdate variant, in particular, has the ability to exfiltrate files in chunks.
8. Espionage: The attacker gains access to sensitive information, enabling cyberespionage aligned with Iranian intelligence objectives, particularly targeting aerospace, defense manufacturing, and telecommunications organizations.

Impact

Screening Serpens’ campaigns targeted entities in the U.S., Israel, and the UAE, as well as two additional Middle Eastern entities, potentially compromising sensitive data and intellectual property. The targeted sectors include aerospace, defense manufacturing, and telecommunications. If successful, these attacks can lead to significant financial losses, reputational damage, and the compromise of national security interests. The campaigns affected organizations in multiple countries and highlight the increasing technical capabilities and operational resilience of Screening Serpens.

Recommendation

• Block the C2 domains listed in the IOC table at the DNS resolver to prevent communication with attacker infrastructure.
• Monitor process creation events for DLL sideloading activity, especially from unusual locations (e.g., user profiles) to identify potential MiniUpdate/MiniJunk infections. Deploy the Sigma rule Detects MiniUpdate RAT Deployment via DLL Sideloading to identify DLL sideloading.
• Enable enhanced .NET security logging to detect AppDomainManager hijacking attempts.
• Deploy the Sigma rule Detect Suspicious Azure Subdomain to detect use of azurewebsites domains that may be malicious.
• Implement robust email security controls and user awareness training to prevent successful spear-phishing attacks, especially those impersonating trusted brands and job opportunities.
• Monitor network connections for processes communicating with the listed URLs in the IOC table to identify potential malicious network activity.

]]>highthreatScreening SerpensAPTIranRATMiniUpdateMiniJunkDLL SideloadingAppDomainManagerCyberespionage