{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/minijunk/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Nimbus Manticore"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Setup.exe","OnlyOffice","Zoom Installer","MiniJunk"],"_cs_severities":["high"],"_cs_tags":["nimbus-manticore","irgc","appdomain-hijacking","seo-poisoning","minijunk","minifast","infostealer"],"_cs_type":"threat","_cs_vendors":["Microsoft","OnlyOffice","Accenture","Zoom"],"content_html":"\u003cp\u003eNimbus Manticore (UNC1549), an Iranian IRGC-affiliated threat actor, resurfaced during Operation Epic Fury in February 2026, targeting the defense, aviation, and telecommunication sectors. The actor employed new techniques, including AppDomain Hijacking, AI-assisted malware development for its MiniFast backdoor, and SEO poisoning, demonstrating enhanced capabilities. The campaign used phishing lures impersonating organizations in the aviation and software sectors across the United States, Europe, and the Middle East. The actor also abused a Zoom installer\u0026rsquo;s execution flow to stage a time-sensitive infection chain, blending malicious activity with legitimate system processes. 
This resurgence indicates the actor\u0026rsquo;s rapid adaptation and operational availability during periods of geopolitical tension.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Spear-phishing emails are sent to employees in the aviation and software sectors with fake career opportunities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLure Delivery:\u003c/strong\u003e Victims are directed to download a ZIP archive hosted on platforms like OnlyOffice.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAppDomain Hijacking:\u003c/strong\u003e The ZIP file contains a benign .NET \u003ccode\u003eSetup.exe\u003c/code\u003e, a malicious \u003ccode\u003eSetup.exe.config\u003c/code\u003e whose \u003ccode\u003e\u0026lt;runtime\u0026gt;\u003c/code\u003e section registers \u003ccode\u003euevmonitor.dll\u003c/code\u003e (the first-stage dropper) as the AppDomainManager assembly, and a benign \u003ccode\u003eInterop.TaskScheduler.dll\u003c/code\u003e. Because the CLR honours a config file placed beside the executable, the benign binary itself is never modified.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFirst Stage Execution:\u003c/strong\u003e Executing \u003ccode\u003eSetup.exe\u003c/code\u003e makes the CLR load \u003ccode\u003euevmonitor.dll\u003c/code\u003e before the application entry point runs; the dropper then extracts and deploys the next-stage payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMiniJunk Deployment:\u003c/strong\u003e The dropper writes files into \u003ccode\u003eC:\\Users\\\u0026lt;USER\u0026gt;\\AppData\\Local\\Packages\\\u003c/code\u003e, including a legitimate executable used for DLL sideloading and a malicious DLL identified as a new version of the MiniJunk backdoor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eZoom Installer Abuse:\u003c/strong\u003e A malicious DLL is sideloaded by a legitimate Zoom installer, so the attacker code runs inside a trusted installer process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMiniFast Backdoor Installation:\u003c/strong\u003e The new MiniFast backdoor is installed, providing remote access and control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence and Data 
Exfiltration:\u003c/strong\u003e The MiniFast backdoor establishes persistence and begins exfiltrating data from the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Nimbus Manticore campaign targeted organizations in the aviation and software sectors across the United States, Europe, and the Middle East. Successful exploitation leads to the installation of the MiniFast backdoor, enabling data exfiltration and potential disruption of operations. This can compromise sensitive information, intellectual property, and critical infrastructure within the targeted sectors. The actor\u0026rsquo;s enhanced capabilities, including AI-assisted malware development, allow for rapid adaptation and increased operational effectiveness during periods of conflict.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor image-load events (Sysmon Event ID 7) for \u003ccode\u003eSetup.exe\u003c/code\u003e loading DLLs from user-writable locations, specifically \u003ccode\u003euevmonitor.dll\u003c/code\u003e, to detect AppDomain Hijacking (see Sigma rule \u003ccode\u003eDetect AppDomain Hijacking via Setup.exe\u003c/code\u003e). A \u003ccode\u003eSetup.exe.config\u003c/code\u003e that names an AppDomainManager assembly is the on-disk indicator of the same technique.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring for connections to known malicious domains associated with Nimbus Manticore, such as those listed in the referenced Check Point report.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon logging for process creation (Event ID 1), image load (Event ID 7) and file creation (Event ID 11) to capture the full attack chain, including the execution of \u003ccode\u003eSetup.exe\u003c/code\u003e and the creation of files in the \u003ccode\u003eC:\\Users\\\u0026lt;USER\u0026gt;\\AppData\\Local\\Packages\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect MiniJunk File Creation\u003c/code\u003e to identify executables and DLLs written to the user\u0026rsquo;s AppData\\Local\\Packages directory. That directory legitimately holds per-user state for packaged (Store/MSIX) apps, so baseline it before alerting; a freshly written executable plus DLL pair dropped there by an ordinary user process is indicative 
of MiniJunk deployment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-22T15:18:05Z","date_published":"2026-05-22T15:18:05Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nimbus-manticore/","summary":"Nimbus Manticore, an Iranian IRGC-affiliated threat actor, resurfaced during Operation Epic Fury, employing AppDomain Hijacking, SEO poisoning, and a new MiniFast backdoor while targeting the aviation and software sectors.","title":"Nimbus Manticore Resurfaces During Operation Epic Fury with New Techniques","url":"https://feed.craftedsignal.io/briefs/2026-05-nimbus-manticore/"},{"_cs_actors":["Screening Serpens"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MiniUpdate","MiniJunk","Windows"],"_cs_severities":["high"],"_cs_tags":["Screening Serpens","APT","Iran","RAT","MiniUpdate","MiniJunk","DLL Sideloading","AppDomainManager","Cyberespionage"],"_cs_type":"threat","_cs_vendors":["Microsoft","Azure"],"content_html":"\u003cp\u003eUnit 42 researchers observed cyberattacks by Screening Serpens, an Iran-nexus APT group, targeting entities in the U.S., Israel, and the UAE, as well as two additional Middle Eastern entities, between February and April 2026. The group deployed six new remote access Trojan (RAT) variants, categorized into the MiniUpdate and MiniJunk V2 malware families. Screening Serpens primarily targets technology sector professionals, using tailored social engineering lures that impersonate trusted brands and hiring platforms. The most critical evolution in the group’s recent campaign uses a technique called AppDomainManager hijacking. These campaigns align closely with the regional conflict that started in the Middle East on Feb. 
28, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attack begins with highly tailored spear-phishing emails impersonating trusted brands and hiring platforms, specifically targeting technical personnel. These emails contain a ZIP archive (e.g., initial archive file 44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250), often mimicking legitimate corporate job applications by including specific job IDs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery:\u003c/strong\u003e The ZIP archive contains a nested payload archive (e.g., Hiring Portal.zip hash 332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17) packaged alongside PDF documents. These PDFs are crafted job requisitions targeting high-level IT and engineering roles.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The target is tricked into extracting the nested archive, believing they are accessing an application portal or a technical assessment. Once extracted, a legitimate executable in the archive sideloads an attacker-supplied DLL placed beside it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAppDomainManager Hijacking:\u003c/strong\u003e The attackers employ AppDomainManager hijacking. This technique abuses the .NET runtime’s start-up sequence: a legitimate, documented configuration file (the application’s .exe.config) names an attacker-supplied assembly as the AppDomainManager, so the CLR loads and executes that assembly inside the trusted host process before the application’s own code runs, without modifying the signed executable.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Deployment:\u003c/strong\u003e The multi-functional RATs (MiniUpdate or MiniJunk V2) therefore run under the identity of a trusted application, bypassing controls that trust the host binary. 
For example, UpdateChecker.dll (0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864) is deployed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The RAT establishes command and control (C2) communication with attacker-controlled infrastructure (e.g., themesmanangers.azurewebsites[.]net) over HTTP/HTTPS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The RAT exfiltrates sensitive information from the compromised system. The MiniUpdate variant, in particular, has the ability to exfiltrate files in chunks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEspionage:\u003c/strong\u003e The attacker gains access to sensitive information, enabling cyberespionage aligned with Iranian intelligence objectives, particularly targeting aerospace, defense manufacturing, and telecommunications organizations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eScreening Serpens\u0026rsquo; campaigns targeted entities in the U.S., Israel, and the UAE, as well as two additional Middle Eastern entities, potentially compromising sensitive data and intellectual property. The targeted sectors include aerospace, defense manufacturing, and telecommunications. If successful, these attacks can lead to significant financial losses, reputational damage, and the compromise of national security interests. 
The campaigns affected organizations in multiple countries and highlight the increasing technical capabilities and operational resilience of Screening Serpens.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the C2 domains listed in the IOC table at the DNS resolver to prevent communication with attacker infrastructure.\u003c/li\u003e\n\u003cli\u003eMonitor image-load events (Sysmon Event ID 7) for DLL sideloading activity, especially DLLs loaded from unusual locations (e.g., user profiles), to identify potential MiniUpdate/MiniJunk infections. Deploy the Sigma rule \u003ccode\u003eDetects MiniUpdate RAT Deployment via DLL Sideloading\u003c/code\u003e to identify DLL sideloading.\u003c/li\u003e\n\u003cli\u003eHunt for \u003ccode\u003e.exe.config\u003c/code\u003e files that declare \u003ccode\u003eappDomainManagerAssembly\u003c/code\u003e or \u003ccode\u003eappDomainManagerType\u003c/code\u003e under \u003ccode\u003e\u0026lt;runtime\u0026gt;\u003c/code\u003e, and for the \u003ccode\u003eAPPDOMAIN_MANAGER_ASM\u003c/code\u003e and \u003ccode\u003eAPPDOMAIN_MANAGER_TYPE\u003c/code\u003e environment variables on .NET processes; corroborate with Sysmon image-load events (Event ID 7) showing an unsigned DLL loaded from a user-writable path into a .NET executable. These are the observable traces of AppDomainManager hijacking.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Azure Subdomain\u003c/code\u003e to surface connections to \u003ccode\u003eazurewebsites.net\u003c/code\u003e hosts. Because that domain also carries large volumes of legitimate traffic, alert on first-seen subdomains and review them rather than blocking the parent domain outright.\u003c/li\u003e\n\u003cli\u003eImplement robust email security controls and user awareness training to prevent successful spear-phishing attacks, especially those impersonating trusted brands and job opportunities.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for processes communicating with the listed URLs in the IOC table to identify potential malicious network activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-22T13:09:06Z","date_published":"2026-05-22T13:09:06Z","id":"https://feed.craftedsignal.io/briefs/2026-05-screening-serpens/","summary":"The Iranian APT group Screening Serpens targeted the tech and defense sectors in the U.S., Israel, and the UAE between February and April 2026, deploying six new RAT variants from the MiniUpdate and MiniJunk V2 malware families, using tailored social engineering lures and AppDomainManager hijacking.","title":"Screening Serpens APT Targets Tech and Defense Sectors with New 
RATs","url":"https://feed.craftedsignal.io/briefs/2026-05-screening-serpens/"}],"language":"en","title":"CraftedSignal Threat Feed — MiniJunk","version":"https://jsonfeed.org/version/1.1"}
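Both briefs in this feed describe the same AppDomainManager hijacking mechanism: the .NET runtime reads `appDomainManagerAssembly` and `appDomainManagerType` from the application's `.exe.config` (or from the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables) and loads that assembly into the host process before the application's own code runs. The Python hunt script below is an added example, not CraftedSignal, Check Point or Unit 42 code and not the actors' tooling. It walks a directory, flags every `.exe.config` that declares an AppDomainManager, and checks whether the host executable and the named DLL are staged beside it, the layout the Nimbus Manticore brief describes (`Setup.exe`, `Setup.exe.config`, `uevmonitor.dll`). The sample directory, the type name `UevMonitor.Manager`, and all file contents are constructed for the example.

```python
"""Hunt for AppDomainManager hijacking staging on disk and in process environments.

Added example for the CraftedSignal briefs above; not vendor code and not actor tooling.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The CLR also honours these environment variables, which select an AppDomainManager
# with no config file at all; check them in process-environment telemetry.
APPDOMAIN_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


@dataclass
class Finding:
    config_path: str             # the .exe.config declaring the manager
    assembly: Optional[str]      # appDomainManagerAssembly value (assembly display name)
    manager_type: Optional[str]  # appDomainManagerType value
    host_exe_present: bool       # matching .exe found beside the config
    staged_dll: Optional[str]    # DLL matching the assembly name, if staged beside the host


def parse_appdomain_manager(config_path: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (assembly, type) from <configuration><runtime>, or (None, None).

    Both settings live in a 'value' attribute, which is how the CLR reads them.
    Unparseable XML is treated as no declaration.
    """
    try:
        runtime = ET.parse(config_path).getroot().find("runtime")
    except ET.ParseError:
        return None, None
    if runtime is None:
        return None, None
    asm_el = runtime.find("appDomainManagerAssembly")
    type_el = runtime.find("appDomainManagerType")
    return (asm_el.get("value") if asm_el is not None else None,
            type_el.get("value") if type_el is not None else None)


def scan_directory(root_dir: str) -> List[Finding]:
    """Report every .exe.config under root_dir that registers an AppDomainManager."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root_dir):
        by_lower: Dict[str, str] = {f.lower(): f for f in files}
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            cfg = os.path.join(dirpath, name)
            asm, typ = parse_appdomain_manager(cfg)
            if asm is None and typ is None:
                continue
            host_exe = name[: -len(".config")].lower()
            staged = None
            if asm:
                # "uevmonitor, Version=1.0.0.0, ..." -> uevmonitor.dll next to the host
                dll_name = asm.split(",")[0].strip().lower() + ".dll"
                if dll_name in by_lower:
                    staged = os.path.join(dirpath, by_lower[dll_name])
            findings.append(Finding(cfg, asm, typ, host_exe in by_lower, staged))
    return findings


def env_hijack_indicators(environ: Dict[str, str]) -> Dict[str, str]:
    """Return any AppDomainManager environment variables set in a process environment."""
    return {k: environ[k] for k in APPDOMAIN_ENV_VARS if k in environ}


# Constructed sample directory mirroring the Nimbus Manticore archive layout
# (Setup.exe, Setup.exe.config, uevmonitor.dll, Interop.TaskScheduler.dll) plus a
# benign app whose config only pins a runtime. Type name and file bytes are invented.
MALICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="uevmonitor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UevMonitor.Manager" />
  </runtime>
</configuration>
"""
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def build_sample_dir() -> str:
    base = tempfile.mkdtemp(prefix="appdomain_hunt_")
    for name, data in [("Setup.exe", b"MZ"), ("Setup.exe.config", MALICIOUS_CONFIG.encode()),
                       ("uevmonitor.dll", b"MZ"), ("Interop.TaskScheduler.dll", b"MZ"),
                       ("Benign.exe", b"MZ"), ("Benign.exe.config", BENIGN_CONFIG.encode())]:
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(data)
    return base


if __name__ == "__main__":
    for finding in scan_directory(build_sample_dir()):
        print(finding)
    print(env_hijack_indicators({"APPDOMAIN_MANAGER_ASM": "uevmonitor", "PATH": "C:\\Windows"}))
```

Point `scan_directory` at extracted phishing archives or at user-writable paths such as Downloads and the Packages directory named in the Nimbus Manticore brief; a config that names a manager assembly is rare in legitimate software, and one whose named DLL sits unsigned beside the host is the staging pattern both briefs describe. `env_hijack_indicators` is meant for process-environment data from EDR or Sysmon, since the environment-variable route leaves no config file behind.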