{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/miniupdate/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Screening Serpens"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MiniUpdate","MiniJunk","Windows"],"_cs_severities":["high"],"_cs_tags":["Screening Serpens","APT","Iran","RAT","MiniUpdate","MiniJunk","DLL Sideloading","AppDomainManager","Cyberespionage"],"_cs_type":"threat","_cs_vendors":["Microsoft","Azure"],"content_html":"\u003cp\u003eUnit 42 researchers observed cyberattacks by Screening Serpens, an Iran-nexus APT group, targeting entities in the U.S., Israel, and the UAE, as well as two additional Middle Eastern entities, between February and April 2026. The group deployed six new remote access Trojan (RAT) variants, categorized into the MiniUpdate and MiniJunk V2 malware families. Screening Serpens primarily targets technology sector professionals, using tailored social engineering lures that impersonate trusted brands and hiring platforms. The most critical evolution in the group’s recent campaign uses a technique called AppDomainManager hijacking. These campaigns align closely with the regional conflict that started in the Middle East on Feb. 28, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attack begins with highly tailored spear-phishing emails impersonating trusted brands and hiring platforms, specifically targeting technical personnel. These emails contain a ZIP archive (e.g., initial archive file 44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250), often mimicking legitimate corporate job applications by including specific job IDs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery:\u003c/strong\u003e The ZIP archive contains a nested payload archive (e.g., Hiring Portal.zip hash 332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17) packaged alongside PDF documents. These PDFs are crafted job requisitions targeting high-level IT and engineering roles.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The target is tricked into extracting the nested archive, believing they are accessing an application portal or a technical assessment. DLL sideloading is used for execution within the extracted files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAppDomainManager Hijacking:\u003c/strong\u003e The attackers employ AppDomainManager hijacking. This technique manipulates the initialization phase of .NET applications to proactively disable the application’s own security mechanisms via a legitimate configuration file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Deployment:\u003c/strong\u003e The disabled security in these apps leaves the targeted entities vulnerable to the deployed multi-functional RATs (MiniUpdate or MiniJunk V2). For example, UpdateChecker.dll (0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864) is deployed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The RAT establishes command and control (C2) communication with attacker-controlled infrastructure (e.g., themesmanangers.azurewebsites[.]net) over HTTP/HTTPS.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The RAT exfiltrates sensitive information from the compromised system. The MiniUpdate variant, in particular, has the ability to exfiltrate files in chunks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEspionage:\u003c/strong\u003e The attacker gains access to sensitive information, enabling cyberespionage aligned with Iranian intelligence objectives, particularly targeting aerospace, defense manufacturing, and telecommunications organizations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eScreening Serpens\u0026rsquo; campaigns targeted entities in the U.S., Israel, and the UAE, as well as two additional Middle Eastern entities, potentially compromising sensitive data and intellectual property. The targeted sectors include aerospace, defense manufacturing, and telecommunications. If successful, these attacks can lead to significant financial losses, reputational damage, and the compromise of national security interests. The campaigns affected organizations in multiple countries and highlight the increasing technical capabilities and operational resilience of Screening Serpens.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the C2 domains listed in the IOC table at the DNS resolver to prevent communication with attacker infrastructure.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for DLL sideloading activity, especially from unusual locations (e.g., user profiles) to identify potential MiniUpdate/MiniJunk infections. Deploy the Sigma rule \u003ccode\u003eDetects MiniUpdate RAT Deployment via DLL Sideloading\u003c/code\u003e to identify DLL sideloading.\u003c/li\u003e\n\u003cli\u003eEnable enhanced .NET security logging to detect AppDomainManager hijacking attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Azure Subdomain\u003c/code\u003e to detect use of azurewebsites domains that may be malicious.\u003c/li\u003e\n\u003cli\u003eImplement robust email security controls and user awareness training to prevent successful spear-phishing attacks, especially those impersonating trusted brands and job opportunities.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for processes communicating with the listed URLs in the IOC table to identify potential malicious network activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-22T13:09:06Z","date_published":"2026-05-22T13:09:06Z","id":"https://feed.craftedsignal.io/briefs/2026-05-screening-serpens/","summary":"The Iranian APT group Screening Serpens targeted the tech and defense sectors in the U.S., Israel, and the UAE between February and April 2026, deploying six new RAT variants from the MiniUpdate and MiniJunk V2 malware families, using tailored social engineering lures and AppDomainManager hijacking.","title":"Screening Serpens APT Targets Tech and Defense Sectors with New RATs","url":"https://feed.craftedsignal.io/briefs/2026-05-screening-serpens/"}],"language":"en","title":"CraftedSignal Threat Feed — MiniUpdate","version":"https://jsonfeed.org/version/1.1"}