Escalation in Iranian Espionage: Analyzing the MiniUpdate and MiniJunk V2 Malware Families

A sophisticated espionage campaign attributed to the Iran-nexus advanced persistent threat (APT) group known as Screening Serpens (also tracked as UNC1549 or Smoke Sandstorm) has been identified targeting high-value entities in the United States, Israel, and the United Arab Emirates. Recent intelligence indicates a significant leap in the group’s technical sophistication, characterized by the deployment of a newly discovered Remote Access Trojan (RAT) family dubbed MiniUpdate.

While Screening Serpens has maintained a presence since at least 2022, their operational tempo spiked significantly during March and April 2026. Evidence of this surge is visible in recent VirusTotal uploads originating from multiple Middle Eastern and Western organizations. The group’s current toolkit consists of six distinct variants split into two primary malware families: the novel MiniUpdate and an evolved iteration of the previously documented MiniJunk V2 backdoor.

Both families utilize a consistent infection architecture: initial access via highly targeted spear-phishing followed by DLL sideloading for execution. To bolster operational resilience and prevent cross-contamination between victims, the actors employ a modular Command and Control (C2) design, dedicating unique sets of three to five Azure-hosted domains to each specific target.

Social Engineering and Delivery Vectors

The MiniUpdate malware derives its name from an internal component, UpdateChecker.dll. Delivery methods vary by target geography:

  • United States: Attackers utilized archive files masquerading as a global air carrier. These lures contained fake PDF job requisitions for senior IT and engineering positions, utilizing realistic job IDs to compel technical staff to extract a malicious Hiring Portal.zip payload.
  • Israel: The group mimicked a widely used video conferencing platform. Victims were directed to a fraudulent landing page that initiated a malicious download from a third-party file-sharing service under the guise of joining a meeting.

According to a Unit 42 report, the deployment of these six new RAT variants closely mirrors the onset of regional conflict in the Middle East in late February 2026.

In more recent April 2026 campaigns against the UAE, the actors demonstrated advanced domain impersonation, rotating C2 infrastructure to mimic the health and finance sectors using domains such as PremierHealthAdvisory.azurewebsites[.]net and Ramiltonsfinance.azurewebsites[.]net. By leveraging legitimate Azure cloud infrastructure, the attackers successfully blend their malicious traffic with standard enterprise cloud noise, complicating network-level detection.

Timeline of Screening Serpens documented activity
Timeline of Screening Serpens documented activity (Source: Unit42).

Technical Deep Dive: MiniUpdate and AppDomainManager Hijacking

The most notable technical evolution in the MiniUpdate family is the implementation of AppDomainManager hijacking. This is a specialized .NET-based technique where the attacker manipulates the application’s configuration file to intercept the initialization of the .NET Common Language Runtime (CLR).

Contents of the zip archive
Contents of the malicious zip archive (Source: Unit42).

By injecting specific XML directives into setup.exe.config, the malware forces the CLR to disable its own internal security telemetry before the host application even executes. This “living-off-the-land” approach allows the InitInstall.dll payload to run in a highly privileged, unmonitored context. Critical evasion directives include:

  • <etwenable enabled="false"/>: Disables Event Tracing for Windows (ETW), effectively blinding modern EDR solutions.
  • <bypasstrustedappstrongnames enabled="true"/>: Bypasses strong-name signature validation.
  • Disabling of publisher policy redirections.
Contents of setup.exe.config
Configuration directives within setup.exe.config (Source: Unit42).

Following the initial hijack, the execution chain proceeds in stages. The first stage establishes persistence via a Windows Task Scheduler entry (configured for 09:30 local time) and drops four files into a hidden AppData directory. The second stage performs environmental “sanity checks,” verifying that the process is running under svchost.exe; if the malware detects a sandbox or debugger, it terminates silently to avoid analysis.

The final payload communicates with three Azure C2 servers using GET requests to a /agent/poll endpoint, processing commands via Base64-decoded binary structures. While the March variants supported 16 opcodes (including UAC escalation and file exfiltration), April variants expanded this to 18, adding chunked file upload capabilities for stealthier data theft.

Interestingly, Unit 42 noted an OPSEC weakness: MiniUpdate stores C2 domains and API names in plaintext within the .rdata section, suggesting a possible rushed deployment or a lack of coordination between development cells.

MiniJunk V2: Obfuscation and Sandbox Evasion

The secondary malware family, MiniJunk V2, employs a different defensive strategy. While it shares the same DLL sideloading infection chain, it utilizes heavy Mixed Boolean-Arithmetic (MBA) and XOR obfuscation. To bypass automated sandbox analysis that relies on file-size triggers, the attackers have inflated the binary sizes to approximately 12 MB.

MiniJunk V2 uses C2 domains that mimic legitimate Windows services (e.g., licencemanagers.azurewebsites[.]net) and employs a spoofed Microsoft Edge User-Agent to mask its traffic. Some variants also include a “time bomb” mechanism—a hard-coded date-based validity check that prevents execution before a specific UTC timestamp to evade pre-deployment security screenings.

Defensive Recommendations

Defenders should shift from signature-based detection toward behavioral analysis. Specifically, EDR/XDR platforms should be tuned to alert on:

  • AppDomainManager hijacking and suspicious XML modifications to .config files.
  • DLL sideloading where trusted, signed binaries load unexpected or unsigned modules.
  • Anomalous outbound traffic to Azure-hosted subdomains that impersonate industry-specific organizations.

Organizations in the aerospace, defense, telecommunications, and technology sectors should remain on high alert, as Screening Serpens’ activity indicates a sustained and adaptive campaign.

Indicators of Compromise (IoCs)

Domains URLs
licencemanagers.azurewebsites[.]net hxxps[:]//docspace-y4cumb.onlyoffice[.]com/storage/files/root/folder_3602000/file_3601577/v1/content.zip[…]
LicenceSupporting.azurewebsites[.]net hxxps[:]//app[redacted][.]live/meeting/edcdba624ddb43c2a1dcf334aa493068
PeerDistSvcManagers.azurewebsites[.]net hxxps[:]//docspace-twpf0e.onlyoffice[.]com/storage/files/root/folder_3765000/file_3764519/v1/content.zip?filename=remote.[REDACTED].zip
ThemesManagers.azurewebsites[.]net hxxps[:]//2117.filemail[.]com/api/file/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm
ThemesProviderManagers.azurewebsites[.]net
docspace-y4cumb.onlyoffice[.]com
NanoMatrix.azurewebsites[.]net
QuantumWeave.azurewebsites[.]net
ElementShift.azurewebsites[.]net
business-startup[.]org
PremierHealthAdvisory.azurewebsites[.]net
Ramiltonsfinance.azurewebsites[.]neti

Note: Domains and IPs are defanged (e.g., [.]) for safety. Re-fang only within secure threat intelligence platforms like MISP or your SIEM.

Related Articles

Back to top button