Turning Off the Cameras: How an Iran-Linked APT is Silencing .NET Telemetry Before It Starts

The threat landscape is shifting from simple payload delivery to sophisticated runtime manipulation. Recent intelligence highlights a significant escalation in tradecraft by Screening Serpens (also known as UNC1549 or Smoke Sandstorm), an Iran-nexus advanced persistent threat (APT) group. Instead of attempting to bypass security tools through brute-force methods, the group is now weaponizing the legitimate startup logic of the .NET framework to dismantle defensive telemetry before it can even begin recording.

By utilizing AppDomainManager hijacking, these actors are effectively turning off the “security cameras” (telemetry) of an endpoint, allowing malicious code to execute in a blind spot created within the application’s own lifecycle.

Timeline of Screening Serpens documented activity
Timeline of Screening Serpens documented activity (Source: Unit 42).

According to a detailed report by Unit 42, the campaign relies on a multi-stage execution chain involving highly tailored social engineering, DLL sideloading, and staged Remote Access Trojans (RATs).

The Technical Mechanics: Hijacking the Startup Process

The attack begins with a precision-engineered social engineering phase. Attackers pose as recruiters or job portals, utilizing legitimate-looking job IDs to entice victims into downloading “Hiring Portal” archives. Once a user executes the trusted binary within the archive, the actual exploitation begins.

The crux of this evasion technique lies in the use of a weaponized configuration file (e.g., update.exe.config). By manipulating the .NET configuration, the attackers hijack the AppDomainManager. This allows them to inject attacker-controlled code during the initial assembly loading process.

Why this is devastating for defenders: This hijack occurs during the application’s initialization phase—pre-execution of the primary malicious logic. In the observed samples, the malicious configuration is used to:

  • Disable Event Tracing for Windows (ETW): ETW is the primary telemetry source used by modern Endpoint Detection and Response (EDR) tools to monitor .NET behavior.
  • Bypass Strong-Name Validation: This prevents the runtime from verifying the authenticity of the loaded assemblies.
  • Block Assembly Redirection: This limits the ability of security tools to intercept and inspect redirected code execution.

By utilizing legitimate .NET configuration settings to disable these features, the attackers avoid “noisy” behaviors like memory patching or API hooking, which are frequently flagged by behavioral analysis engines.

Contents of Hiring Portal.zip
Contents of Hiring Portal.zip (Source: Unit 42).

Post-Exploitation and Persistence

Once the environment is silenced, the loader drops secondary payloads into the user’s AppData directory and establishes persistence via scheduled tasks. To maintain a veneer of legitimacy, the malware often displays a fake installer window, tricking the user into believing a standard software update is occurring while the second stage initializes in the background.

The final payload is a highly capable, multi-functional RAT designed for stealthy command-and-control (C2). It features:

  • Chunked file uploading to evade network traffic inspection.
  • The ability to manipulate local processes and execute arbitrary commands.
  • Use of rotating Azure-hosted domains and legitimate browser User-Agents to blend into standard web traffic.
MiniUpdate malware flow
MiniUpdate malware flow (Source: Unit 42).

Defensive Recommendations

This campaign marks a clear transition from traditional malware delivery to a pre-execution defense evasion model. Defenders can no longer rely solely on signature-based detection; the focus must shift to runtime integrity and configuration monitoring.

Security teams should prioritize the following:

  • Monitor Configuration Changes: Alert on unexpected modifications to .config files, particularly those targeting .NET runtime settings.
  • Audit AppDomain Settings: Watch for unusual AppDomainManager declarations in application manifests.
  • Detect Suspicious Loading: Monitor for trusted executables loading unexpected assemblies from user-writable paths (e.g., %AppData%).
  • Behavioral Hunting: Hunt for processes that attempt to disable ETW providers or show signs of “silent” startup.

Indicators of Compromise (IoCs)

Note: All domains and URLs have been defanged for safety. Re-fang only within secure, controlled environments (e.g., SIEM, MISP).

Domains

# Domain
1 licencemanagers.azurewebsites[.]net
2 LicenceSupporting.azurewebsites[.]net
3 PeerDistSvcManagers.azurewebsites[.]net
4 ThemesManagers.azurewebsites[.]net
5 ThemesProviderManagers.azurewebsites[.]net
6 docspace-y4cumb.onlyoffice[.]com
7 NanoMatrix.azurewebsites[.]net
8 QuantumWeave.azurewebsites[.]net
9 ElementShift.azurewebsites[.]net
10 business-startup[.]org
11 business-startup.azurewebsites[.]net
12 Businessstartup.azurewebsites[.]net
13 app[redacted][.]live
14 buisness-centeral.azurewebsites[.]net
15 buisness-centeral-transportation.azurewebsites[.]net
16 Buisness-centeral-transportation[.]com
17 docspace-twpf0e.onlyoffice[.]com
18 PremierHealthAdvisory[.]com
19 PremierHealthAdvisory.azurewebsites[.]net
20 Premier-HealthAdvisory.azurewebsites[.]net
21 Ramiltonsfinance[.]com
22 Ramiltonsfinance.azurewebsites[.]neti
23 Ramiltons-finance.azurewebsites[.]net

URLs

# URL
1 hxxps[:]//docspace-y4cumb.onlyoffice[.]com/storage/files/root/folder_3602000/file_3601577/v1/content.zip[…]
2 hxxps[:]//app[redacted][.]live/meeting/edcdba624ddb43c2a1dcf334aa493068
3 hxxps[:]//docspace-twpf0e.onlyoffice[.]com/storage/files/root/folder_3765000/file_3764519/v1/content.zip?filename=remote.[REDACTED].zip
4 hxxps[:]//2117.filemail[.]com/api/file/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm

Related Articles

Back to top button