
Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

Unit 42 identified an active cyberespionage campaign by the Iran-nexus APT group Screening Serpens, targeting entities in the U.S., Israel, and the Middle East. The threat actor deployed two new RAT families, MiniUpdate and MiniJunk V2, utilizing advanced AppDomainManager hijacking and DLL sideloading to evade native .NET security mechanisms like ETW. The attacks rely on highly tailored social engineering lures, such as fake job portals and video conferencing updates, to initiate the infection chain and establish persistent command and control.

Sens: Immediate | Conf: high | Analyzed: 2026-05-22

Authors: Unit 42

Actors / tags: Screening Serpens, UNC1549, Smoke Sandstorm, Iranian Dream Job, MiniUpdate, MiniJunk V2

Source: Palo Alto Networks

IOCs: 40

What Happened

Hackers linked to Iran have been conducting cyberespionage campaigns using fake job offers and video meeting links to deliver malicious software. Technology professionals in the U.S., Israel, and the Middle East are primarily affected by these targeted attacks. This matters because the attackers use advanced methods to turn off a computer's built-in security monitoring, allowing them to steal sensitive data undetected. Organizations should train employees to be cautious of unsolicited job offers and verify the authenticity of meeting links before downloading any required software.

Key Takeaways

  • Screening Serpens deployed two new RAT families (MiniUpdate and MiniJunk V2) between February and April 2026.
  • The group utilizes highly tailored social engineering, including fake job requisitions and spoofed video conferencing links.
  • Attackers evolved their tradecraft to include AppDomainManager hijacking, manipulating .NET configuration files to proactively disable ETW and strong name validation.
  • Malware payloads are heavily obfuscated or padded (up to 12MB) and use decoy UIs to mask background execution.
  • Persistence is consistently established via Scheduled Tasks, triggering renamed legitimate Microsoft binaries to sideload malicious DLLs.

Affected Systems

  • Windows OS
  • .NET Framework

Attack Chain

The attack begins with highly tailored spear-phishing lures delivering malicious ZIP archives disguised as job portals or video conferencing installers. The archive pairs a legitimate .NET setup binary with a crafted application configuration file placed beside it; when the binary runs, the CLR honours that file's runtime directives, loading the attacker's assembly as the AppDomainManager before the application's own code executes and switching off ETW and strong name validation for the process. The malicious loader DLL then drops secondary payloads and establishes persistence via a Scheduled Task. That task later launches another legitimate binary to sideload the final RAT payload (MiniUpdate or MiniJunk V2), which communicates with Azure-hosted C2 infrastructure to exfiltrate data and execute arbitrary commands.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Cortex XDR, Advanced WildFire

The article does not provide raw detection rules, but notes that Palo Alto Networks Cortex XDR and Advanced WildFire have been updated to detect and prevent these threats.

Detection Engineering Assessment

  • EDR Visibility: Medium. The hijacked configuration disables ETW for the process, blinding ETW-based .NET telemetry for that process, but process creation, file drops and scheduled task creation are produced outside the process and remain visible.
  • Network Visibility: Medium. C2 traffic is HTTPS to Azure-hosted domains and blends in with legitimate traffic, but specific endpoints such as /api/app/check and chunked upload patterns can be monitored.
  • Detection Difficulty: Hard. Legitimate signed binaries, disabled ETW, and heavily padded files (up to 12MB) complicate both static and behavioral detection.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • File Creation (Sysmon 11)
  • Scheduled Task Creation (Event ID 4698)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Legitimate Microsoft or third-party setup binaries executing from unusual directories such as %LOCALAPPDATA% or AppData\Local\Packages | Process Creation | Execution | Medium
Creation of .config files containing <appDomainManagerType> and <etwEnable enabled="false"/> directives in user directories | File Creation | Defense Evasion | Low
Scheduled tasks created with names like 'WindowsSecurityUpdate' or 'Synchronize OS' that execute binaries from user AppData folders | Scheduled Task Creation | Persistence | Low
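The second hypothesis, and the AppDomainManager hijack described in the attack chain, can be checked directly on disk. The following Python is an added example (not Unit 42's or Palo Alto Networks' code): it parses a .NET application configuration file, reports the runtime directives that redirect the AppDomainManager or disable ETW, and walks a directory tree for *.exe.config hits. The two sample configs are constructed, and the assembly and type names in the hijacked one (UpdateHelper, UpdateHelper.Manager) are hypothetical.

```python
"""Flag .NET application configs that redirect AppDomainManager or disable ETW.

Added example, not Unit 42's or Palo Alto Networks' code. The sample configs
below are constructed; the assembly and type names in them are hypothetical.
"""
import os
import xml.etree.ElementTree as ET

# <runtime> children that hand control to an attacker-supplied assembly.
APPDOMAIN_DIRECTIVES = ("appDomainManagerAssembly", "appDomainManagerType")


def analyze_config(xml_text: str) -> dict:
    """Inspect one .exe.config body and return findings.

    Keys: appdomain_manager (dict of the directive values, or None),
    etw_disabled (bool), runtime_directives (every tag seen under <runtime>,
    for analyst review), suspicious (bool), parse_error (str or None).
    """
    findings = {"appdomain_manager": None, "etw_disabled": False,
                "runtime_directives": [], "suspicious": False, "parse_error": None}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        findings["parse_error"] = str(exc)
        return findings
    runtime = root.find("runtime")
    if runtime is None:
        return findings
    manager = {}
    for child in runtime:
        tag = child.tag.split("}")[-1]  # drop any XML namespace prefix
        findings["runtime_directives"].append(tag)
        if tag in APPDOMAIN_DIRECTIVES:
            manager[tag] = child.get("value", "")
        elif tag == "etwEnable" and child.get("enabled", "").lower() == "false":
            findings["etw_disabled"] = True
    if manager:
        findings["appdomain_manager"] = manager
    findings["suspicious"] = bool(manager) or findings["etw_disabled"]
    return findings


def scan_directory(path: str):
    """Walk a tree and yield (path, findings) for every suspicious *.exe.config."""
    for dirpath, _, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            full = os.path.join(dirpath, name)
            try:
                # utf-8-sig strips the BOM that .NET tooling often writes.
                with open(full, "r", encoding="utf-8-sig", errors="replace") as fh:
                    findings = analyze_config(fh.read())
            except OSError:
                continue
            if findings["suspicious"]:
                yield full, findings


# Constructed sample: the shape of a hijacked setup.exe.config (hypothetical names).
HIJACKED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
    <etwEnable enabled="false" />
  </runtime>
</configuration>
"""

# Constructed sample: an ordinary config that only pins the supported runtime.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

if __name__ == "__main__":
    for label, text in (("hijacked", HIJACKED_CONFIG), ("benign", BENIGN_CONFIG)):
        print(label, analyze_config(text))
    # Sweep the current user's %LOCALAPPDATA% (falls back to the working directory).
    for hit in scan_directory(os.environ.get("LOCALAPPDATA", ".")):
        print(hit)
```

Every tag under <runtime> is returned, not only the two flagged ones, because a config that carries any runtime directive next to a binary in a user profile is unusual enough to deserve a look even when the tag names differ from those in this report.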

Control Gaps

  • EDR reliance on ETW for .NET visibility: the <etwEnable enabled="false"/> runtime setting suppresses the CLR's ETW events for that process, so sensors that depend on them lose .NET telemetry while process, file and scheduled task events continue to be recorded.
  • File size limits in automated sandboxes and upload-based scanning (evaded by padding payloads to roughly 12MB).

Key Behavioral Indicators

  • Presence of <etwEnable enabled="false"/> in application .config files
  • Legitimate binaries loading unsigned DLLs from the same directory
  • Decoy UI windows with no taskbar entry
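The first and third hunting hypotheses, together with the sideloading indicator above, are straightforward to run over endpoint telemetry once the relevant fields are available. The following Python is an added example (not Unit 42's or Palo Alto Networks' code) that applies those checks to constructed event records shaped like Sysmon Event ID 1 (process creation), Sysmon Event ID 7 (image load) and Security Event ID 4698 (scheduled task creation). The host name, user name, the executable name Sync.exe and the allowlist of legitimate per-user installers are assumptions; the task names and the unbcl.dll path come from this report.

```python
"""Hunt Sysmon/Security telemetry for the behaviours described in this report.

Added example, not Unit 42's or Palo Alto Networks' code. Events are constructed
dicts using Sysmon Event 1 / 7 and Security 4698 field names; the host, user,
allowlist and the executable name Sync.exe are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

# Per-user staging locations the report calls out (%LOCALAPPDATA%, AppData\Local\Packages).
USER_STAGING = re.compile(r"\\users\\[^\\]+\\appdata\\local\\", re.IGNORECASE)
# Legitimate per-user installers that also live there (assumed list; tune to your estate).
ALLOWLIST = re.compile(r"\\appdata\\local\\(microsoft\\(teams|onedrive)|programs\\)", re.IGNORECASE)
# Task names the report associates with persistence.
SUSPICIOUS_TASK_NAMES = {"windowssecurityupdate", "synchronize os"}


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def _exec_commands(task_xml: str):
    """Yield <Command> values from a 4698 TaskContent body, ignoring the task XML namespace."""
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return
    for el in root.iter():
        if el.tag.split("}")[-1] == "Command" and el.text:
            yield el.text.strip()


def check_process(ev: dict):
    """Hypothesis 1: Microsoft-attributed or renamed binary launched from a user staging path."""
    image = ev.get("Image", "")
    if not USER_STAGING.search(image) or ALLOWLIST.search(image):
        return None
    reasons = []
    if "microsoft" in ev.get("Company", "").lower():
        reasons.append("Microsoft-attributed binary under AppData\\Local")
    name, orig = image.rsplit("\\", 1)[-1], ev.get("OriginalFileName", "")
    if orig and orig.lower() != name.lower():
        reasons.append(f"renamed binary: on disk as {name}, OriginalFileName {orig}")
    return reasons or None


def check_image_load(ev: dict):
    """Behavioral indicator: a staged binary loads an unsigned DLL from its own directory."""
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if not USER_STAGING.search(image) or ALLOWLIST.search(image):
        return None
    if _dirname(image) == _dirname(loaded) and ev.get("Signed", "").lower() == "false":
        return [f"unsigned DLL loaded from the image's own directory: {loaded}"]
    return None


def check_task(ev: dict):
    """Hypothesis 3: task with a name from the report, or whose action runs from a user profile."""
    reasons = []
    if ev.get("TaskName", "").strip("\\").lower() in SUSPICIOUS_TASK_NAMES:
        reasons.append(f"task name matches report: {ev.get('TaskName')}")
    for cmd in _exec_commands(ev.get("TaskContent", "")):
        expanded = cmd.replace("%LOCALAPPDATA%", r"C:\Users\_\AppData\Local")
        if USER_STAGING.search(expanded) and not ALLOWLIST.search(expanded):
            reasons.append(f"task action runs from a user profile: {cmd}")
    return reasons or None


CHECKS = {("Sysmon", 1): check_process, ("Sysmon", 7): check_image_load,
          ("Security", 4698): check_task}


def hunt(events):
    """Run the matching check on each event; return (event_id, computer, reasons) for hits."""
    alerts = []
    for ev in events:
        check = CHECKS.get((ev.get("Provider"), ev.get("EventID")))
        reasons = check(ev) if check else None
        if reasons:
            alerts.append((ev["EventID"], ev.get("Computer"), reasons))
    return alerts


def _task_xml(command: str) -> str:
    return ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f"<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>")


# Constructed sample events: one hit per check plus benign look-alikes for the FP cases.
STAGED = r"C:\Users\alice\AppData\Local\Packages\Sync.exe"  # hypothetical loader name
SAMPLE_EVENTS = [
    {"Provider": "Sysmon", "EventID": 1, "Computer": "WS01", "Image": STAGED,
     "OriginalFileName": "Example.exe", "Company": "Microsoft Corporation"},
    {"Provider": "Sysmon", "EventID": 1, "Computer": "WS01", "Company": "Microsoft Corporation",
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "OriginalFileName": "Teams.exe"},
    {"Provider": "Sysmon", "EventID": 7, "Computer": "WS01", "Image": STAGED, "Signed": "false",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Packages\unbcl.dll"},
    {"Provider": "Security", "EventID": 4698, "Computer": "WS01", "TaskName": r"\Synchronize OS",
     "TaskContent": _task_xml(r"C:\Users\alice\AppData\Local\bin\update\sync.exe")},
    {"Provider": "Security", "EventID": 4698, "Computer": "WS01",
     "TaskName": r"\Microsoft\Windows\Example\Refresh",
     "TaskContent": _task_xml(r"%windir%\system32\example.exe")},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The allowlist is what keeps the first hypothesis at a workable false positive rate: per-user installers such as Teams and OneDrive legitimately run from %LOCALAPPDATA%, so the rule only fires for binaries outside those known prefixes. The renamed-binary check (OriginalFileName differing from the on-disk name) is the cheapest signal for the "renamed legitimate Microsoft binaries" behaviour and needs no signature lookup.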

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Search endpoint telemetry for the provided hashes, C2 domains, and specific filenames like InitInstall.dll or uevmonitor.dll.

Infrastructure Hardening

  • Evaluate whether application control policies (e.g., AppLocker, WDAC) can be configured to block execution of unsigned DLLs even when loaded by signed executables.
  • Consider restricting the execution of binaries from %LOCALAPPDATA% where feasible.

User Protection

  • If your EDR supports it, ensure behavioral rules are active to detect anomalous scheduled task creation.
  • Consider deploying network filtering to block access to newly registered or uncategorized Azure subdomains if not required for business.

Security Awareness

  • Train employees to scrutinize unsolicited job offers and recruitment links, especially those requiring the download of offline portals or archives.
  • Educate users on verifying the authenticity of video conferencing software updates and meeting links.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1566.002 - Phishing: Spearphishing Link
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1574.014 - Hijack Execution Flow: AppDomainManager
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1027 - Obfuscated Files or Information

Additional IOCs

  • Domains:
    • docspace-y4cumb[.]onlyoffice[.]com - ONLYOFFICE DocSpace domain hosting malicious archives
    • NanoMatrix[.]azurewebsites[.]net - C2 domain used by MiniJunk V2
    • QuantumWeave[.]azurewebsites[.]net - C2 domain used by MiniJunk V2
    • ElementShift[.]azurewebsites[.]net - C2 domain used by MiniJunk V2
    • business-startup[.]org - C2 domain associated with Screening Serpens
    • business-startup[.]azurewebsites[.]net - C2 domain associated with Screening Serpens
    • Businessstartup[.]azurewebsites[.]net - C2 domain associated with Screening Serpens
    • app[redacted][.]live - Lookalike domain used for phishing landing page
    • buisness-centeral-transportation[.]azurewebsites[.]net - C2 domain used by MiniUpdate
    • Buisness-centeral-transportation[.]com - C2 domain used by MiniUpdate
    • docspace-twpf0e[.]onlyoffice[.]com - ONLYOFFICE DocSpace domain hosting malicious archives
    • PremierHealthAdvisory[.]com - C2 domain used by MiniUpdate (UAE campaign)
    • PremierHealthAdvisory[.]azurewebsites[.]net - C2 domain used by MiniUpdate (UAE campaign)
    • Premier-HealthAdvisory[.]azurewebsites[.]net - C2 domain used by MiniUpdate (UAE campaign)
    • Ramiltonsfinance[.]com - C2 domain used by MiniUpdate (Middle Eastern campaign)
    • Ramiltonsfinance[.]azurewebsites[.]net - C2 domain used by MiniUpdate (Middle Eastern campaign)
    • Ramiltons-finance[.]azurewebsites[.]net - C2 domain used by MiniUpdate (Middle Eastern campaign)
    • LicenceSupporting[.]azurewebsites[.]net - C2 domain used by MiniJunk V2
    • PeerDistSvcManagers[.]azurewebsites[.]net - C2 domain used by MiniJunk V2
    • ThemesManagers[.]azurewebsites[.]net - C2 domain used by MiniJunk V2
    • ThemesProviderManagers[.]azurewebsites[.]net - C2 domain used by MiniJunk V2
  • Urls:
    • hxxps://docspace-y4cumb[.]onlyoffice[.]com/storage/files/root/folder_3602000/file_3601577/v1/content.zip[...] - URL hosting the Portable platform.zip malicious archive
    • hxxps://app[redacted][.]live/meeting/edcdba624ddb43c2a1dcf334aa493068 - Phishing landing page mimicking a meeting invitation
    • hxxps://docspace-twpf0e[.]onlyoffice[.]com/storage/files/root/folder_3765000/file_3764519/v1/content.zip?filename=remote.[REDACTED].zip - URL hosting a malicious archive
    • hxxps://2117[.]filemail[.]com/api/file/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm - Payload delivery URL triggered from the phishing page
  • File Hashes:
    • 44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250 (SHA256) - Initial archive file (MiniUpdate US Campaign)
    • 332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17 (SHA256) - Hiring Portal.zip (MiniUpdate US Campaign)
    • 38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d (SHA256) - Initial archive file (MiniUpdate Israel Campaign)
    • d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2 (SHA256) - UpdateChecker.dll (MiniUpdate Israel Campaign)
    • bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad (SHA256) - UpdateChecker.dll (MiniUpdate UAE Campaign)
    • 74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27 (SHA256) - MiniUpdate Middle Eastern Campaign artifact
    • 9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84 (SHA256) - uevmonitor.dll (MiniJunk V2 Middle Eastern Campaign)
    • 8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b (SHA256) - Portable Platform.zip (MiniJunk V2 U.S. Campaign)
    • 43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa (SHA256) - Connection.dll (MiniJunk V2 U.S. Campaign)
    • 9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1 (SHA256) - unbcl.dll (MiniJunk V2 U.S. Campaign)
  • File Paths:
    • %LOCALAPPDATA%\bin\update\ - Hidden installation path created by MiniUpdate loader
    • C:\Users\*\AppData\Local\Packages\unbcl.dll - Path where the malicious unbcl.dll is dropped
  • Command Lines:
    • cmd.exe /c - Arbitrary command execution via shell (tool: cmd.exe; stage: Execution)