INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Iranian APT Screening Serpens Espionage Campaigns
2026-05-22 13:00 | Severity: MEDIUM
Executive Summary (AI-generated)
Screening Serpens, an Iran-nexus advanced persistent threat group aligned with Iranian intelligence objectives, has remained active in recent months. Its cyberespionage campaigns have targeted entities across the US, Israel, and two additional Middle Eastern countries. The group rotates its C2 domains to impersonate health sector or financial sector entities, and its April variants use a command dispatcher with 18 distinct opcodes. Screening Serpens remains active and is tracked on an ongoing basis by Unit 42 researchers.
Technical Mitigations (AI-generated)
• Implement a robust security awareness training program that teaches employees how social engineering attacks work and how to identify suspicious emails or messages, including recruitment-themed lures.
• Apply software updates and patches regularly so that all systems, networks, and applications carry the latest security fixes.
• Use advanced threat detection tools, such as machine learning-based solutions, to detect and respond to emerging threats in real time.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Actor: Screening Serpens
Malware: MiniUpdate, MiniJunk V2
Target & Sectors
Regions: NORTH_AMERICA, MIDDLE_EAST, EUROPE
Sectors: defense, telecommunications, health, aerospace, manufacturing, technology
Incident Timeline
April 15 and 17, 2026
The campaigns may have targeted the UAE and another Middle Eastern entity on April 15 and 17, 2026, respectively, based on VirusTotal metadata.
Target regions: United Arab Emirates; another Middle Eastern entity
Context: VirusTotal metadata indicates that the campaigns may have targeted entities in the U.S. and Israel on March 26, 2026, and most recently, the UAE and another Middle Eastern entity on April 15 and 17, 2026, respectively.
late 2025
The Screening Serpens APT group began preparing for its 2026 espionage campaigns in late 2025.
Target regions: MIDDLE_EAST, EUROPE
Context: While historically focused on regional targets in the Middle East, the group gained industry attention in late 2025 when Check Point Research detailed its strategic expansion into Western Europe.
Timeline of Recent Cyber Activity
Here is the timeline of events in the recent Screening Serpens campaign:
In late 2025, Screening Serpens expanded to targets in Western Europe, as detailed by Check Point Research.
Feb. 17, 2026
Threat actors used MiniJunk V2 in a spear-phishing campaign targeting a professional working in the technology sector, based in a Middle Eastern country.
Industry: Technology. Tactic: Phishing. Target region: MIDDLE_EAST.
Context (MiniJunk V2: February Middle Eastern Campaign): On Feb. 17, 2026, we identified evidence of a spear-phishing campaign targeting a professional working in the technology sector, based in a Middle Eastern country. On Feb. 17, 2026, a MiniJunk V2 sample appearing to target an entity in the Middle East surfaced shortly before the regional conflict. The MiniJunk V2 family samples were uploaded on February 17 and March 27.
Feb. 28, 2026
Screening Serpens campaign activity in the Middle East aligns closely with the regional conflict that started there on Feb. 28, 2026.
Target region: MIDDLE_EAST.
Context: The timing of these campaigns aligns closely with that of the regional conflict that started in the Middle East on Feb. 28, 2026.
February 2026
Threat actors used AppDomainManager hijacking to establish persistence and maintain operational control in Iranian APT Screening Serpens' 2026 espionage campaigns.
March 26, 2026
The attackers delivered the MiniUpdate malware variant via an archive file, impersonating a popular video conferencing platform.
Target regions: United States, Israel.
Context: VirusTotal metadata indicates that the campaigns may have targeted entities in the U.S. and Israel on March 26, 2026, and most recently, the UAE and another Middle Eastern entity on April 15 and 17, 2026, respectively.
Initial Delivery and Targeted Recruitment Lures
The ZIP contains a nested payload archive (Hiring Portal.zip) packaged alongside six PDF documents. An analysis of the archive's contents reveals a tailored social engineering trap aimed specifically at technical personnel.
no earlier than March 26, 2026
Threat actors deployed Iranian APT Screening Serpens malware no earlier than March 26, 2026.
March 27, 2026
The threat actor used the uevmonitor.dll assembly to initiate infection in a legitimate Setup.exe host process.
Observables: Portable Platform.zip, Setup.exe, uevmonitor.dll, Unbcl.dll, Connection.dll
Social Engineering and Initial Access
The threat actor initiated the attack by distributing a spoofed recruitment URL: hxxps[:]//[REDACTED][.]com/career/recreuitment/[REDACTED]. The target would then be redirected to a dedicated storage instance hosted within an attacker-managed ONLYOFFICE workspace. The infection begins with the Portable platform.zip lure archive, hosted on a unique ONLYOFFICE DocSpace:
hxxps[:]//docspace-y4cumb.onlyoffice[.]com/storage/files/root/folder_3602000/file_3601577/v1/content.zip
This infrastructure served as the delivery point for the primary payload, where the victim was induced to download a malicious archive disguised as legitimate recruitment materials. The attack execution advances when the victim complies with the lure instructions, manually retrieving and downloading the weaponized Portal.zip archive. This archive contains a file named Setup.exe and three hidden files. Since the default Windows settings do not reveal hidden files, a user would not normally see these three files.
Sideloading and Hijacking
During our analysis of the MiniJunk V2 sample, we observed the threat actor using an older version of the .config file to facilitate local sideloading. Figure 12 shows the original .config file, which was used only for sideloading the uevmonitor.dll file. Serving as the primary loader, the uevmonitor.dll assembly initiates the infection chain once executed by the initial, legitimate Setup.exe host process. It silently drops two embedded payloads into the local AppData directory:
SoftwareLicencing.exe: a renamed, legitimate Microsoft setup binary
unbcl.dll: the core malicious payload
To maintain its foothold, the loader creates a scheduled task for persistence named Synchronize OS and simultaneously displays a decoy system error to the user to mask this background activity.
The execution flow leverages the legitimate Setup.exe, which subsequently loads two malicious components:
Unbcl.dll: a social-engineering decoy
Connection.dll: the primary payload, a RAT
The execution of Unbcl.dll creates a background thread displaying a GUI to the target.
Technical Analysis of the Payload
The Connection.dll payload is another RAT with multiple capabilities and defense evasion mechanisms. It relies on a social-engineering decoy graphical user interface (GUI) to deceive the target while quietly establishing a heavily obfuscated C2 connection. When the Connection.dll RAT runs, it follows a strict execution sequence: it performs a hard-coded date-based validity check to ensure that the RAT runs on any date that is after March 27, 2026, 13:30:00 UTC. Once in the main loop, the malware XOR-decrypts (using a single-byte key, 0x8A) data within its code to acquire a Chrome-based User-Agent string and three URLs using Azure-hosted C2 domains. During execution, the malware dynamically decrypts data within its code to retrieve five C2 domains:
licencemanagers.azurewebsites[.]net
LicenceSupporting.azurewebsites[.]net
PeerDistSvcManagers.azurewebsites[.]net
ThemesManagers.azurewebsites[.]net
ThemesProviderManagers.azurewebsites[.]net
These domains mimic legitimate Windows service names, attempting to blend in with network communication. The resulting string mimics legitimate Microsoft Edge browser traffic:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
The malware's .rdata section is packed with thousands of junk strings, including Java and Python tracebacks, SQL queries and .NET exceptions. This serves two purposes:
Flooding string extraction tools with irrelevant data
Inflating the binary size to around 12 MB in an attempt to bypass file-size limits on certain automated sandboxes
The sideloading chain and malicious executable triggered Cortex XDR to flag this threat as high risk.
March 27
The MiniJunk V2 family samples were uploaded on March 27.
late March 2026
In late March 2026, we identified samples uploaded to VirusTotal from organizations in the U.S. and Israel.
Source region: Israel, United States.
March 2026
Screening Serpens' March 2026 phishing campaign used lures impersonating a video conferencing platform to establish trust and delivered malicious payloads via third-party file-sharing services.
Tactic: Social Engineering.
Context (Social Engineering and Initial Access): Analysis of sequential artifact uploads to VirusTotal from March 2026 provides a view into Screening Serpens' social engineering tactics.
April 15, 2026
Threat actors used PremierHealthAdvisory[.]com and Ramiltonsfinance[.]com to target entities in the UAE and the wider Middle East, impersonating health sector and financial sector entities.
Target region: United Arab Emirates. Industry: Health. Tactic: Impersonate.
Context: In the variant that may have targeted an entity in the UAE on April 15, 2026, the threat actor rotated the C2 domains to impersonate a health sector entity, using:
PremierHealthAdvisory[.]com
PremierHealthAdvisory.azurewebsites[.]net
Premier-HealthAdvisory.azurewebsites[.]net
In the variant that may have targeted another Middle Eastern entity on April 17, 2026, the threat actor rotated the C2 domains to impersonate a financial sector entity, using:
Ramiltonsfinance[.]com
Ramiltonsfinance.azurewebsites[.]net
Ramiltons-finance.azurewebsites[.]net
Furthermore, the April variants feature an expanded command dispatcher with 18 distinct opcodes, two more than the earlier March campaigns.
April 17, 2026
The threat actor employed a .NET-specific code execution technique known as AppDomainManager hijacking in the variant that may have targeted another Middle Eastern entity on April 17, 2026, rotating its C2 domains to impersonate a financial sector entity (Ramiltonsfinance[.]com and its azurewebsites[.]net counterparts, listed under April 15, 2026).
Tactic: Impersonate. Command dispatcher: 18 distinct opcodes, two more than the earlier March campaigns.
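The C2 domains above, the five Windows-service lookalikes from the March MiniJunk V2 sample and the three MiniUpdate servers named later in this report all sit on attacker-registered domains or Azure Web Apps. The following is an added example for defenders, not code from Unit 42 or from this page: it refangs the indicators exactly as the report lists them and matches them against proxy log lines. The log format, the sample lines and the internal allowlist of the organisation's own Azure Web Apps are constructed assumptions. The user agent is a normal Chrome string, so the code treats a UA match as corroboration only, and flags unlisted azurewebsites.net hosts for review rather than as confirmed C2.

```python
"""
Match proxy log lines against the C2 domains listed in the report.
Added defender-side example; not code from the original report.
"""
import re
from urllib.parse import urlsplit

# Defanged C2 domains copied from the report (March and April variants).
REPORT_DOMAINS = [
    "licencemanagers.azurewebsites[.]net",
    "LicenceSupporting.azurewebsites[.]net",
    "PeerDistSvcManagers.azurewebsites[.]net",
    "ThemesManagers.azurewebsites[.]net",
    "ThemesProviderManagers.azurewebsites[.]net",
    "PremierHealthAdvisory[.]com",
    "PremierHealthAdvisory.azurewebsites[.]net",
    "Premier-HealthAdvisory.azurewebsites[.]net",
    "Ramiltonsfinance[.]com",
    "Ramiltonsfinance.azurewebsites[.]net",
    "Ramiltons-finance.azurewebsites[.]net",
    "buisness-centeral.azurewebsites[.]net",
    "buisness-centeral-transportation.azurewebsites[.]net",
    "Buisness-centeral-transportation[.]com",
]

# User agent the report attributes to MiniUpdate. It is an ordinary Chrome
# string, so a match alone is corroboration, never a detection by itself.
REPORT_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36")

# Assumption: the organisation keeps an allowlist of its own Azure Web Apps.
ALLOWED_AZURE_HOSTS = {"intranet-portal.azurewebsites.net"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased hostname."""
    return ioc.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in REPORT_DOMAINS}

# Constructed log format: timestamp src_ip method url status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed sample lines (not from the report).
SAMPLE_LOGS = [
    '2026-04-15T09:12:03Z 10.0.5.23 GET https://premierhealthadvisory.azurewebsites.net/api/check 200 "' + REPORT_USER_AGENT + '"',
    '2026-04-15T09:12:10Z 10.0.5.23 GET https://www.microsoft.com/en-us/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0"',
    '2026-04-15T09:13:41Z 10.0.7.8 POST https://licencemanagers.azurewebsites.net/upload 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2026-04-15T09:14:02Z 10.0.7.8 GET https://intranet-portal.azurewebsites.net/home 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0"',
    '2026-04-15T09:15:30Z 10.0.9.1 GET https://random-tenant-app.azurewebsites.net/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0"',
    '2026-04-17T11:02:11Z 10.0.5.23 GET https://buisness-centeral-transportation.com/api 200 "' + REPORT_USER_AGENT + '"',
    'malformed line that should be skipped',
]


def parse_line(line: str):
    """Parse one constructed-format log line; return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, url, status, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "ua": ua}


def match_domain(host: str):
    """Exact or subdomain match against the report's C2 domains."""
    for dom in C2_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def detect(lines):
    """Return one finding per suspicious line, 'high' findings first."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = (urlsplit(rec["url"]).hostname or "").lower()
        ioc = match_domain(host)
        ua_match = rec["ua"] == REPORT_USER_AGENT
        if ioc:
            findings.append({"severity": "high", "src": rec["src"], "host": host,
                             "ioc": ioc, "ua_match": ua_match})
        elif host.endswith(".azurewebsites.net") and host not in ALLOWED_AZURE_HOSTS:
            # Every C2 in the report sits on azurewebsites.net; unknown apps get a review.
            findings.append({"severity": "review", "src": rec["src"], "host": host,
                             "ioc": None, "ua_match": ua_match})
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f["severity"], f["src"], f["host"], f["ioc"], "ua-match" if f["ua_match"] else "")
```

Subdomain matching matters because the report shows the actor pairing a registered domain with azurewebsites.net counterparts; the review tier is deliberately separate so that legitimate Azure tenants do not page an analyst as confirmed C2.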
Stage 1: AppDomainManager Hijacking and File Staging
The threat actor employed a .NET-specific code execution technique known as AppDomainManager hijacking. It instantiates a custom AppDomainManager type (such as MyAppDomainManager) to achieve Pre-Main() execution. By adding just a few specific lines of XML, the threat actor instructs the .NET common language runtime (CLR) to proactively disable its own security mechanisms. This ensures that even if the system normally requires cryptographic verification for loaded assemblies, the attacker's unsigned or tampered InitInstall.dll will load silently without throwing a security exception.
Event Tracing for Windows (ETW) is the primary telemetry source used by modern endpoint detection and response (EDR) solutions to monitor .NET execution, track loaded assemblies and detect malicious behaviors in memory. By disabling ETW natively via the application configuration, the attacker potentially blinds the EDR to the CLR's runtime behavior without needing to perform suspicious memory patching or API hooking. Publisher policies are typically used by Microsoft to redirect application bindings to newer, safer or patched versions of an assembly. By forcing this strict environment, the attacker reduces the risk of accidental application crashes, which would generate Windows error pop-ups and logs, immediately alerting the user or defenders that something is wrong.
First, the constructor reverses the input bytes interpreted as UTF-8. Once the strings are decrypted, the loader initiates a sequence that blends user interface (UI) deception with stealthy file staging and persistence. The malware then copies and renames four files from the initial infection folder into this new directory:
setup.exe is renamed to update.exe
UpdateConfig.xml is renamed to update.exe.config
Updater.dll is copied as is
UpdateChecker.dll (the MiniUpdate payload) is copied as is
Establishing persistence: With the files staged, InitInstall.dll leverages Windows Task Scheduler to ensure the payload survives reboots.
Stage 2: Anti-Analysis Checks
When the scheduled task triggers the renamed setup binary (update.exe), the malware initiates a second AppDomainManager hijack to safely transition to the next stage. This effectively hollows out the legitimate Microsoft process, allowing the next payload, Updater.dll, to load into an unmonitored memory space.
Stage 3: Payload Execution and Core Functionality
The MiniUpdate payload operates via external C2s and a compromised digital signature.
C2 Architecture and Network Execution
This variant is designed to cycle through three different command servers in a specific order, checking each one for instructions:
buisness-centeral.azurewebsites[.]net
buisness-centeral-transportation.azurewebsites[.]net
Buisness-centeral-transportation[.]com
The following user agent is used in the communication:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Digital signature misuse: This payload is digitally signed under the name of a software company whose signature appears to have been stolen or impersonated.
Operations security (OPSEC) shift (plaintext strings): MiniUpdate stores all API names, C2 domains and endpoints in plaintext within the .rdata section. Conversely, the MiniJunk V2 samples featured heavy Mixed Boolean-Arithmetic and XOR obfuscation.
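The report says the actor ships an application configuration (update.exe.config) whose few lines of XML name a custom AppDomainManager and switch off ETW and publisher policy, but does not reproduce the file. The following is an added example for defenders, not code from Unit 42 or from this page: a scanner that parses .NET app.config-style XML and scores the runtime settings a hijack depends on. The element names (appDomainManagerAssembly, appDomainManagerType, etwEnable, publisherPolicy, loadFromRemoteSources) are the documented .NET Framework runtime configuration elements; that the hijack config uses exactly these, and the sample config below, are assumptions, and the assembly name and type in the sample are placeholders.

```python
"""
Score a .NET application configuration file for AppDomainManager hijack
indicators. Added defender-side example; not code from the report.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on what the report describes (custom
# AppDomainManager, ETW off, publisher policy off). Assembly name and
# type are placeholders, not values from the report.
SAMPLE_HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="PLACEHOLDER-LOADER, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="MyAppDomainManager" />
    <etwEnable enabled="false" />
    <loadFromRemoteSources enabled="true" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <publisherPolicy apply="no" />
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Constructed benign config: a normal startup section only.
SAMPLE_BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace ({uri}name -> name); assemblyBinding is namespaced."""
    return tag.split("}", 1)[-1]


def scan_config(xml_text: str):
    """Return (indicator, value) pairs found in the runtime configuration."""
    findings = []
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "configuration":
        return findings
    for el in root.iter():
        name = _local(el.tag)
        if name == "appDomainManagerAssembly":
            findings.append(("appDomainManagerAssembly", el.get("value", "")))
        elif name == "appDomainManagerType":
            findings.append(("appDomainManagerType", el.get("value", "")))
        elif name == "etwEnable" and el.get("enabled", "").lower() == "false":
            findings.append(("etwEnable", "false"))
        elif name == "publisherPolicy" and el.get("apply", "").lower() == "no":
            findings.append(("publisherPolicy", "no"))
        elif name == "loadFromRemoteSources" and el.get("enabled", "").lower() == "true":
            findings.append(("loadFromRemoteSources", "true"))
    return findings


def risk_score(findings) -> int:
    """Weight the indicators: a named custom AppDomainManager is the core of the technique."""
    keys = {k for k, _ in findings}
    score = 0
    if {"appDomainManagerAssembly", "appDomainManagerType"} <= keys:
        score += 3  # code in the named assembly runs before Main()
    if "etwEnable" in keys:
        score += 2  # CLR ETW telemetry disabled from config, no patching needed
    if "publisherPolicy" in keys:
        score += 1  # binding redirection to patched assemblies switched off
    if "loadFromRemoteSources" in keys:
        score += 1
    return score


def assess(xml_text: str):
    """Convenience wrapper: (score, findings) for one config file's text."""
    f = scan_config(xml_text)
    return risk_score(f), f


if __name__ == "__main__":
    for label, cfg in (("hijack", SAMPLE_HIJACK_CONFIG), ("benign", SAMPLE_BENIGN_CONFIG)):
        score, found = assess(cfg)
        print(label, score, found)
```

In practice the scan runs over every *.exe.config next to a renamed or freshly dropped executable; a config that names an AppDomainManager assembly present as an unsigned DLL in the same directory, as the report describes for the update.exe and Updater.dll pairing, is the case worth an analyst's time.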
mid-April 2026
Additional samples from the UAE and another Middle Eastern entity were discovered in mid-April 2026.
April 2026
The Iranian APT group Screening Serpens used a technique called AppDomainManager hijacking to infect targets, leveraging targeted spear phishing lures and DLL sideloading for execution.
Based on VirusTotal metadata, it appears these samples may have been used against targets across the U.S., Israel and the UAE as well as two additional Middle Eastern entities.
SHA256 Hashes:
MiniUpdate: US Campaign
44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250 - Initial archive file
332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17 - Hiring Portal.zip
0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864 - UpdateChecker.dll
MiniUpdate: Israel Campaign
38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d - Initial archive file
d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2 - UpdateChecker.dll
MiniUpdate: UAE Campaign
bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad - UpdateChecker.dll
MiniUpdate: Middle Eastern Campaign
74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27
bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad - UpdateChecker.dll
MiniJunk V2: Middle Eastern Campaign
9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84 - uevmonitor.dll
b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4 - unbcl.dll
MiniJunk V2: U.S. Campaign
8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b - Portable Platform.zip
43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa - Connection.dll
9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1 - unbcl.dll
Their infection chains begin with targeted spear phishing lures, leveraging DLL sideloading for execution.
Palo Alto Networks customers are better protected from the threats described in this article through the following products and services: the Cortex AgentiX Agentic Assistant can assist teams in investigating incidents.
The samples are split into two distinct malware families:
A newly discovered malware family that we call MiniUpdate
An evolved iteration of a malware family named MiniJunk that we track as MiniJunk V2
Both families build directly upon the actor's established playbook.
Advanced WildFire is powered by Precision AI. Advanced URL Filtering and Advanced DNS Security identify and block known domains and URLs associated with this activity in real time.
This approach combines several layers of protection, including Advanced WildFire, Behavioral Threat Protection and the Local Analysis module, to prevent both known and unknown malware from causing harm to endpoints — all in a single interface.
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members.
between April 15 and April 17, 2026
Threat actors used a previously unknown Iranian Advanced Persistent Threat (APT) to target entities in the United Arab Emirates between April 15 and April 17, 2026.
MiniUpdate: Mid-April Middle Eastern Campaigns
In the attacks that may have targeted entities in the UAE and potentially another Middle Eastern country, we identified two new MiniUpdate variants, compiled and submitted to VirusTotal between April 15 and April 17, 2026.
between February and April 2026
Threat actors used a newly discovered remote access Trojan (RAT) variant to target Iranian entities between February and April 2026.
March 26, April 15 and April 17
Threat actors used the MiniUpdate family of software updates to upload tracking malware samples on March 26, April 15 and April 17.
2026/05/22
The incident involved bypassing signature validation in the .NET Common Language Runtime (CLR) to target entities in the United States, Israel, and the United Arab Emirates.
Executive Summary
Unit 42 researchers have observed evidence of cyberattacks by the Iran-nexus advanced persistent threat (APT) group Screening Serpens (aka UNC1549, Smoke Sandstorm and Iranian Dream Job).
Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns.
Silencing event tracing for Windows: The configuration includes the directive <etwEnable enabled="false"/>.
Forced runtime environment (safe mode): The configuration uses the <requiredRuntime safemode="true" imageVersion="v4.0.30319"/> directive.
At its core, this configuration relies on the
<probing privatePath=".
Bypassing signature validation: The <bypassTrustedAppStrongNames enabled="true"/> directive instructs the CLR to skip strong-name signature validation.
Event Tracing for Windows (ETW) is the primary telemetry source used by modern endpoint detection and response (EDR) solutions to monitor .NET execution, track loaded assemblies and detect malicious behaviors in memory.
By forcing this strict environment, the attacker reduces the risk of accidental application crashes, which would generate Windows error pop-ups and logs, immediately alerting the user or defenders that something is wrong.
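The directives above are all ordinary .NET Framework runtime settings, so a defender can triage a suspect application configuration file without running the binary. The following scanner is an added example and not Unit 42's or Palo Alto Networks' code; it parses a constructed app.config (assumed to resemble the described configuration, not a real artifact) and flags the ETW, strong-name bypass, forced-runtime and probing directives, plus the appDomainManagerAssembly/appDomainManagerType elements that the AppDomainManager hijacking technique named on this page relies on.

```python
"""Flag .NET application configuration directives that weaken CLR security.

Added example (not Unit 42's code). The element names are the documented
.NET Framework runtime settings; SAMPLE_CONFIG below is constructed for
illustration and is not a recovered artifact.
"""
import xml.etree.ElementTree as ET

# Constructed sample resembling the configuration described above.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <requiredRuntime safemode="true" imageVersion="v4.0.30319"/>
  </startup>
  <runtime>
    <etwEnable enabled="false"/>
    <bypassTrustedAppStrongNames enabled="true"/>
    <appDomainManagerAssembly value="EXAMPLE_ASSEMBLY_PLACEHOLDER"/>
    <appDomainManagerType value="EXAMPLE_TYPE_PLACEHOLDER"/>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib"/>
    </assemblyBinding>
  </runtime>
</configuration>
"""

ASM_NS = "urn:schemas-microsoft-com:asm.v1"


def scan_config(xml_text):
    """Return a list of (directive, detail) findings for suspicious settings."""
    root = ET.fromstring(xml_text)
    findings = []

    runtime = root.find("runtime")
    if runtime is not None:
        etw = runtime.find("etwEnable")
        if etw is not None and etw.get("enabled", "true").lower() == "false":
            findings.append(("etwEnable", "CLR ETW telemetry disabled"))

        bypass = runtime.find("bypassTrustedAppStrongNames")
        if bypass is not None and bypass.get("enabled", "").lower() == "true":
            findings.append(("bypassTrustedAppStrongNames",
                             "strong-name signature validation skipped"))

        # A custom AppDomainManager loads attacker-chosen code at CLR startup.
        for name in ("appDomainManagerAssembly", "appDomainManagerType"):
            elem = runtime.find(name)
            if elem is not None and elem.get("value"):
                findings.append((name, "custom AppDomainManager: " + elem.get("value")))

        # probing privatePath widens where the CLR looks for assemblies.
        probing = runtime.find(f"{{{ASM_NS}}}assemblyBinding/{{{ASM_NS}}}probing")
        if probing is not None and probing.get("privatePath"):
            findings.append(("probing",
                             "assembly probing path " + repr(probing.get("privatePath"))))

    startup = root.find("startup")
    if startup is not None:
        req = startup.find("requiredRuntime")
        if req is not None and req.get("safemode", "").lower() == "true":
            findings.append(("requiredRuntime",
                             "safemode forced, imageVersion " + req.get("imageVersion", "?")))
    return findings


if __name__ == "__main__":
    for directive, detail in scan_config(SAMPLE_CONFIG):
        print(f"[!] {directive}: {detail}")
```

Point scan_config at the contents of any `<exe>.config` dropped next to a signed executable; a clean configuration yields an empty list, and each finding names the directive so it can be matched against the behaviors described above.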
Establishing persistence: With the files staged, InitInstall.dll leverages Windows Task Scheduler to ensure the payload survives reboots.
C2 Architecture and Network Execution
This variant is designed to cycle through three different command servers in a specific order, checking each one for instructions:
buisness-centeral.azurewebsites[.]net
buisness-centeral-transportation.azurewebsites[.]net
Buisness-centeral-transportation[.]com
The following user agent is used in the communication:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Digital signature misuse:
This payload is digitally signed under the name of a software company whose signature appears to have been stolen or impersonated.
Since the default Windows settings do not reveal hidden files, a user would not normally see these three files.
During execution, the malware dynamically decrypts data within its code to retrieve five C2 domains:
licencemanagers.azurewebsites[.]net
LicenceSupporting.azurewebsites[.]net
PeerDistSvcManagers.azurewebsites[.]net
ThemesManagers.azurewebsites[.]net
ThemesProviderManagers.azurewebsites[.]net
These domains mimic legitimate Windows service names, attempting to blend in with network communication.
The resulting string mimics legitimate Microsoft Edge browser traffic:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Flooding string extraction tools with irrelevant data
Inflating the binary size to around 12 MB in an attempt to bypass file-size limits on certain automated sandboxes
The sideloading chain and malicious executable triggered Cortex XDR to flag this threat as high risk.
Intelligence Sources
Palo Alto
2026-05-22
Last Updated: 2026-06-29T10:30