MiniUpdate RAT uses Azure-hosted C2 domains in Iran-linked espionage campaigns
Unit 42 researchers have linked new MiniUpdate and MiniJunk V2 malware activity to Screening Serpens, an Iran-nexus espionage group also known as UNC1549, Smoke Sandstorm, and Iranian Dream Job.
According to Unit 42’s research, the campaigns targeted entities in the United States, Israel, and the United Arab Emirates, with likely additional targeting in the Middle East. The activity developed between mid-February and April 2026.
The attacks used tailored social engineering, including fake recruitment material and spoofed meeting or installer lures. The goal was to convince technology, defense, aerospace, and telecommunications professionals to open malicious archives and run disguised files.
Screening Serpens expanded its RAT toolkit in 2026
Screening Serpens has operated since at least 2022, but the latest campaign shows a sharper focus on custom malware and resilient command-and-control infrastructure. Researchers grouped six newly discovered RAT variants into two malware families: MiniUpdate and MiniJunk V2.
Cybersecurity Dive reported that the campaign aligned with a broader rise in Iran-linked cyber activity and targeted high-value sectors through impersonation schemes.
Microsoft’s threat actor naming list also maps Smoke Sandstorm to Iran and notes overlap with UNC1549. That helps explain why multiple vendors track the same activity under different names.
| Tracked name | Also known as | Reported focus |
|---|---|---|
| Screening Serpens | UNC1549, Smoke Sandstorm, Iranian Dream Job | Espionage against technology, aerospace, defense, and telecom targets |
| MiniUpdate | UpdateChecker.dll payload family | AppDomainManager hijacking, scheduled task persistence, Azure-hosted C2 |
| MiniJunk V2 | Updated MiniJunk variant | DLL sideloading, junk-code padding, delayed execution, Azure-hosted C2 |
MiniUpdate uses AppDomainManager hijacking
MiniUpdate is the more technically notable of the two malware families because it uses AppDomainManager hijacking during the .NET startup process. In this technique, attackers manipulate a configuration file so malicious code runs before the legitimate application fully starts.
The MITRE ATT&CK entry for AppDomainManager explains that adversaries can hijack how the .NET AppDomainManager loads assemblies to execute malicious payloads. In the Screening Serpens campaign, that technique helped the malware disable telemetry before the next payload ran.
Unit 42 said MiniUpdate’s configuration explicitly disabled Event Tracing for Windows and strong name verification. That matters because ETW gives defenders important visibility into suspicious runtime behavior.
The infection chain hid behind fake job and meeting lures
The U.S. MiniUpdate campaign used an archive designed to look like airline recruitment material. The archive included fake job descriptions for senior technical roles and a nested Hiring Portal.zip file.
When a victim ran the included setup file, the malware displayed a fake error window to make the lure look legitimate. Behind the scenes, it staged files under a local application data path, renamed setup.exe to update.exe, and prepared the UpdateChecker.dll payload.
In Israel, attackers used an archive that impersonated a video conferencing installer. The malware showed a spoofed loading interface while it deployed in the background.
- Fake hiring portals used job descriptions aimed at technical professionals.
- Spoofed installer windows reduced user suspicion during deployment.
- MiniUpdate staged its payload under application data paths.
- A scheduled task kept the malware active after reboot.
- Azure-hosted command servers gave each target a more isolated infrastructure set.
Azure-hosted C2 domains helped isolate targets
MiniUpdate used different command-and-control domains across campaigns, many hosted on Azure. Unit 42 said the actor routed C2 traffic through three to five unique domains dedicated to each target and variant, which reduced infrastructure overlap.

In the U.S. MiniUpdate campaign, the RAT cycled through domains including buisness-centeral.azurewebsites.net, buisness-centeral-transportation.azurewebsites.net, and Buisness-centeral-transportation.com. Other campaigns used infrastructure themed around healthcare, finance, and startup services.
The use of legitimate cloud-hosted services does not make the traffic benign. It does, however, make simple domain reputation blocking less reliable, especially when attackers rotate infrastructure per target.
| Campaign element | Reported example | Defensive relevance |
|---|---|---|
| MiniUpdate payload | UpdateChecker.dll | Core RAT component used after staging |
| Persistence | Daily scheduled task at 09:30 local time | Allows the malware to survive reboot |
| U.S. C2 theme | buisness-centeral.azurewebsites.net | Cloud-hosted C2 infrastructure |
| UAE C2 theme | PremierHealthAdvisory domains | Sector-themed infrastructure |
| Middle East C2 theme | Ramiltonsfinance domains | Finance-themed infrastructure |
MiniUpdate gives attackers broad host control
After installation, MiniUpdate polls its command server and processes commands through a dispatcher. The RAT can execute shell commands, load DLLs into memory, manipulate processes, exfiltrate files, and request User Account Control elevation.
The same Unit 42 analysis said the latest variant gained the ability to exfiltrate files in chunks. That kind of update suggests continued development rather than a one-off malware build.
MiniUpdate also creates persistence through scheduled tasks. Unit 42 observed that the malware registers a logon-triggered scheduled task named WindowsSecurityUpdate, and that it can also remove or reinstall that task on command.
MiniJunk V2 takes a different evasion path
MiniJunk V2 uses DLL sideloading and heavy padding to frustrate scanners and analysts. The malware inflates its file size with thousands of meaningless strings from languages such as Java and Python, pushing it beyond the scanning limits of some automated tools.
The MITRE ATT&CK page for DLL sideloading describes the technique as hijacking which DLL a program loads so a legitimate application executes the attacker’s payload. MiniJunk V2 used two layers of sideloading before reaching its final RAT payload.
The U.S. MiniJunk V2 variant also included a hard-coded time check. It would not activate before March 27, 2026, at 13:30 UTC, which reduced the chance that early sandbox analysis would reveal the payload’s full behavior.
| Malware family | Main evasion technique | Operational effect |
|---|---|---|
| MiniUpdate | AppDomainManager hijacking | Runs before the host application fully initializes and disables key telemetry |
| MiniUpdate | Scheduled task persistence | Maintains access across reboot |
| MiniJunk V2 | DLL sideloading | Uses legitimate binaries to load malicious DLLs |
| MiniJunk V2 | Junk-code padding | Inflates file size and complicates automated analysis |
| MiniJunk V2 | Delayed activation | Limits behavior seen in early sandbox runs |
Who should treat the campaign as high priority
Organizations in aerospace, defense manufacturing, telecommunications, cloud, and technology should treat this campaign as a high-priority threat. The lures were tailored for professionals in those sectors, not for random mass infection.
Cybersecurity Dive noted that affected industries should harden defenses against impersonation schemes. That is important because the campaign begins with human trust, not a public exploit.

Security teams should also train recruiters, engineers, IT managers, and business development staff to report unexpected job archives, meeting installers, or “assessment portal” files. Those roles are likely to receive convincing external communications as part of espionage tradecraft.
Detection should focus on behavior, not only hashes
Known indicators help with immediate hunting, but defenders should not rely only on file hashes and domains. Screening Serpens rotates C2 infrastructure and makes small changes between variants.
Detection logic should look for .NET applications using suspicious AppDomainManager configuration files, processes disabling ETW, trusted binaries loading unknown DLLs, and scheduled tasks that appear shortly after a user opens an archive.
The broader AppDomainManager technique and DLL sideloading technique both fall under execution flow hijacking. That makes them useful behavioral anchors for endpoint detection and threat hunting.
- Alert on AppDomainManager configuration changes in unusual application paths.
- Monitor for .config files that disable ETW or strong name verification.
- Flag trusted binaries loading unsigned or unknown DLLs from user-writable folders.
- Review scheduled tasks created after suspicious archives run.
- Inspect outbound traffic to newly seen Azure-hosted domains from workstations.
- Hunt for UpdateChecker.dll, uevmonitor.dll, Connection.dll, and unbcl.dll in suspicious paths.
- Correlate fake recruitment lures with endpoint process creation events.
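The following example, added for this article and not Unit 42 tooling, turns the AppDomainManager and ETW points above (the hijacked `<runtime>` configuration described under MiniUpdate, and the `.config` monitoring items in this list) into a small triage script for .NET application config files. The two sample configs are constructed; only the UpdateChecker.dll file name comes from the reporting, the assembly and type names are hypothetical, and the strong-name setting the article mentions is not covered.

```python
"""Triage .NET application .config files for two <runtime> settings this
article attributes to MiniUpdate: a custom AppDomainManager registration and
ETW switched off.  Example added for this article; sample configs are constructed."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed: an ordinary assembly-probing config that should yield no findings.
BENIGN_CONFIG = """<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib"/>
    </assemblyBinding>
  </runtime>
</configuration>"""

# Constructed hijacking config; assembly/type names are hypothetical, the file name UpdateChecker.dll is from the reporting.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateChecker, Version=1.0.0.0, Culture=neutral"/>
    <appDomainManagerType value="UpdateChecker.Manager"/>
    <etwEnable enabled="false"/>
  </runtime>
</configuration>"""


def config_findings(xml_text: str) -> list[str]:
    """Return one finding per suspicious <runtime> setting (empty list = clean)."""
    findings: list[str] = []
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:                       # nothing the CLR honours at startup
        return findings
    asm = runtime.find("appDomainManagerAssembly")   # CLR loads this before Main()
    typ = runtime.find("appDomainManagerType")
    if asm is not None or typ is not None:
        findings.append("custom AppDomainManager: " + " / ".join(
            e.get("value", "?") for e in (asm, typ) if e is not None))
    etw = runtime.find("etwEnable")                   # blinds ETW-based sensors
    if etw is not None and etw.get("enabled", "").strip().lower() == "false":
        findings.append('ETW disabled via <etwEnable enabled="false"/>')
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map every *.exe.config under `root` (e.g. a user's LocalAppData tree) to its findings."""
    results: dict[str, list[str]] = {}
    for cfg in root.rglob("*.exe.config"):
        try:
            results[str(cfg)] = config_findings(cfg.read_text(encoding="utf-8-sig"))
        except ET.ParseError as exc:          # malformed XML is itself worth a look
            results[str(cfg)] = [f"unparseable config: {exc}"]
    return results
```

Run `scan_tree` over user-writable application data paths and compare the reported assembly against the binaries actually present beside the config; a manager assembly that is unsigned or sits next to a renamed installer is the pattern the article describes.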
Important indicators of compromise
Security teams should use the indicators below as starting points for hunting. Domains should remain defanged in published reports and only be refanged inside controlled threat intelligence or SIEM workflows.
Microsoft’s threat actor naming reference can help teams map Smoke Sandstorm reporting to UNC1549 and Screening Serpens activity in other vendors’ intelligence portals.
| Type | Indicator |
|---|---|
| MiniUpdate C2 | buisness-centeral.azurewebsites[.]net |
| MiniUpdate C2 | buisness-centeral-transportation.azurewebsites[.]net |
| MiniUpdate C2 | Buisness-centeral-transportation[.]com |
| MiniJunk V2 C2 | NanoMatrix.azurewebsites[.]net |
| MiniJunk V2 C2 | QuantumWeave.azurewebsites[.]net |
| MiniJunk V2 C2 | ElementShift.azurewebsites[.]net |
| Payload delivery host | docspace-y4cumb.onlyoffice[.]com |
| Payload delivery host | docspace-twpf0e.onlyoffice[.]com |
| File name | UpdateChecker.dll |
| File name | uevmonitor.dll |
| File name | Connection.dll |
| File name | Hiring Portal.zip |
What organizations should do now
Defenders should start by reviewing endpoint telemetry for AppDomainManager hijacking, DLL sideloading, new scheduled tasks, suspicious archive execution, and outbound connections to Azure-hosted domains that do not match normal business use.
Teams should also tighten email and collaboration controls around archive files, fake meeting installers, and external recruitment messages. Screening Serpens relies on tailored lures, so generic phishing filters may not catch every attempt.
For high-risk teams, security leaders should add extra verification steps for recruitment files, third-party meeting tools, and unsolicited software installers. A short confirmation through a known channel can stop the infection chain before the RAT runs.
- Block or alert on the listed domains and file hashes where appropriate.
- Review endpoint logs for suspicious scheduled tasks and renamed installer files.
- Harden detection for AppDomainManager hijacking and DLL sideloading.
- Train targeted teams to verify job offers and meeting invites through known channels.
- Inspect Azure-hosted outbound traffic from endpoints for unusual beaconing.
- Restrict execution from user-writable folders where possible.
- Escalate detections involving defense, aerospace, telecom, or technology personnel.
Espionage campaigns are becoming more personalized
The Screening Serpens activity shows how espionage groups now combine technical tradecraft with highly personalized social engineering. The malware is sophisticated, but the first step still depends on convincing a target to trust a fake archive or installer.
MiniUpdate and MiniJunk V2 also show why cloud-hosted infrastructure needs careful monitoring. Azure-hosted C2 domains can look less suspicious than newly registered attacker domains, especially when organizations already use cloud services heavily.
The safest response is layered: verify lures, limit execution paths, monitor behavior, and hunt for technique-level activity instead of waiting for known hashes. The campaign’s infrastructure may change, but the use of hijacked .NET startup behavior, DLL sideloading, and cloud-based C2 gives defenders practical detection points.
FAQ
MiniUpdate is a remote access Trojan family linked by Unit 42 to Screening Serpens, an Iran-nexus espionage group. It uses AppDomainManager hijacking, scheduled task persistence, and Azure-hosted command-and-control domains.
Screening Serpens is an Iran-nexus cyberespionage group also tracked as UNC1549, Smoke Sandstorm, and Iranian Dream Job. Unit 42 says the group has been active since at least 2022.
MiniUpdate is delivered through targeted spear-phishing lures, such as fake job application archives or spoofed video conferencing installers. When the victim runs the file, the malware stages payloads, creates persistence, and contacts its C2 domains.
MiniJunk V2 is an upgraded RAT family linked to the same campaign. It uses DLL sideloading, junk-code padding, Azure-hosted C2 domains, and in one U.S. variant, a delayed activation check.
Organizations in aerospace, defense manufacturing, telecommunications, technology, and cloud-related roles face higher risk because Screening Serpens uses tailored recruitment and meeting lures aimed at technical professionals.