Iranian Hackers Evade Detection with .NET Hijacking

Iranian hackers have advanced their cyber-espionage tactics, employing a complex .NET hijacking strategy to bypass security systems. This technique has been used to infiltrate organizations in the United States, Israel, and the United Arab Emirates.

Intensified Campaign Linked to Regional Conflict

Following a regional conflict that commenced on February 28, 2026, an Iran-associated advanced persistent threat group has been aggressively targeting several countries. Known by names such as Screening Serpens, UNC1549, and Smoke Sandstorm, this group has been active since 2022. Initially focused on the Middle East, they have since extended their reach to Western Europe, particularly targeting high-value sectors like aerospace, defense, and telecommunications.

New Malware Variants Identified

Security researchers from Unit 42 have identified six new remote access Trojan (RAT) variants, categorized into two malware families: MiniUpdate and MiniJunk V2. These campaigns correlate with the timeline of the conflict, targeting the U.S. and Israel in late March, followed by the UAE and other Middle Eastern countries in mid-April 2026.

The infection typically begins with spear phishing, where victims are lured by what appear to be legitimate recruitment or video conferencing applications. Once the victim interacts with these files, a silent multi-stage infection chain grants attackers complete control over the compromised systems.

AppDomainManager Hijacking Technique

A significant innovation in this campaign is the use of AppDomainManager hijacking, where attackers modify legitimate configuration files during the initialization phase of .NET applications. This allows malicious code to execute early, often escaping detection by most security tools.

By inserting specific XML lines into the application’s configuration file, attackers disable critical security features such as Event Tracing for Windows (ETW). This method also circumvents strong-name signature validation, allowing unsigned DLL files to load without triggering alarms.

This approach is considered a sophisticated ‘living-off-the-land’ technique, as it relies on legitimate system components to disable defenses, enabling the payload to execute in an unmonitored environment.

Both the MiniUpdate and MiniJunk V2 families utilize social engineering tactics, such as fake job description documents and spoofed meeting invitations. These files are designed to appear authentic, fooling victims into executing the malicious content.

Security experts recommend enhancing EDR platforms to detect behaviors associated with DLL sideloading and AppDomainManager hijacking. Organizations in vulnerable sectors should remain vigilant against unsolicited job offers and meeting invites.

For more in-depth cybersecurity updates, follow us on Google News, LinkedIn, and X, and set CSN as your preferred news source.