A sophisticated espionage campaign linked to Iranian hackers is causing concern among technology professionals in the United States, Israel, and the United Arab Emirates. The cyber attackers employ remote access trojans (RATs) delivered via deceptive job recruitment and software installer lures.
Espionage Campaign Tactics
The hacking group, identified as Screening Serpens, is known for its strategic use of RATs in targeted attacks. The group has been active since at least 2022 and has recently expanded its operations beyond the Middle Eastern region. Their latest campaign began in mid-February 2026, coinciding with regional conflicts, and has seen continued activity through mid-April.
Screening Serpens, also referred to as UNC1549, Smoke Sandstorm, and Iranian Dream Job, has introduced six new RAT variants. These are categorized into two families: the new MiniUpdate and the enhanced MiniJunk V2. Unit 42 researchers have linked these malware variants to Screening Serpens with moderate to high confidence.
Technical Insights into MiniUpdate RAT
The MiniUpdate RAT, known for its advanced features, employs AppDomainManager hijacking to bypass security measures. By manipulating a legitimate configuration file, the malware disables key security features of the .NET runtime. This tactic blinds standard security tools, allowing the RAT to operate unnoticed.
MiniUpdate uses Azure-hosted command and control (C2) domains, creating scheduled tasks to maintain persistence through system reboots. This sophisticated approach makes detection challenging, as the malware’s C2 traffic is routed through various Azure domains, obscuring its infrastructure.
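The AppDomainManager hijack described above works through the .NET runtime's own configuration file, so a defender can audit those files directly. The script below is an added example (not Unit 42 research code and not from the campaign); it parses `.exe.config` files for the real `<runtime>` elements that redirect the AppDomainManager or switch off ETW tracing, and the sample config it ships with is constructed for illustration.

```python
"""Audit .NET .exe.config files for AppDomainManager hijacking indicators."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Real .NET <runtime> elements: these two redirect which assembly/type the
# runtime loads as the AppDomainManager; etwEnable controls ETW tracing.
HIJACK_ELEMENTS = {"appDomainManagerAssembly", "appDomainManagerType"}
ETW_ELEMENT = "etwEnable"


def scan_config_text(xml_text: str) -> list[str]:
    """Return findings for one config document (empty list when clean)."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable config: {exc}"]
    runtime = root.find("runtime")
    if runtime is None:
        return findings
    for child in runtime:
        tag = child.tag.split("}")[-1]  # drop any XML namespace prefix
        if tag in HIJACK_ELEMENTS:
            findings.append(f"{tag}={child.get('value')!r}")
        elif tag == ETW_ELEMENT and (child.get("enabled") or "").lower() == "false":
            findings.append("etwEnable disabled (ETW tracing off)")
    return findings


def scan_directory(path: Path) -> dict[str, list[str]]:
    """Scan every *.exe.config under path; return {file: findings} for hits only."""
    hits = {}
    for cfg in path.rglob("*.exe.config"):
        findings = scan_config_text(cfg.read_text(encoding="utf-8", errors="replace"))
        if findings:
            hits[str(cfg)] = findings
    return hits


# Constructed sample (hypothetical names): redirects the AppDomainManager
# to an attacker-chosen assembly and disables ETW in one config file.
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral" />
    <appDomainManagerType value="UpdateHelper.Manager" />
    <etwEnable enabled="false" />
  </runtime>
</configuration>"""

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_directory(target) if target else {"<sample>": scan_config_text(SUSPICIOUS_CONFIG)}
    for file, findings in results.items():
        print(file, "->", "; ".join(findings))
```

Run it with a directory argument to sweep installed applications; a legitimate product may set these elements, so each hit needs a check of whether the referenced assembly belongs to that product.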
MiniJunk V2: Concealed Backdoor Techniques
The MiniJunk V2 family employs different methods to evade detection. It inflates its file size with junk code strings so that the binary exceeds the file-size limits of some security scanners. This padding also complicates manual analysis, making it harder for cybersecurity professionals to dissect the malware.
MiniJunk V2 uses dual DLL sideloading to deploy its payload, connecting to Azure-hosted servers disguised as legitimate Windows services. Its U.S. campaign variant incorporates a time-based activation mechanism that delays malicious execution until a specified date, which hampers early detection.
Security experts advise organizations in technology, defense, and telecommunications to enhance their endpoint detection systems to flag suspicious behaviors, such as DLL sideloading and AppDomainManager hijacking. Treating unsolicited job offers or unexpected software updates with caution is crucial, as these remain the primary delivery methods for these attacks.
