Iranian APT 'Screening Serpens' Deploys New RATs 'MiniUpdate' and 'MiniJunk V2' in Espionage Campaigns

Executive Summary

The Iran-nexus Advanced Persistent Threat (APT) group known as Screening Serpens has launched a new wave of cyber-espionage campaigns, deploying at least six new Remote Access Trojan (RAT) variants. The group, also tracked as Smoke Sandstorm, Iranian Dream Job, and UNC1549, is targeting organizations in the United States, Israel, and the United Arab Emirates. Research from Palo Alto Networks' Unit 42 reveals the development of two new malware families, MiniUpdate and MiniJunk V2. The campaigns leverage highly personalized social engineering lures, often related to job recruitment, to compromise professionals in strategic sectors like defense and aerospace. This activity, which aligns with recent regional conflicts, signals a significant enhancement of the group's technical sophistication and operational tempo.

Threat Overview

Screening Serpens has been active since at least 2022 and has shown a marked increase in activity between February and April 2026. The group's primary tactic is spear-phishing, using tailored social engineering to build trust with targets. They often impersonate trusted brands and hiring platforms, sending fake job documents or archives disguised as installers for popular video conferencing software.

The goal is to deliver their custom malware. The two new families identified are:

• MiniUpdate: This RAT is particularly notable for its use of a .NET technique called AppDomainManager hijacking. This allows the malware to manipulate legitimate .NET applications at startup to disable security mechanisms and inject malicious code.
• MiniJunk V2: This represents an evolution of their existing toolset, likely with improved C2 communication and evasion capabilities.

The campaigns are strategically focused on industries vital to national security and technological advancement, including technology, aerospace, defense, and telecommunications.

Technical Analysis

Screening Serpens combines sophisticated social engineering with advanced technical tradecraft to achieve its objectives.

MITRE ATT&CK Techniques

• T1566.001 - Spearphishing Attachment: The primary delivery vector is emails with malicious attachments disguised as job descriptions or other business documents.
• T1589.002 - Employee Names: The group conducts reconnaissance to identify and target specific professionals within desired sectors, making their lures more convincing.
• T1204.002 - Malicious File: Victims are tricked into opening malicious documents or running fake installers, which initiates the infection chain.
• T1574.012 - AppDomainManager Hijack: The MiniUpdate RAT uses this specific .NET abuse technique for defense evasion and persistence, allowing it to load into the memory of a legitimate process.
• T1059.005 - Visual Basic: Previous campaigns by this actor have involved the use of malicious macros in documents, a common entry point before deploying the main payload.
• T1071.001 - Web Protocols: The RATs likely use standard HTTP/S for command and control (C2) communications to blend in with normal network traffic.

Impact Assessment

The targeted nature of these campaigns poses a significant threat of intellectual property theft and espionage. By compromising professionals in the defense, aerospace, and technology sectors, Screening Serpens could steal sensitive project data, military secrets, and proprietary technology. This stolen information could be used to advance Iran's own domestic military and technology programs or to gain a strategic advantage over its adversaries. The continuous development of new malware variants indicates a well-resourced and persistent threat actor committed to long-term espionage objectives.

IOCs — Directly from Articles

No specific Indicators of Compromise (e.g., file hashes, C2 domains) were mentioned in the source articles.

Cyber Observables — Hunting Hints

Security teams can hunt for activity related to Screening Serpens using the following hints:

Detection & Response

1. Monitor .NET Processes (D3-PA): Use an EDR to closely monitor the behavior of .NET applications. Look for processes that load unexpected DLLs, set suspicious environment variables (COMPLUS_*), or make network connections to unknown domains. AppDomainManager hijacking can be detected by monitoring for these specific artifacts.
2. Email Security: Enhance email security gateways to perform deep attachment analysis and sandboxing. Configure rules to flag or block emails from external sources that contain executable files or password-protected archives, especially those with recruitment themes.
3. Endpoint Logging: Ensure comprehensive logging is enabled for process creation (Event ID 4688), command-line arguments, and registry modifications. This telemetry is crucial for tracing the infection chain from the initial lure to the final payload.
4. Threat Intelligence: Subscribe to threat intelligence feeds from sources like Unit 42 to get the latest IOCs and TTPs associated with Screening Serpens and other regional threat actors.

Mitigation

1. User Training (M1017): Train employees, especially those in high-value roles, to recognize and report sophisticated spear-phishing attempts. Conduct phishing simulations that mimic the TTPs of Screening Serpens, such as fake job offers.
2. Application Control (M1038): Implement application allowlisting to prevent the execution of unauthorized executables and scripts delivered via phishing attachments.
3. Attack Surface Reduction: Disable or restrict scripting languages (e.g., PowerShell, VBScript) and macros for users who do not require them for their job functions.
4. Network Segmentation (M1030): Segment the network to prevent lateral movement. Even if a workstation is compromised, segmentation can contain the breach and prevent the actor from accessing critical servers or data repositories.