Unit 42 researchers detail a series of cyberattack campaigns by the Iranian APT group Screening Serpens (UNC1549/Smoke Sandstorm) conducted between February and April 2026. The group deployed six new RAT variants across two malware families — MiniUpdate and MiniJunk V2 — targeting technology, defense, and aerospace entities in the U.S., Israel, UAE, and other Middle Eastern countries. A key technical evolution is the use of AppDomainManager hijacking, which manipulates .NET application initialization via legitimate configuration files to disable ETW telemetry, bypass strong-name signature validation, and suppress publisher policy redirections — effectively blinding EDR tools before the payload executes. Campaigns relied on highly tailored spear-phishing lures impersonating job portals, video conferencing platforms, and recruitment sites. The RATs support extensive capabilities including arbitrary command execution, DLL injection, file exfiltration with chunked uploads, UAC elevation, and scheduled task persistence.
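The AppDomainManager hijacking described above works through the application's own `.exe.config` file, so the configuration is also where a defender can look for it. The script below is an added example (not Unit 42's code): it parses a .NET Framework application config and flags the `<runtime>` settings the summary names, namely an `appDomainManagerAssembly`/`appDomainManagerType` pair, `etwEnable enabled="false"`, an explicit `bypassTrustedAppStrongNames enabled="true"`, and `publisherPolicy apply="no"`. Those element names are the documented .NET Framework runtime configuration elements; the two sample configs are constructed, with placeholder assembly and type names, and `scan_tree` is a hypothetical helper for walking a directory.

```python
"""Audit .NET Framework application config files for AppDomainManager
redirection and runtime settings that weaken telemetry or signature checks.

Added example, not from the Unit 42 report. Element names follow the
documented <runtime> configuration schema; sample configs are constructed.
"""
import os
import xml.etree.ElementTree as ET

# publisherPolicy lives inside <assemblyBinding> which carries this namespace.
ASM_NS = "{urn:schemas-microsoft-com:asm.v1}"

# Constructed sample: a benign config that only pins the target framework.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

# Constructed sample of the pattern described in the summary; PLACEHOLDER_*
# names stand in for whatever assembly/type an attacker would drop next to
# the host executable.
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="PLACEHOLDER_ASM, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PLACEHOLDER_NS.PLACEHOLDER_TYPE" />
    <etwEnable enabled="false" />
    <bypassTrustedAppStrongNames enabled="true" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <publisherPolicy apply="no" />
    </assemblyBinding>
  </runtime>
</configuration>
"""


def _is_true(value, default):
    """Interpret an XML boolean attribute, falling back to `default` if absent."""
    text = value if value is not None else default
    return text.strip().lower() in ("true", "1", "yes")


def audit_config(xml_text):
    """Return a list of (finding, detail) pairs for one config document."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A config that does not parse still deserves a look.
        return [("unparseable", str(exc))]

    runtime = root.find("runtime")
    if runtime is None:
        return findings  # No <runtime> section: none of these settings apply.

    # 1. AppDomainManager redirection: the CLR loads this assembly/type before
    #    the application's own entry point runs.
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is not None or typ is not None:
        detail = "assembly=%s type=%s" % (
            asm.get("value") if asm is not None else "<unset>",
            typ.get("value") if typ is not None else "<unset>",
        )
        findings.append(("appdomainmanager_set", detail))

    # 2. ETW for CLR events switched off (default is enabled).
    etw = runtime.find("etwEnable")
    if etw is not None and not _is_true(etw.get("enabled"), "true"):
        findings.append(("etw_disabled", "etwEnable enabled=false"))

    # 3. Strong-name bypass stated explicitly. Bypass for full-trust assemblies
    #    is the framework default, so this is informational on its own but
    #    notable next to an AppDomainManager entry.
    bypass = runtime.find("bypassTrustedAppStrongNames")
    if bypass is not None and _is_true(bypass.get("enabled"), "true"):
        findings.append(("strong_name_bypass_explicit",
                         "bypassTrustedAppStrongNames enabled=true"))

    # 4. Publisher policy redirection suppressed for assembly binding.
    for policy in runtime.iter(ASM_NS + "publisherPolicy"):
        if (policy.get("apply") or "yes").strip().lower() == "no":
            findings.append(("publisher_policy_suppressed", "publisherPolicy apply=no"))

    return findings


def verdict(findings):
    """Collapse findings into clean / review / suspicious."""
    kinds = {kind for kind, _ in findings}
    if "appdomainmanager_set" in kinds:
        return "suspicious"
    return "review" if kinds else "clean"


def scan_tree(root_dir):
    """Hypothetical helper: audit every *.exe.config / *.dll.config under root_dir."""
    results = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith((".exe.config", ".dll.config")):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8-sig", errors="replace") as fh:
                    results[path] = audit_config(fh.read())
    return results


if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        found = audit_config(cfg)
        print(label, verdict(found), found)
```

On a host, the useful signal is an `appDomainManagerAssembly` value naming an assembly that does not ship with the application, especially in the same config that also turns off ETW; the other three settings have legitimate uses on their own, which is why `verdict` only escalates to "suspicious" when the AppDomainManager entry is present.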

From unit42.paloaltonetworks.com (27 min read)
Table of contents of the original article: Executive Summary; Screening Serpens Overview; MiniUpdate RAT Analysis; MiniJunk V2 Analysis; Conclusion; Indicators of Compromise; Additional References
