Iranian Hackers Abuse AppDomainManager Hijacking to Evade EDR Detection

Cybersecurity News (original source: cybersecuritynews.com, by Blog Writer)


Iranian hackers have taken their cyberespionage playbook to a new level, deploying a sophisticated .NET hijacking technique to slip past endpoint defenses and target organizations across the United States, Israel, and the United Arab Emirates.

The campaign, attributed to an Iran-linked advanced persistent threat group operating under several known aliases, intensified following a regional conflict that began on February 28, 2026.

Security researchers have been tracking a rapid surge in activity that shows no signs of stopping.

Historically focused on Middle Eastern targets, the group expanded into Western Europe in late 2025. Their preferred targets sit inside high-value sectors including aerospace, defense manufacturing, and telecommunications.

They reach victims through personalized social engineering, using fake job listings and spoofed meeting invitations to lure professionals into downloading malicious files.

Unit 42 researchers identified six new remote access Trojan (RAT) variants deployed between February and April 2026, grouped into two distinct malware families named MiniUpdate and MiniJunk V2.

Unit 42 said in a report shared with Cyber Security News (CSN) that the campaigns align closely with the conflict timeline, with coordinated attacks hitting entities in the U.S. and Israel in late March, followed by targets in the UAE and another Middle Eastern country in mid-April 2026.

Both malware families begin their infection chains through spear phishing. Victims receive what appears to be a recruitment portal or a video conferencing app installer.

Contents of the archive (Source – Unit42)

Once they interact with the file, a silent multi-stage infection chain kicks off in the background, and the attacker quietly gains full control over the compromised machine.

AppDomainManager Hijacking

The most significant technical leap in this campaign is the use of a technique called AppDomainManager hijacking.

This method targets the initialization phase of .NET applications by modifying a legitimate configuration file, allowing malicious code to run before the host application even finishes loading. Since this happens so early, most security tools do not get a chance to detect it.

By adding a few targeted XML lines to the application’s config file, attackers instruct the .NET runtime to disable its own security features.

They turn off Event Tracing for Windows (ETW), the primary data source that modern endpoint detection and response (EDR) platforms rely on to monitor .NET activity.

A fake job description document, designed by the attacker to impersonate a global air carrier company (Source – Unit42)

They also bypass strong-name signature validation, ensuring that unsigned DLL files load without triggering security exceptions.

This approach is described as a mature living-off-the-land technique because it requires no complex shellcode or memory patching.

The attacker simply asks the system to turn off its own defenses using a file that looks entirely legitimate. The result is a payload running in a completely unmonitored, highly privileged environment with no alerts raised.
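A defender-side check for the configuration changes described above, and for the later recommendation to flag AppDomainManager hijacking rather than rely on signatures. This is an added example, not code from Unit 42 or the article; it looks for the documented .NET Framework runtime-section elements that select a custom AppDomainManager, disable ETW, or bypass strong-name validation. The sample config is constructed here for illustration, and the assembly and type names in it are placeholders.

```python
"""Scan .NET application config files for AppDomainManager-hijacking markers."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Documented <runtime> elements that, in combination, match the technique:
# an attacker-chosen AppDomainManager plus switches that weaken the runtime.
RISKY_RUNTIME_ELEMENTS = {
    "appDomainManagerAssembly": "runtime loads a caller-chosen assembly before Main()",
    "appDomainManagerType": "caller-chosen type runs at AppDomain initialization",
    "etwEnable": "ETW tracing disabled (blinds EDR .NET telemetry)",
    "bypassTrustedAppStrongNames": "strong-name signature validation bypassed",
}

def scan_config_text(xml_text: str) -> list[str]:
    """Return a list of findings for one config file's contents."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable config: {exc}"]
    runtime = root.find("runtime")
    if runtime is None:
        return []
    findings = []
    for child in runtime:
        tag = child.tag.split("}")[-1]  # strip any namespace prefix
        if tag not in RISKY_RUNTIME_ELEMENTS:
            continue
        enabled = child.get("enabled")
        # The two switches are only suspicious in their weakening state.
        if tag == "etwEnable" and enabled != "false":
            continue
        if tag == "bypassTrustedAppStrongNames" and enabled != "true":
            continue
        findings.append(f"{tag}: {RISKY_RUNTIME_ELEMENTS[tag]} {dict(child.attrib)}")
    return findings

def scan_directory(root_dir: str) -> dict[str, list[str]]:
    """Walk a tree and scan every *.exe.config / *.dll.config beside a binary."""
    results = {}
    for path in Path(root_dir).rglob("*.config"):
        if path.name.endswith((".exe.config", ".dll.config")):
            findings = scan_config_text(path.read_text(encoding="utf-8", errors="replace"))
            if findings:
                results[str(path)] = findings
    return results

# Constructed sample (placeholder names, not from the report) showing the pattern.
SAMPLE_CONFIG = """<configuration><runtime>
  <appDomainManagerAssembly value="LoaderAsm" />
  <appDomainManagerType value="LoaderAsm.Manager" />
  <etwEnable enabled="false" />
  <bypassTrustedAppStrongNames enabled="true" />
</runtime></configuration>"""

if __name__ == "__main__":
    for finding in scan_config_text(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Point `scan_directory` at Program Files or a user profile on a suspect host; any hit on a signed application's config deserves the high-risk treatment the researchers recommend.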

The MiniUpdate family was delivered through archives impersonating a global airline and a popular video conferencing platform.

One archive contained six fake job description PDFs with believable job IDs and titles such as Senior Software Engineer, targeting IT and engineering professionals.

A nested payload inside a file named Hiring Portal.zip launched a fake error window while the malware quietly installed itself.

Task Scheduler window showing the associated scheduled task (Source – Unit42)

For persistence, the malware used Windows Task Scheduler, creating a daily trigger at 09:30 local time. The MiniJunk V2 family used an older configuration method but added heavy code obfuscation and file size inflation to bypass automated scanning limits.

Command-and-control traffic was routed through Azure-hosted domains that mimicked legitimate Windows service names, making network-level detection significantly harder.

Researchers recommend that defenders tune EDR platforms specifically to flag DLL sideloading and AppDomainManager hijacking behaviors, rather than relying solely on signature-based detection.

MiniUpdate malware flow (Source – Unit42)

Treating trusted, signed binaries that load unsigned modules as high-risk will help security teams catch these attacks much earlier. Organizations in aerospace, defense, and technology should stay alert to fake job offers or meeting invitations arriving through unofficial channels.

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
