MiniUpdate RAT Uses Azure-Hosted C2 Domains for Targeted Espionage Campaigns

Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.


A new wave of targeted espionage attacks has put technology professionals across the United States, Israel, and the United Arab Emirates on high alert.

The threat comes from an Iran-linked hacking group deploying two families of remote access trojans through cleverly disguised recruitment lures and fake software installers.

The campaign began as early as mid-February 2026 and continued expanding, with fresh samples appearing as recently as mid-April. Researchers believe the surge closely follows a Middle East regional conflict that started on February 28, 2026.

The group behind these intrusions is tracked as Screening Serpens, also known by the aliases UNC1549, Smoke Sandstorm, and Iranian Dream Job.

It has been active since at least 2022 and historically focused on Middle Eastern targets before expanding into Western Europe in late 2025. Six newly discovered RAT variants have been grouped into two malware families: a new one called MiniUpdate, and an upgraded tool called MiniJunk V2.

Analysts at Unit 42 identified these variants and assessed with moderate-high confidence that Screening Serpens is behind the operation.

Unit 42 said in a report shared with Cyber Security News (CSN) that both families are delivered through spear-phishing lures impersonating trusted brands and hiring platforms.

Victims receive fake job applications or spoofed meeting invitations crafted to pass as genuine. Once a target opens the malicious archive and runs the included file, the infection chain starts in the background while the victim sees only the expected decoy: a job document, an installer progress screen or an error message.

MiniUpdate RAT Uses Azure-Hosted C2 Domains

The MiniUpdate RAT is the more technically advanced of the two families and relies on a technique called AppDomainManager hijacking.

The technique abuses the application configuration file (the .exe.config) that the .NET runtime reads when a managed executable starts. By adding runtime settings to that file, the attacker makes the CLR load an attacker-supplied assembly as the application's AppDomainManager, so the malicious code runs inside a trusted host process before the application's own entry point executes. The same file switches off runtime security features, so by the time the payload is active the process is already blind to standard security monitoring.

The configuration disables Event Tracing for Windows (ETW), the telemetry channel that security products use to observe .NET assembly loads and other runtime activity, and turns off the runtime's digital-signature (Authenticode) verification of loaded assemblies.
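A scanner for the configuration side of this technique, added here as an example rather than Unit 42 code. The article does not reproduce MiniUpdate's actual config file, so the "malicious" sample below is constructed from the technique as described, and the assembly and type names in it are hypothetical. The checks key on documented .NET Framework <runtime> settings: appDomainManagerAssembly and appDomainManagerType (the CLR instantiates the named type as the AppDomainManager before the host's Main runs), etwEnable (the CLR's ETW provider) and generatePublisherEvidence (Authenticode verification of loaded assemblies).

```python
"""
Scan .NET application configuration files (host.exe.config) for
AppDomainManager-hijack settings. Added example, not Unit 42 code; the
MALICIOUS_CONFIG below is constructed from the technique, not copied from
a MiniUpdate sample, and its assembly/type names are hypothetical.
"""
import os
import xml.etree.ElementTree as ET

# Constructed hijacked config. Legitimate software almost never sets an
# AppDomainManager this way, so the first finding alone is high severity.
MALICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <etwEnable enabled="false" />
    <generatePublisherEvidence enabled="false" />
    <appDomainManagerAssembly value="HijackAsm, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="HijackAsm.Manager" />
  </runtime>
</configuration>
"""

# Constructed benign config: only an assembly binding redirect.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""


def _disabled(elem):
    """True when a <runtime> switch element is present with enabled="false"."""
    return elem is not None and elem.get("enabled", "").lower() == "false"


def scan_config(xml_text):
    """Return a list of findings for one .exe.config document (empty list = clean)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable config: {exc}"]
    runtime = root.find("runtime")
    if runtime is None:
        return []
    findings = []
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is not None or typ is not None:
        findings.append(
            "AppDomainManager override: assembly=%r type=%r"
            % (asm.get("value") if asm is not None else None,
               typ.get("value") if typ is not None else None))
    if _disabled(runtime.find("etwEnable")):
        findings.append("CLR ETW provider disabled (etwEnable=false)")
    if _disabled(runtime.find("generatePublisherEvidence")):
        findings.append("Authenticode publisher evidence disabled (generatePublisherEvidence=false)")
    return findings


def scan_tree(root_dir):
    """Walk a directory tree; return {path: findings} for every *.exe.config that is not clean."""
    results = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".exe.config"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    findings = scan_config(fh.read())
                if findings:
                    results[path] = findings
    return results


if __name__ == "__main__":
    for label, cfg in (("constructed hijack config", MALICIOUS_CONFIG),
                       ("benign config", BENIGN_CONFIG)):
        print(label, "->", scan_config(cfg) or ["clean"])
```

Point scan_tree at user-writable locations (Downloads, Temp, AppData) where a lure drops a signed .NET executable next to its .config. The same override can also be supplied through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, which a file scan cannot see, so pair it with inspection of process environments.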

For persistence, the malware registers a scheduled task that runs daily at 09:30 local time, so it survives reboots. Command-and-control traffic goes to Azure-hosted (azurewebsites.net) domains, with a distinct domain assigned to each target, so the exposure of one domain does not reveal the infrastructure used against other victims.

Contents of the archive (Source – Unit42)

The March U.S. campaign delivered the RAT inside an archive disguised as airline recruitment materials, complete with fake job descriptions for senior technical roles.

Spoofed Hiring Portal error window (Source – Unit42)

The Israel campaign that same month used an archive impersonating a video conferencing installer, with a spoofed loading screen shown to the user while the malware silently deployed behind the scenes.

MiniJunk V2: Obfuscated Backdoor Targeting Tech and Defense

The MiniJunk V2 family, first spotted on February 17, 2026, takes a different approach to staying hidden. It pads its binary to around 12 MB by embedding thousands of meaningless code fragments from languages such as Java and Python, pushing the file past the size limits beyond which some automated scanners and sandboxes skip or truncate analysis.

This also floods analysis software with irrelevant data, making manual investigation significantly harder.

The malware uses two layers of DLL sideloading to deploy its payload and connects to five Azure-hosted command servers whose names are designed to resemble legitimate Windows service processes.

MiniJunk V2 malware flow (Source – Unit42)

The March U.S. variant includes a hard-coded date check that keeps the RAT dormant until March 27, 2026, at 13:30 UTC, so a sandbox that detonated the sample before that time would observe no malicious behaviour.

A fake “Meeting Room” window is shown to the victim to keep attention away from what is running in the background.

Security teams are advised to configure endpoint detection tools to flag DLL sideloading and AppDomainManager hijacking as high-risk behaviors, rather than relying solely on known file signatures.

Monitoring for trusted (signed) binaries that load unsigned or unexpected modules, especially from user-writable directories, adds an important detection layer against this type of attack.

Organizations in aerospace, defense, telecommunications, and technology should treat unsolicited job-related archives or unexpected software update prompts with strong suspicion, as these remain the group’s preferred entry points.

Indicators of Compromise (IoCs):

Type | Indicator | Description
Domain | licencemanagers.azurewebsites[.]net | MiniJunk V2 C2 domain
Domain | LicenceSupporting.azurewebsites[.]net | MiniJunk V2 C2 domain
Domain | PeerDistSvcManagers.azurewebsites[.]net | MiniJunk V2 C2 domain
Domain | ThemesManagers.azurewebsites[.]net | MiniJunk V2 C2 domain
Domain | ThemesProviderManagers.azurewebsites[.]net | MiniJunk V2 C2 domain
Domain | NanoMatrix.azurewebsites[.]net | MiniJunk V2 US Campaign C2
Domain | QuantumWeave.azurewebsites[.]net | MiniJunk V2 US Campaign C2
Domain | ElementShift.azurewebsites[.]net | MiniJunk V2 US Campaign C2
Domain | buisness-centeral.azurewebsites[.]net | MiniUpdate C2 domain
Domain | buisness-centeral-transportation.azurewebsites[.]net | MiniUpdate C2 domain
Domain | Buisness-centeral-transportation[.]com | MiniUpdate C2 domain
Domain | PremierHealthAdvisory[.]com | MiniUpdate UAE Campaign C2
Domain | PremierHealthAdvisory.azurewebsites[.]net | MiniUpdate UAE Campaign C2
Domain | Premier-HealthAdvisory.azurewebsites[.]net | MiniUpdate UAE Campaign C2
Domain | Ramiltonsfinance[.]com | MiniUpdate Middle East Campaign C2
Domain | Ramiltonsfinance.azurewebsites[.]net | MiniUpdate Middle East Campaign C2
Domain | Ramiltons-finance.azurewebsites[.]net | MiniUpdate Middle East Campaign C2
Domain | business-startup[.]org | Screening Serpens infrastructure
Domain | business-startup.azurewebsites[.]net | Screening Serpens infrastructure
Domain | docspace-y4cumb.onlyoffice[.]com | Payload delivery host (ONLYOFFICE)
Domain | docspace-twpf0e.onlyoffice[.]com | Payload delivery host (ONLYOFFICE)
URL | hxxps[:]//docspace-y4cumb.onlyoffice[.]com/storage/files/root/folder_3602000/file_3601577/v1/content.zip | MiniJunk V2 payload delivery URL
URL | hxxps[:]//docspace-twpf0e.onlyoffice[.]com/storage/files/root/folder_3765000/file_3764519/v1/content.zip | MiniJunk V2 US campaign delivery URL
URL | hxxps[:]//2117.filemail[.]com/api/file/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm | MiniUpdate Israel campaign payload URL
SHA256 | 44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250 | MiniUpdate US campaign – initial archive
SHA256 | 332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17 | MiniUpdate US campaign – Hiring Portal.zip
SHA256 | 0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864 | MiniUpdate US campaign – UpdateChecker.dll
SHA256 | 38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d | MiniUpdate Israel campaign – initial archive
SHA256 | d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2 | MiniUpdate Israel campaign – UpdateChecker.dll
SHA256 | bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad | MiniUpdate UAE/Middle East – UpdateChecker.dll
SHA256 | 74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27 | MiniUpdate Middle East campaign
SHA256 | 9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84 | MiniJunk V2 Middle East – uevmonitor.dll
SHA256 | b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4 | MiniJunk V2 Middle East – unbcl.dll
SHA256 | 8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b | MiniJunk V2 US campaign – Portable Platform.zip
SHA256 | 43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa | MiniJunk V2 US campaign – Connection.dll
SHA256 | 9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1 | MiniJunk V2 US campaign – unbcl.dll
File Name | UpdateChecker.dll | MiniUpdate RAT core payload
File Name | uevmonitor.dll | MiniJunk V2 primary loader DLL
File Name | Connection.dll | MiniJunk V2 US campaign RAT payload
File Name | Hiring Portal.zip | Lure archive used in US/Israel campaigns
File Name | Portable platform.zip | Lure archive used in US MiniJunk V2 campaign

Note: domains and URLs are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
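A small, offline way to put the list above to work, added here as an example and not Unit 42 tooling: it refangs the published indicators, extracts host names from the URL entries, and matches DNS query logs against them. The indicator lines are a subset copied from the table as published; the DNS log lines are constructed. Matching is on the full host name or a subdomain of an indicator, never on a shared parent such as azurewebsites.net or onlyoffice.com, which host countless legitimate sites.

```python
"""
Refang the article's IoCs and match them against DNS logs. Added example,
not Unit 42 code. RAW_IOCS is a subset of the published list; DNS_LOG is
constructed.
"""
import re
from urllib.parse import urlsplit

RAW_IOCS = """\
Domain licencemanagers.azurewebsites[.]net MiniJunk V2 C2 domain
Domain PeerDistSvcManagers.azurewebsites[.]net MiniJunk V2 C2 domain
Domain buisness-centeral.azurewebsites[.]net MiniUpdate C2 domain
Domain Buisness-centeral-transportation[.]com MiniUpdate C2 domain
Domain PremierHealthAdvisory[.]com MiniUpdate UAE Campaign C2
URL hxxps[:]//docspace-y4cumb.onlyoffice[.]com/storage/files/root/folder_3602000/file_3601577/v1/content.zip MiniJunk V2 payload delivery URL
SHA256 74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27 MiniUpdate Middle East campaign
"""

# Constructed DNS client log: timestamp, workstation, queried name, record type.
DNS_LOG = """\
2026-03-12T09:30:04Z ws-17 buisness-centeral.azurewebsites.net A
2026-03-12T09:30:05Z ws-17 login.microsoftonline.com A
2026-03-12T09:31:40Z ws-22 api.PremierHealthAdvisory.com A
2026-03-12T09:32:01Z ws-22 myapp.azurewebsites.net A
2026-03-12T09:35:12Z ws-09 docspace-y4cumb.onlyoffice.com A
2026-03-12T09:36:00Z ws-09 notPremierHealthAdvisory.com A
"""

# Only these three row types have a whitespace-free indicator; "File Name"
# rows (e.g. "Hiring Portal.zip") need a different split and are left out.
_IOC_LINE = re.compile(r"^(Domain|URL|SHA256)\s+(\S+)\s+(.*)$")


def refang(s):
    """Reverse the [.] / [:] / hxxp defanging used in the table."""
    return s.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_iocs(text):
    """Return {"domains": {host: description}, "hashes": {sha256: description}}."""
    domains, hashes = {}, {}
    for line in text.splitlines():
        m = _IOC_LINE.match(line.strip())
        if not m:
            continue
        kind, value, desc = m.groups()
        value = refang(value)
        if kind == "Domain":
            domains[value.lower()] = desc
        elif kind == "URL":
            host = urlsplit(value).hostname
            if host:
                domains[host.lower()] = desc
        elif kind == "SHA256":
            hashes[value.lower()] = desc
    return {"domains": domains, "hashes": hashes}


def lookup_domain(name, domains):
    """Exact or subdomain match on label boundaries; returns (ioc, description) or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate, domains[candidate]
    return None


def match_dns(log_text, domains):
    """Return (timestamp, workstation, queried_name, matched_ioc, description) per hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, ws, qname = parts[0], parts[1], parts[2]
        found = lookup_domain(qname, domains)
        if found:
            hits.append((ts, ws, qname, found[0], found[1]))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(RAW_IOCS)
    for hit in match_dns(DNS_LOG, iocs["domains"]):
        print(*hit, sep=" | ")
```

The hashes dictionary is kept separate so the same parser feeds EDR hash sweeps; the onlyoffice.com and filemail.com hosts are legitimate file-sharing services used for delivery, so treat those matches as download events to pivot on rather than as beaconing.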
