"We discovered six new remote access Trojan (RAT) variants developed and deployed between February and April 2026," Unit 42 researchers wrote — a concise finding that frames a coordinated, multi-country espionage campaign attributed to an Iran‑nexus advanced persistent threat group the report calls Screening Serpens.
Six new RAT variants and two distinct malware families
Unit 42’s analysis groups the samples into two families: a newly identified MiniUpdate and an evolved MiniJunk tracked as MiniJunk V2. Across February–April 2026 the actor submitted samples to VirusTotal that indicate use against entities in the U.S., Israel, the United Arab Emirates and at least two other Middle Eastern countries. The MiniUpdate family is driven by an InitInstall.dll loader that stages UpdateChecker.dll, while MiniJunk V2 uses a uevmonitor.dll/unbcl.dll chain and a separate Connection.dll sample submitted on March 27, 2026.
Examples from the report include SHA256 hashes tied to the MiniUpdate campaigns (e.g., 44f4f7aca7f1...4250 for an initial archive and 0db36a04d304...c864 for UpdateChecker.dll) and MiniJunk V2 artifacts such as 9cf029daca89...da84 for uevmonitor.dll and 43dc62cef52e...dcfa for Connection.dll.
AppDomainManager hijacking: weaponizing .NET initialization
Screening Serpens combined traditional DLL sideloading with AppDomainManager hijacking — manipulating the .NET initialization configuration to execute attacker code before the host application’s main entry point. Unit 42 reproduces the specific XML directives used to silence and evade endpoint telemetry: , , and .
Those changes force local assembly probing, skip strong-name validation and disable Event Tracing for Windows (ETW), the researchers note, allowing InitInstall.dll and downstream loaders to run in an effectively unmonitored context and stage the MiniUpdate RAT family without triggering common in‑memory behavioral alerts.
Highly tailored social engineering: job lures, meeting invites and ONLYOFFICE decoys
The campaigns relied on deeply personalized lures aimed at technical professionals. Unit 42 documents multiple vectors: ZIP archives containing falsified job requisitions and a nested Hiring Portal.zip; spoofed video-conferencing meeting pages that delivered payloads by redirecting downloads to a third‑party file-sharing URL; and ONLYOFFICE DocSpace archives used as delivery points.
Specific examples include a meeting lure URL (hxxps[:]//app[redacted][.]live/meeting/edcdba624ddb43c2a1dcf334aa493068) that led victims to a cloned frontend triggering a malicious archive at hxxps[:]//2117.filemail[.]com/api/file/get?filekey=…; and ONLYOFFICE-hosted archives such as hxxps[:]//docspace-y4cumb.onlyoffice[.]com/.../content.zip used in the Portable platform.zip lure.
Timeline and geographic footprint tied to a regional conflict
Unit 42 maps a surge of coordinated activity to the regional conflict that began Feb. 28, 2026. The timeline in the report shows early indicators in mid‑February, a VirusTotal upload on Feb. 17 for a Middle Eastern target, March 26–27 submissions tied to potential U.S. and Israeli targets, and April 15–17 samples linked to the UAE and another Middle Eastern entity. The researchers say Screening Serpens maintained a high operational tempo through March and April 2026.
The actor employed target‑specific domain rotations and per‑target command‑and‑control (C2) sets — for example, MiniUpdate variants rotated to domains impersonating a health‑sector entity (PremierHealthAdvisory[.]com and Azure-hosted variants) and a financial decoy (Ramiltonsfinance[.]com and Azure variants). Other C2 clusters include buisness-centeral.azurewebsites[.]net and NanoMatrix.azurewebsites[.]net.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: Unit 42 recommends treating DLL sideloading and AppDomainManager hijacking as high‑risk behaviors. The report notes detection and prevention benefits from Advanced WildFire, Advanced URL Filtering and Cortex XDR; it also cites Cortex Cloud and Cortex AgentiX as tools that assisted investigation and protection in their environment.
- Policymakers and incident responders: The attribution and timeline — including submissions to VirusTotal and cross‑border targeting across the U.S., Israel, the UAE and other Middle Eastern entities — underline the transnational character of the campaigns and the observable link to the regional conflict beginning Feb. 28, 2026, which the report uses to explain the surge in operations.
- Affected enterprises and procurement leaders: The attackers’ use of stolen or impersonated digital signatures and brand impersonation (global air carrier, video-conferencing vendor, health and finance brands) argues for tightened controls over supply chain validation, application whitelisting, and forensics on signed binaries that suddenly load unsigned modules.
Unit 42’s record shows a group that refined a known sideloading playbook and fused it with .NET configuration‑level evasion to preempt typical endpoint telemetry. The tools and timelines they document — two malware families, six new RAT variants, domain rotations and date‑gated payloads — leave little doubt the actor has adapted to operate at scale. Defenders now face the specific technical challenge of detecting trusted processes that have been hollowed out by legitimate‑appearing .config directives; the report’s practical verdict is blunt: ensure EDRs spot sideloading and AppDomainManager hijacking and treat those executions as immediate, high‑risk incidents.
Original report: https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/




