{"id":13129,"date":"2026-05-25T10:03:43","date_gmt":"2026-05-25T10:03:43","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/25\/miniupdate-rat-uses-azure-hosted-c2-domains-for-targeted-espionage-campaigns\/"},"modified":"2026-05-25T10:03:43","modified_gmt":"2026-05-25T10:03:43","slug":"miniupdate-rat-uses-azure-hosted-c2-domains-for-targeted-espionage-campaigns","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/25\/miniupdate-rat-uses-azure-hosted-c2-domains-for-targeted-espionage-campaigns\/","title":{"rendered":"MiniUpdate RAT Uses Azure-Hosted C2 Domains for Targeted Espionage Campaigns"},"content":{"rendered":"

MiniUpdate RAT Uses Azure-Hosted C2 Domains for Targeted Espionage Campaigns
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A new wave of targeted espionage attacks has put technology professionals across the United States, Israel, and the United Arab Emirates on high alert. <\/p>\n

The threat comes from an Iran-linked hacking group deploying two families of remote access trojans through cleverly disguised recruitment lures and fake software installers. <\/p>\n

The campaign began as early as mid-February 2026 and continued expanding, with fresh samples appearing as recently as mid-April. Researchers believe the surge closely follows a Middle East regional conflict that started on February 28, 2026.<\/a><\/p>\n

The group behind these intrusions is tracked as Screening Serpens, also known by the aliases UNC1549, Smoke Sandstorm, and Iranian Dream Job. <\/p>\n

It has been active since at least 2022 and historically focused on Middle Eastern targets before expanding into Western Europe in late 2025. Six newly discovered RAT variants have been grouped into two malware families: a new one called MiniUpdate, and an upgraded tool called MiniJunk V2. <\/p>\n

Analysts at Unit 42 identified these variants and assessed with moderate-high confidence that Screening Serpens is behind the operation.<\/a><\/p>\n

Unit 42\u00a0said in a report<\/a> shared with Cyber Security News (CSN) that both families are delivered through spear-phishing lures impersonating trusted brands and hiring platforms. <\/p>\n

Victims receive fake job applications or spoofed meeting invitations<\/a> crafted to look completely genuine. Once a target opens the malicious archive and runs the included file, the infection chain quietly begins while the victim sees nothing unusual on screen.<\/a><\/p>\n

MiniUpdate RAT Uses Azure-Hosted C2 Domains<\/strong><\/h2>\n

The MiniUpdate RAT is the more technically advanced of the two families and uses a technique called AppDomainManager hijacking. <\/p>\n

By altering a legitimate configuration file, the malware instructs the .NET runtime to disable its own security features before the host application fully loads. The result is a payload running in an environment where standard security monitoring tools are already blinded.<\/a><\/p>\n

The configuration disables Event Tracing for Windows, a key telemetry source that security software uses to detect suspicious behavior, and also bypasses digital signature checks. <\/p>\n

The malware creates a scheduled task that fires daily at 09:30 local time, keeping it alive through system reboots. Command and control traffic routes through Azure-hosted domains<\/a> assigned to each specific target, preventing any single detection point from exposing the broader infrastructure.<\/p>\n

\n
\"Contents
Contents of the archive (Source \u2013 Unit42)<\/figcaption><\/figure>\n<\/div>\n

The March U.S. campaign delivered the RAT inside an archive disguised as airline recruitment materials, complete with fake job descriptions for senior technical roles. <\/p>\n

\n
\"Spoofed
Spoofed Hiring Portal error window (Source \u2013 Unit42)<\/figcaption><\/figure>\n<\/div>\n

The Israel campaign that same month used an archive impersonating a video conferencing installer<\/a>, with a spoofed loading screen shown to the user while the malware silently deployed behind the scenes.<\/a><\/p>\n

MiniJunk V2: Obfuscated Backdoor Targeting Tech and Defense<\/strong><\/h2>\n

The MiniJunk V2 family, first spotted on February 17, 2026, takes a different approach to staying hidden. It inflates its file size to around 12 megabytes by embedding thousands of meaningless code strings from languages like Java and Python, pushing the file past the scanning limits of certain automated security tools. <\/p>\n

This also floods analysis software with irrelevant data, making manual investigation significantly harder.<\/a><\/p>\n

The malware uses two layers of DLL sideloading to deploy its payload and connects to five Azure-hosted command servers whose names are designed to resemble legitimate Windows service processes. <\/p>\n

\n
\"MiniJunk
MiniJunk V2 malware flow (Source \u2013 Unit42)<\/figcaption><\/figure>\n<\/div>\n

The March U.S. variant includes a hard-coded date check that prevents the RAT from activating before March 27, 2026, at 13:30 UTC, making early sandbox analysis nearly useless. <\/p>\n

A fake \u201cMeeting Room\u201d window is shown to the victim to keep attention away from what is running in the background.<\/a><\/p>\n

Security teams are advised to configure endpoint detection tools to flag DLL sideloading<\/a> and AppDomainManager hijacking as high-risk behaviors, rather than relying solely on known file signatures. <\/p>\n

Monitoring for trusted binaries that load unsigned or unrecognized modules adds an important detection layer against this type of attack. <\/p>\n

Organizations in aerospace, defense, telecommunications, and technology should treat unsolicited job-related archives or unexpected software update prompts with strong suspicion, as these remain the group\u2019s preferred entry points.<\/a><\/p>\n

Indicators of Compromise (IoCs):-<\/strong><\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Type<\/th>\nIndicator<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
Domain<\/td>\nlicencemanagers.azurewebsites[.]net<\/td>\nMiniJunk V2 C2 domain<\/td>\n<\/tr>\n
Domain<\/td>\nLicenceSupporting.azurewebsites[.]net<\/td>\nMiniJunk V2 C2 domain<\/td>\n<\/tr>\n
Domain<\/td>\nPeerDistSvcManagers.azurewebsites[.]net<\/td>\nMiniJunk V2 C2 domain<\/td>\n<\/tr>\n
Domain<\/td>\nThemesManagers.azurewebsites[.]net<\/td>\nMiniJunk V2 C2 domain<\/td>\n<\/tr>\n
Domain<\/td>\nThemesProviderManagers.azurewebsites[.]net<\/td>\nMiniJunk V2 C2 domain<\/td>\n<\/tr>\n
Domain<\/td>\nNanoMatrix.azurewebsites[.]net<\/td>\nMiniJunk V2 US Campaign C2<\/td>\n<\/tr>\n
Domain<\/td>\nQuantumWeave.azurewebsites[.]net<\/td>\nMiniJunk V2 US Campaign C2<\/td>\n<\/tr>\n
Domain<\/td>\nElementShift.azurewebsites[.]net<\/td>\nMiniJunk V2 US Campaign C2<\/td>\n<\/tr>\n
Domain<\/td>\nbuisness-centeral.azurewebsites[.]net<\/td>\nMiniUpdate C2 domain<\/td>\n<\/tr>\n
Domain<\/td>\nbuisness-centeral-transportation.azurewebsites[.]net<\/td>\nMiniUpdate C2 domain<\/td>\n<\/tr>\n
Domain<\/td>\nBuisness-centeral-transportation[.]com<\/td>\nMiniUpdate C2 domain<\/td>\n<\/tr>\n
Domain<\/td>\nPremierHealthAdvisory[.]com<\/td>\nMiniUpdate UAE Campaign C2<\/td>\n<\/tr>\n
Domain<\/td>\nPremierHealthAdvisory.azurewebsites[.]net<\/td>\nMiniUpdate UAE Campaign C2<\/td>\n<\/tr>\n
Domain<\/td>\nPremier-HealthAdvisory.azurewebsites[.]net<\/td>\nMiniUpdate UAE Campaign C2<\/td>\n<\/tr>\n
Domain<\/td>\nRamiltonsfinance[.]com<\/td>\nMiniUpdate Middle East Campaign C2<\/td>\n<\/tr>\n
Domain<\/td>\nRamiltonsfinance.azurewebsites[.]net<\/td>\nMiniUpdate Middle East Campaign C2<\/td>\n<\/tr>\n
Domain<\/td>\nRamiltons-finance.azurewebsites[.]net<\/td>\nMiniUpdate Middle East Campaign C2<\/td>\n<\/tr>\n
Domain<\/td>\nbusiness-startup[.]org<\/td>\nScreening Serpens infrastructure<\/td>\n<\/tr>\n
Domain<\/td>\nbusiness-startup.azurewebsites[.]net<\/td>\nScreening Serpens infrastructure<\/td>\n<\/tr>\n
Domain<\/td>\ndocspace-y4cumb.onlyoffice[.]com<\/td>\nPayload delivery host (ONLYOFFICE)<\/td>\n<\/tr>\n
Domain<\/td>\ndocspace-twpf0e.onlyoffice[.]com<\/td>\nPayload delivery host (ONLYOFFICE)<\/td>\n<\/tr>\n
URL<\/td>\nhxxps[:]\/\/docspace-y4cumb.onlyoffice[.]com\/storage\/files\/root\/folder_3602000\/file_3601577\/v1\/content.zip<\/td>\nMiniJunk V2 payload delivery URL<\/td>\n<\/tr>\n
URL<\/td>\nhxxps[:]\/\/docspace-twpf0e.onlyoffice[.]com\/storage\/files\/root\/folder_3765000\/file_3764519\/v1\/content.zip<\/td>\nMiniJunk V2 US campaign delivery URL<\/td>\n<\/tr>\n
URL<\/td>\nhxxps[:]\/\/2117.filemail[.]com\/api\/file\/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm<\/td>\nMiniUpdate Israel campaign payload URL<\/td>\n<\/tr>\n
SHA256<\/td>\n44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250<\/td>\nMiniUpdate US campaign \u2013 initial archive<\/td>\n<\/tr>\n
SHA256<\/td>\n332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17<\/td>\nMiniUpdate US campaign \u2013 Hiring Portal.zip<\/td>\n<\/tr>\n
SHA256<\/td>\n0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864<\/td>\nMiniUpdate US campaign \u2013 UpdateChecker.dll<\/td>\n<\/tr>\n
SHA256<\/td>\n38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d<\/td>\nMiniUpdate Israel campaign \u2013 initial archive<\/td>\n<\/tr>\n
SHA256<\/td>\nd4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2<\/td>\nMiniUpdate Israel campaign \u2013 UpdateChecker.dll<\/td>\n<\/tr>\n
SHA256<\/td>\nbc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad<\/td>\nMiniUpdate UAE\/Middle East \u2013 UpdateChecker.dll<\/td>\n<\/tr>\n
SHA256<\/td>\n74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27<\/td>\nMiniUpdate Middle East campaign<\/td>\n<\/tr>\n
SHA256<\/td>\n9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84<\/td>\nMiniJunk V2 Middle East \u2013 uevmonitor.dll<\/td>\n<\/tr>\n
SHA256<\/td>\nb19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4<\/td>\nMiniJunk V2 Middle East \u2013 unbcl.dll<\/td>\n<\/tr>\n
SHA256<\/td>\n8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b<\/td>\nMiniJunk V2 US campaign \u2013 Portable Platform.zip<\/td>\n<\/tr>\n
SHA256<\/td>\n43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa<\/td>\nMiniJunk V2 US campaign \u2013 Connection.dll<\/td>\n<\/tr>\n
SHA256<\/td>\n9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1<\/td>\nMiniJunk V2 US campaign \u2013 unbcl.dll<\/td>\n<\/tr>\n
File Name<\/td>\nUpdateChecker.dll<\/td>\nMiniUpdate RAT core payload<\/td>\n<\/tr>\n
File Name<\/td>\nuevmonitor.dll<\/td>\nMiniJunk V2 primary loader DLL<\/td>\n<\/tr>\n
File Name<\/td>\nConnection.dll<\/td>\nMiniJunk V2 US campaign RAT payload<\/td>\n<\/tr>\n
File Name<\/td>\nHiring Portal.zip<\/td>\nLure archive used in US\/Israel campaigns<\/td>\n<\/tr>\n
File Name<\/td>\nPortable platform.zip<\/td>\nLure archive used in US MiniJunk V2 campaign<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Note:<\/strong>\u00a0IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em>[.]<\/em><\/code>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n

Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/p>\n

The post MiniUpdate RAT Uses Azure-Hosted C2 Domains for Targeted Espionage Campaigns<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Tushar Subhra Dutta
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

MiniUpdate RAT Uses Azure-Hosted C2 Domains for Targeted Espionage Campaigns A new wave of targeted espionage attacks has put technology professionals across the United States, Israel, and the United Arab Emirates on high alert. The threat comes from an Iran-linked hacking group deploying two families of remote access trojans through cleverly disguised recruitment lures and […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13129","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13129"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13129"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13129\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}