Iran-Linked Screening Serpens Deploys MiniUpdate and MiniJunk V2 RATs in Espionage Campaign Targeting Tech Professionals
Iran-linked threat actor Screening Serpens is using two new RAT families—MiniUpdate and MiniJunk V2—in spear-phishing campaigns targeting tech professionals in the US, Israel, and UAE.

A new wave of targeted espionage attacks has put technology professionals across the United States, Israel, and the United Arab Emirates on high alert. The threat comes from an Iran-linked hacking group deploying two families of remote access trojans through cleverly disguised recruitment lures and fake software installers. The campaign began as early as mid-February 2026 and continued expanding, with fresh samples appearing as recently as mid-April. Researchers believe the surge closely follows a Middle East regional conflict that started on February 28, 2026.
The group behind these intrusions is tracked as Screening Serpens, also known by the aliases UNC1549, Smoke Sandstorm, and Iranian Dream Job. It has been active since at least 2022 and historically focused on Middle Eastern targets before expanding into Western Europe in late 2025. Six newly discovered RAT variants have been grouped into two malware families: a new one called MiniUpdate, and an upgraded tool called MiniJunk V2. Analysts at Unit 42 identified these variants and assessed with moderate-high confidence that Screening Serpens is behind the operation.
Both families are delivered through spear-phishing lures impersonating trusted brands and hiring platforms. Victims receive fake job applications or spoofed meeting invitations crafted to look completely genuine. Once a target opens the malicious archive and runs the included file, the infection chain quietly begins while the victim sees nothing unusual on screen.

The MiniUpdate RAT is the more technically advanced of the two families and uses a technique called AppDomainManager hijacking. By altering a legitimate configuration file, the malware instructs the .NET runtime to disable its own security features before the host application fully loads. The result is a payload running in an environment where standard security monitoring tools are already blinded. The configuration disables Event Tracing for Windows, a key telemetry source that security software uses to detect suspicious behavior, and also bypasses digital signature checks. The malware creates a scheduled task that fires daily at 09:30 local time, keeping it alive through system reboots. Command and control traffic routes through Azure-hosted domains assigned to each specific target, preventing any single detection point from exposing the broader infrastructure.
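The settings described above all live in plain XML that defenders can audit. The following scanner is an added example written for this article, not code from Unit 42 or from the malware analysis; it checks a .NET application config for an AppDomainManager override together with the `etwEnable` switch, and checks a scheduled-task definition for a daily trigger whose action runs from a user-writable path. The `appDomainManagerAssembly`, `appDomainManagerType` and `etwEnable` runtime elements are documented .NET Framework config elements; treating `generatePublisherEvidence enabled="false"` as the "signature check bypass" the article mentions is an assumption, and all sample XML below is constructed for the demonstration.

```python
"""Audit .NET app config and Task Scheduler XML for AppDomainManager-hijack style settings."""
import xml.etree.ElementTree as ET

# Constructed sample: a normal app config with no runtime overrides.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/>
  </startup>
</configuration>"""

# Constructed sample: runtime section pointing the CLR at an attacker-supplied
# AppDomainManager, disabling ETW, and (assumed mapping) skipping publisher evidence.
HIJACK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
    <etwEnable enabled="false"/>
    <generatePublisherEvidence enabled="false"/>
  </runtime>
</configuration>"""

# Constructed sample: a Task Scheduler definition with a daily 09:30 trigger whose
# action lives under the user's roaming profile. Paths and names are made up.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2026-03-02T09:30:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Roaming\Updater\host.exe</Command></Exec>
  </Actions>
</Task>"""

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directory fragments a standard user can write to; a persistence action here is unusual.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def scan_config(xml_text):
    """Return a list of indicator names found in the <runtime> section of a .NET config."""
    findings = []
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return findings
    # Either element is enough to make the CLR load a custom AppDomainManager at startup.
    if (runtime.find("appDomainManagerAssembly") is not None
            or runtime.find("appDomainManagerType") is not None):
        findings.append("appdomainmanager_override")
    etw = runtime.find("etwEnable")
    if etw is not None and etw.get("enabled", "true").lower() == "false":
        findings.append("etw_disabled")
    pub = runtime.find("generatePublisherEvidence")  # assumed mapping, see lead-in
    if pub is not None and pub.get("enabled", "true").lower() == "false":
        findings.append("publisher_evidence_disabled")
    return findings


def scan_task(xml_text):
    """Return (daily trigger times as HH:MM:SS, action commands in user-writable paths)."""
    root = ET.fromstring(xml_text)
    daily_times = []
    for trig in root.findall("t:Triggers/t:CalendarTrigger", TASK_NS):
        start = trig.find("t:StartBoundary", TASK_NS)
        if trig.find("t:ScheduleByDay", TASK_NS) is not None and start is not None:
            daily_times.append(start.text.split("T", 1)[1])  # keep only the clock time
    flagged_cmds = []
    for cmd in root.findall("t:Actions/t:Exec/t:Command", TASK_NS):
        if cmd.text and any(hint in cmd.text.lower() for hint in USER_WRITABLE):
            flagged_cmds.append(cmd.text)
    return daily_times, flagged_cmds


if __name__ == "__main__":
    print("benign config:", scan_config(BENIGN_CONFIG))
    print("hijack config:", scan_config(HIJACK_CONFIG))
    print("task:", scan_task(TASK_XML))
```

In practice you would point `scan_config` at every `*.exe.config` beside a signed executable on the host and `scan_task` at the files under the Task Scheduler tasks directory; a config that names an AppDomainManager the vendor never shipped, combined with a daily task launching from a profile directory, is the pairing the article describes.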
The March U.S. campaign delivered the RAT inside an archive disguised as airline recruitment materials, complete with fake job descriptions for senior technical roles. The Israel campaign that same month used an archive impersonating a video conferencing installer, with a spoofed loading screen shown to the user while the malware silently deployed behind the scenes.

The MiniJunk V2 family, first spotted on February 17, 2026, takes a different approach to staying hidden. It inflates its file size to around 12 megabytes by embedding thousands of meaningless code strings from languages like Java and Python, pushing the file past the scanning limits of certain automated security tools. This also floods analysis software with irrelevant data, making manual investigation significantly harder. The malware uses two layers of DLL sideloading to deploy its payload and connects to five Azure-hosted command servers whose names are designed to resemble legitimate Windows service processes. The March U.S. variant includes a hard-coded date check that prevents the RAT from activating before March 27, 2026, at 13:30 UTC, making early sandbox analysis nearly useless. A fake "Meeting Room" window is shown to the victim to keep attention away from what is running in the background.
Security teams are advised to configure endpoint detection tools to flag DLL sideloading and AppDomainManager hijacking as high-risk behaviors, rather than relying solely on known file signatures. Monitoring for trusted binaries that load unsigned or unrecognized modules adds an important detection layer against this type of attack. Organizations in aerospace, defense, telecommunications, and technology should treat unsolicited job-related archives or unexpected software update prompts with strong suspicion, as these remain the group's preferred entry points. Unit 42 has published a full set of indicators of compromise, including Azure-hosted domains used for C2 communication, to aid defenders in detecting and blocking this ongoing campaign.
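The advice above, to watch for trusted binaries loading unsigned or unrecognized modules, can be expressed as a simple rule over image-load telemetry. The example below is added here and is not Unit 42's detection content; it assumes events shaped like Sysmon Event ID 7 (ImageLoad) records with the `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` fields, and all events are constructed for the demonstration. It flags an unsigned module that is loaded from a user-writable location, and separately flags the sideloading shape the article describes: an unsigned module sitting beside its host executable in a directory outside the Windows tree.

```python
"""Flag unsigned module loads that match the DLL-sideloading pattern described above."""
import ntpath

# Modules loaded from the Windows tree are considered in-place; anything else beside
# its host executable is a sideload candidate if unsigned.
WINDOWS_TREE = "c:\\windows\\"
# Directory fragments a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed image-load events in Sysmon Event ID 7 field shape (assumption).
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\Downloads\Installer\vendor_app.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Installer\vendorsupport.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\VendorApp.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\VendorApp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def reasons_for(event):
    """Return the list of reasons this image-load event is suspicious (empty if none)."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    # Treat anything that is not a validly signed module as unsigned.
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus", "") == "Valid")
    reasons = []
    if signed_ok:
        return reasons
    if any(hint in loaded for hint in USER_WRITABLE):
        reasons.append("unsigned module loaded from user-writable path")
    # Classic sideload shape: DLL dropped next to the executable that loads it.
    if (ntpath.dirname(loaded) == ntpath.dirname(image)
            and not image.startswith(WINDOWS_TREE)):
        reasons.append("unsigned module beside host executable outside Windows tree")
    return reasons


def detect(events):
    """Run the rule over a batch of events and return the hits with their reasons."""
    hits = []
    for ev in events:
        reasons = reasons_for(ev)
        if reasons:
            hits.append({"process": ev["Image"], "module": ev["ImageLoaded"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["process"], "->", hit["module"])
        for r in hit["reasons"]:
            print("   ", r)
```

The rule deliberately ignores signing status of the host process, since a sideloading chain typically starts with a legitimately signed executable copied into the lure archive; what matters is the unsigned companion module and where it sits. On a real host, expect to add an allowlist for unsigned modules that in-house software legitimately ships.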