Listen to this Post

Introduction:
The latest espionage campaign by Iranian state‑nexus advanced persistent threat (APT) actor Screening Serpens (also known as UNC1549, Smoke Sandstorm and Iranian Dream Job) demonstrates a dangerous leap in evasion capabilities. Using newly identified MiniUpdate and MiniJunk V2 remote access trojans (RATs), the group has targeted technology professionals in the United States, Israel and the United Arab Emirates. These attacks, which coincide with recent Middle East regional conflicts, rely on Azure‑hosted command‑and‑control (C2) domains and a .NET runtime hijacking technique that disables core security telemetry before the malware even executes.
Learning Objectives:
- Identify the key tactics, techniques and procedures (TTPs) of the MiniUpdate RAT, including AppDomainManager hijacking and ETW silencing.
- Detect Azure‑hosted C2 infrastructure and indicators of compromise (IOCs) associated with UNC1549 campaigns.
- Apply active defence measures – process monitoring, scheduled task review and YARA rules – to block and hunt for the malware.
You Should Know:
- AppDomainManager Hijacking – How Attackers Kill Your EDR Before the Malware Starts
MiniUpdate’s most dangerous innovation is a native .NET configuration technique that disables security mechanisms at the Common Language Runtime (CLR) level. By adding a few XML lines to a legitimate application’s `.config` file, the attacker forces the CLR to:
- Disable Event Tracing for Windows (
<etwEnable enabled="false"/>), cutting the primary telemetry feed for modern EDR solutions. - Bypass strong‑name signature validation (
<bypassTrustedAppStrongNames enabled="true"/>), allowing unsigned DLLs to load silently. - Suppress publisher policy redirections (
<publisherPolicy apply="no"/>), ensuring the malicious assembly overrides system patches. - Lock a specific .NET runtime version (
<requiredRuntime safemode="true" ... />), preventing crashes that would alert the user.
This “living‑off‑the‑land” approach is stealthier than typical memory‑patching or API unhooking – the attacker simply asks the .NET runtime to switch off its own security.
Step‑by‑step guide – Detecting AppDomainManager Hijacking:
- Identify suspicious `.config` files that contain the above evasion directives. On Windows, search for all `.exe.config` files with the following content:
Get-ChildItem -Path C:\ -Filter ".exe.config" -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "<etwEnable enabled=\"false\"/>","<bypassTrustedAppStrongNames enabled=\"true\"/>"
- Monitor for unexpected `probing privatePath=”.”` directives – this tells .NET to load assemblies from the local directory, a hallmark of DLL sideloading:
<runtime><assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"><probing privatePath="."/></assemblyBinding></runtime>
- Use Sysmon Event ID 1 (process creation) to spot a legitimate Windows binary (e.g.,
update.exe) launching with an abnormal parent `svchost.exe` – MiniUpdate verifies that the parent is `svchost.exe` to avoid sandbox detection. -
On Linux, if analysing cross‑compiled samples or network captures, you can replicate the detection by grepping for the same XML patterns in any unpacked payloads:
find / -name ".config" -exec grep -l "<etwEnable enabled=\"false\"/>" {} \; 2>/dev/null
- Hunting Azure‑Hosted C2 Domains – The Attacker’s Cloud Chameleon
Screening Serpens assigns each target a unique set of three to five C2 domains, most hosted on Azure Websites, and rotates them regularly to avoid cross‑contamination. The attacker impersonates legitimate sectors – healthcare, finance, technology – to blend into normal outbound traffic. Observed domain patterns include:
– `PremierHealthAdvisory[.]com` and `PremierHealthAdvisory.azurewebsites[.]net`
– `Ramiltonsfinance[.]com` and `Ramiltonsfinance.azurewebsites[.]net`
– `buisness-centeral.azurewebsites[.]net` and `NanoMatrix.azurewebsites[.]net`
The RAT communicates via HTTP GET requests to the `/agent/poll` endpoint, using a Chrome‑masked User‑Agent string.
Step‑by‑step guide – Detecting Azure‑based C2 traffic:
- Inspect Windows firewall or proxy logs for outbound connections to
.azurewebsites.net, especially from unexpected processes (update.exe,setup.exe).
Get-NetTCPConnection | Where-Object { $<em>.RemoteAddress -like ".azurewebsites.net" -and $</em>.State -eq "Established" }
- Use Zeek (formerly Bro) on a network sensor to extract HTTP hostnames and flag those ending in
.azurewebsites.net. A simple Zeek signature:
signature azure_c2 {
ip-proto == tcp
dst-port == 443
http-host-header /..azurewebsites.net/
event "Possible Azure-hosted C2 detected"
}
- On Linux hosts, use `tcpdump` with `grep` to capture suspicious TLS handshakes:
sudo tcpdump -i eth0 -n 'tcp port 443' -A -s 0 | grep -E "azurewebsites.net|.live|filemail.com"
- Cross‑reference DNS requests – add the following list of known MiniUpdate C2 domains to your SIEM or threat intelligence platform:
- PremierHealthAdvisory[.]com
- Ramiltonsfinance[.]com
- buisness-centeral-transportation[.]com
- NanoMatrix[.]azurewebsites[.]net
- QuantumWeave[.]azurewebsites[.]net
- Persistence and Payload Delivery – Scheduled Tasks and Fake Installers
The infection chain begins with a spear‑phishing email containing a malicious ZIP archive disguised as job requisitions or video‑conferencing installers. When the user runs setup.exe, the malware:
- Displays a fake installer loading spinner to distract the victim.
- Copies its components into `%localappdata%\…\bin\update` and renames `setup.exe` to
update.exe. - Creates a Windows scheduled task named `WindowsSecurityUpdate` that triggers daily at 09:30 and ensures persistence across reboots.
Later variants also break large files into chunks during exfiltration, reducing the likelihood of triggering network egress alerts.
Step‑by‑step guide – Eradicating persistence and hunting for scheduled tasks:
- List all scheduled tasks on an endpoint to spot tasks with suspicious triggers or command lines pointing to `AppData` paths:
Get-ScheduledTask | Where-Object {$<em>.TaskPath -like "WindowsSecurityUpdate" -or $</em>.Actions.Execute -like "AppData\Local\"}
- Disable or delete any illegitimate tasks immediately. Use:
Disable-ScheduledTask -TaskName "WindowsSecurityUpdate" Schtasks /Delete /TN "WindowsSecurityUpdate" /F
- On a compromised Linux system (if any cross‑platform components are deployed), check cron jobs and systemd timers for similar persistent backdoors:
crontab -l -u root | grep -i "update|check" systemctl list-timers --all | grep -i "update|windows"
- Use Autoruns for Windows (Sysinternals) to visualise all scheduled tasks, services, and registry run keys. Pay special attention to entries located under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. -
Command‑and‑Control Decoding – From `cmd.exe /c` to Chunked Exfiltration
Once active, the MiniUpdate RAT processes a 16‑ to 18‑opcode dispatcher that gives the attacker full control over the compromised host. Key commands include:
– `cmd.exe /c` execution – runs arbitrary shell commands.
– In‑memory DLL loading – executes exported functions without touching disk.
– Process enumeration and termination – kills security tools or competing malware.
– Chunked file upload – splits data into smaller segments to evade size‑based detection.
Step‑by‑step guide – Blocking and monitoring C2 communications:
- Use a network proxy or next‑generation firewall to block any HTTP POST requests to the `/api/app/update` or `/api/app/comment` endpoints. A sample Suricata rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MiniUpdate C2 beacon"; http.method; content:"POST"; http.uri; content:"/api/app/update"; nocase; sid:1000001; rev:1;)
- On Linux, monitor for outbound connections from processes named `update.exe` (running under Wine) that connect to Azure endpoints:
sudo ss -tupn | grep "ESTAB" | grep -E "update.exe|setup.exe" | grep -E "azurewebsites.net|:443"
- Implement YARA rules to scan for the plaintext strings found in the MiniUpdate samples. For example, look for the `UpdateChecker.dll` internal name or the `buisness-centeral` domains:
rule MiniUpdate_String_Indicator {
strings:
$s1 = "UpdateChecker.dll" nocase wide ascii
$s2 = "buisness-centeral" nocase wide ascii
$s3 = "/agent/poll" nocase ascii
condition: any of them
}
- Collect and analyse ETW telemetry – even though the malware disables ETW, you can enable ETW logging at the kernel level using
logman. Create a trace session that cannot be stopped by the attacker’s `etwEnable` directive:
logman create trace "PersistentETW" -p Microsoft-Windows-DotNETRuntime -o %SystemRoot%\ETWLog.etl logman start "PersistentETW"
5. MiniJunk V2 – The Over‑Inflated, Obfuscated Alternative
While MiniUpdate focuses on native evasion, MiniJunk V2 uses size‑based avoidance. The malware is inflated to about 12 MB by injecting thousands of junk strings (Java tracebacks, SQL queries, .NET exceptions) that repeat every 0x1E50 bytes. This pushes the payload past the file‑size limits of some automated sandboxes and floods string‑extraction tools with noise.
Step‑by‑step guide – Defeating MiniJunk V2’s smokescreen:
- Use `ssdeep` (fuzzy hashing) to identify the junk‑repeat pattern – a MiniJunk binary will exhibit many identical chunks at regular offsets.
ssdeep -b -m 0x1E50 suspicious_binary.exe
- Extract only non‑repeating bytes using a Python script that strips out the junk sections, then feed the cleaned version to a sandbox.
-
Look for the persistent scheduled task named `Synchronize OS` – this is a known artefact of the MiniJunk loader.
What Undercode Say:
- Key Takeaway 1: AppDomainManager hijacking is not a bug – it is a feature of .NET that attackers have weaponised to turn the runtime into an accomplice. Defenders must treat `.config` files as high‑value indicators and monitor for `etwEnable=false` and `bypassTrustedAppStrongNames=true` across all applications.
- Key Takeaway 2: Cloud‑hosted C2 domains are no longer just a luxury for threat actors – they are a core part of operational resilience. Azure’s trustworthiness and global presence make it an ideal hiding spot, and the attacker’s use of unique domain sets per target complicates shared‑threat intelligence. The only reliable detection is behavioural: look for unexpected processes reaching out to
.azurewebsites.net.
Expected Output:
- Proactive Hunting: Organisations should implement YARA rules for the plaintext C2 strings and monitor file system events for new `.config` files that contain the evasion flags.
- Network Hardening: Block all outbound traffic to `.azurewebsites.net` unless explicitly required for business, and use TLS inspection to examine the SNI fields of encrypted connections.
- Endpoint Hardening: Disable the ability for non‑administrative users to write `.config` files in application directories, and enforce that only signed assemblies can be loaded via Windows Defender Application Control (WDAC).
Prediction:
The use of legitimate cloud infrastructure and native runtime features for attack execution will only intensify. As Microsoft’s .NET and Azure become even more ubiquitous, threat actors will continue to refine AppDomainManager hijacking and other living‑off‑the‑land techniques, making traditional signature‑based detection obsolete. Future iterations of MiniUpdate may include encrypted or ephemeral C2 domains that rotate every few hours, leveraging serverless functions and API gateways to evade reputation‑based blocks. Defenders must shift their focus to behaviour‑based detection – monitoring for the absence of ETW events, the appearance of suspicious scheduled tasks, and the fingerprint of `.config` directives that tell the CLR to “blind itself”. The cat‑and‑mouse game has moved from the kernel to the runtime configuration file.
▶️ Related Video (92% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Varshu25 Hackers – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


