Screening Serpens 2026 Multi-Country Espionage Campaigns


Tags: UNC1549, Screening Serpens, Smoke Sandstorm, Iranian Dream Job, Iran APT, MiniUpdate, MiniJunk V2
Screening Serpens is an Iran-nexus advanced persistent threat group conducting cyberespionage aligned with Iranian intelligence objectives. Between February and April 2026, coinciding directly with a regional conflict that began on 28 February 2026, the group deployed six new RAT variants across five countries. The variants fall into two malware families: MiniUpdate (newly discovered) and MiniJunk V2 (evolved from the previously documented MiniJunk backdoor).

Indicators of Compromise


APT Groups

UNC1549 (IR)

Summary of Actor: UNC1549 is a financially motivated threat actor known for its ransomware operations. They have been active in targeting high-value organizations, leveraging sophisticated techniques to compromise systems.

General Features: UNC1549 specializes in ransomware attacks, often employing advanced persistence mechanisms and data exfiltration techniques before deploying ransomware. They are known for their ability to move laterally within networks and evade detection.

Related Other Groups: FIN12, Wizard Spider

Indicators of Attack (IoA):

  • Suspicious use of administrative tools

  • Unusual network traffic patterns

  • Data exfiltration to external servers

  • Ransomware notes left on compromised systems

Recent Activities and Trends:

  • Latest Campaigns: UNC1549 was recently linked to a high-profile ransomware attack on a major healthcare provider, resulting in significant data breaches and operational disruptions.

  • Emerging Trends: There is a noticeable shift towards targeting critical infrastructure and adopting double extortion tactics, where data is not only encrypted but also exfiltrated and threatened to be published unless ransom is paid.

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

Immediate Actions

  • Scan all endpoints for scheduled tasks referencing AppData paths (e.g. \bin\update\update.exe, WindowsSecurityUpdate, Synchronize OS). Remove any task not created by authorised IT tooling.

  • Search EDR telemetry for .config files containing <etwEnable enabled='false'/>, <bypassTrustedAppStrongNames enabled='true'/> or <publisherPolicy apply='no'/>.

  • Block all listed C2 domains at DNS and firewall. A single resolution of any listed domain from a build or production host is a high-confidence indicator of compromise.

  • Quarantine UpdateChecker.dll, unbcl.dll, Connection.dll and uevmonitor.dll if found under %APPDATA% subdirectories.

  • Rotate credentials for any user who executed an archive delivered via ONLYOFFICE DocSpace or filemail.com between February and April 2026.

Short-Term Hardening

  • Deploy WDAC or AppLocker to block unsigned DLL execution from %APPDATA%, %TEMP% and %DOWNLOADS%.

  • Enable Microsoft-Windows-DotNETRuntime ETW provider in SIEM; alert on runtime disablement or abnormal assembly load.

  • Enforce email and web-gateway policies to quarantine double-nested ZIP archives from external senders.

  • Implement DNS filtering for newly registered Azure subdomains not associated with known business services. SOCRadar Attack Surface Management surfaces anomalous domain registrations in your sector.

Long-Term Posture

  • Run phishing-simulation exercises using Screening Serpens recruitment lure templates to harden employee recognition of Iranian Dream Job tactics.

  • Integrate SOCRadar Threat Intelligence feeds covering Screening Serpens / UNC1549 infrastructure patterns (Azure C2, ONLYOFFICE DocSpace, sector-brand impersonation) into SIEM/SOAR playbooks.

  • Enable SOCRadar Dark Web Monitoring to detect credential exposure from target sectors: aerospace, defense, technology and telecommunications.

DETECTIONS

Behavioral and signature-based detection rules mapped to observed TTPs. ATT&CK T-codes link to the MITRE ATT&CK knowledge base. Add listed Azure C2 domains to SOCRadar IOC Radar for continuous infrastructure monitoring.

Det. ID | ATT&CK ID | Rule Name | Rule Type | Detection Logic | Severity
DET0001 | T1574.014 | AppDomainManager Config Abuse | File / EDR | Alert on .config files in user-writable directories containing 'etwEnable', 'bypassTrustedAppStrongNames' or 'publisherPolicy'. Correlate with subsequent .NET assembly load. | Critical
DET0002 | T1053.005 | Suspicious Scheduled Task via svchost | Event Log | Monitor Event ID 4698. Alert when task action references %APPDATA% path AND creating process is svchost.exe — the MiniUpdate InitInstall.dll persistence signature. | Critical
DET0003 | T1574.001 | Unsigned DLL Loaded from AppData | EDR / Process | Detect unsigned DLLs (UpdateChecker.dll, unbcl.dll, Connection.dll, uevmonitor.dll, Updater.dll) loaded from %APPDATA% by a legitimately signed executable. | High
DET0004 | T1071.001 | Azure C2 Domain Beaconing | DNS / Proxy | Alert on DNS or HTTPS to: buisness-centeral*.azurewebsites.net, PremierHealthAdvisory*, Ramiltonsfinance*, licencemanagers*, ThemesManagers*, NanoMatrix*, QuantumWeave*, ElementShift*. | Critical
DET0005 | T1566.001 | Nested ZIP with Job-Requisition PDFs | Email / Endpoint | Detect ZIP archives containing nested Hiring Portal.zip or Portal.zip alongside PDFs with job-ID naming patterns. Flag delivery from ONLYOFFICE DocSpace URLs. | High
DET0006 | T1497.001 | Sandbox Evasion via Parent Process Check | EDR / Behavior | Alert when a .NET binary launched by scheduled task exits immediately if parent is not svchost.exe — Updater.dll gatekeeper pattern in MiniUpdate Stage 3. | High
DET0007 | T1140 | ROT13 + Byte-Reversal Config Decryption | Memory / EDR | Hunt for .NET assemblies decrypting configuration strings via ROT13 + byte-reversal in a static constructor — InitInstall.dll's two-step cipher for C2 config. | High
DET0008 | T1041 | Chunked File Upload to Azure C2 | NetFlow / Proxy | Alert on repeated HTTPS POST sequences to same azurewebsites.net subdomain from update.exe — indicates MiniUpdate chunked-exfiltration opcode (added April variants). | High
DET0009 | T1036.005 | setup.exe Renamed in AppData | File / EDR | Detect setup.exe renamed to update.exe under %APPDATA%\[vendor]\bin\update\ co-located with .config containing AppDomainManager evasion directives. | High
DET0010 | T1027 | Oversized DLL with Junk String Patterns | Static / EDR | Flag DLLs > 8 MB loaded from AppData where .rdata contains repeating Java/Python/SQL exception strings every 0x1E50 bytes — MiniJunk V2 size-inflation signature. | Medium
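The .config search in the Immediate Actions list and rule DET0001 describe the same check. The following is an added example (not SOCRadar's or the campaign's own code) that parses a .config document with the standard library and reports the three evasion directives the page names plus the appDomainManagerAssembly/appDomainManagerType runtime elements that T1574.014 relies on; the sample config is constructed for this example.

```python
import xml.etree.ElementTree as ET

# (element, attribute, value) triples the page lists as evasion directives.
EVASION_DIRECTIVES = (
    ("etwEnable", "enabled", "false"),
    ("bypassTrustedAppStrongNames", "enabled", "true"),
    ("publisherPolicy", "apply", "no"),
)
# Standard .NET runtime elements that redirect the CLR to a custom AppDomainManager.
MANAGER_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def scan_config(xml_text: str) -> dict:
    """Return evasion directives and AppDomainManager pointers found under <runtime>."""
    findings = {"directives": [], "manager": {}}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings                      # not XML: nothing to report
    runtime = root.find("runtime")
    if runtime is None:
        return findings
    for elem in runtime.iter():
        tag = elem.tag.split("}")[-1]        # drop the assemblyBinding namespace, if any
        for name, attr, bad in EVASION_DIRECTIVES:
            if tag == name and elem.get(attr, "").strip().lower() == bad:
                findings["directives"].append(name)
        if tag in MANAGER_ELEMENTS:
            findings["manager"][tag] = elem.get("value", "")
    return findings


def is_suspicious(findings: dict) -> bool:
    """DET0001 fires on any evasion directive or any AppDomainManager redirect."""
    return bool(findings["directives"]) or bool(findings["manager"])


# Constructed sample modelled on the described update.exe.config; the assembly
# and type names are placeholders, not values taken from a real sample.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateChecker" />
    <appDomainManagerType value="UpdateChecker.Manager" />
    <etwEnable enabled="false" />
    <bypassTrustedAppStrongNames enabled="true" />
    <publisherPolicy apply="no" />
  </runtime>
</configuration>"""

if __name__ == "__main__":
    print(scan_config(SAMPLE_CONFIG))
```

In production the function would be fed the contents of every .config found beside an executable under %APPDATA%, %TEMP% or %DOWNLOADS%, and the result correlated with the next .NET assembly load from that directory.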
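Rule DET0010 keys on two properties: file size above 8 MB and padding strings recurring at a fixed 0x1E50-byte stride. The following added example (not SOCRadar's or the campaign's own code) implements that check over raw file bytes; the exception-style marker strings and the padded sample are constructed for this example, and a real deployment would run it over the .rdata section of DLLs loaded from %APPDATA%.

```python
import re

SIZE_THRESHOLD = 8 * 1024 * 1024          # page: flag DLLs larger than 8 MB
JUNK_STRIDE = 0x1E50                      # page: junk strings repeat every 0x1E50 bytes

# Constructed stand-ins for the Java/Python/SQL exception text the page describes;
# a production rule would use strings extracted from the actual samples.
JUNK_MARKERS = (
    b"java.lang.NullPointerException",
    b"Traceback (most recent call last)",
    b"SQLSyntaxErrorException",
)


def periodic_offsets(blob: bytes, marker: bytes, stride: int) -> tuple:
    """Return (occurrences of marker, consecutive gaps that equal stride)."""
    offsets = [m.start() for m in re.finditer(re.escape(marker), blob)]
    gaps = [b - a for a, b in zip(offsets, offsets[1:])]
    return len(offsets), sum(1 for g in gaps if g == stride)


def is_inflated_dll(blob: bytes, min_hits: int = 8, ratio: float = 0.9) -> bool:
    """DET0010: oversized AND at least one marker repeating at JUNK_STRIDE."""
    if len(blob) <= SIZE_THRESHOLD:
        return False
    for marker in JUNK_MARKERS:
        hits, periodic = periodic_offsets(blob, marker, JUNK_STRIDE)
        # ratio tolerates a few blocks whose padding was overwritten by real data
        if hits >= min_hits and periodic >= ratio * (hits - 1):
            return True
    return False


def build_sample(blocks: int, marker: bytes, block_size: int = JUNK_STRIDE) -> bytes:
    """Constructed padded section: marker at the start of every block_size bytes."""
    block = marker + b"\x00" * (block_size - len(marker))
    return block * blocks


if __name__ == "__main__":
    inflated = build_sample(1100, JUNK_MARKERS[0])     # ~8.5 MB, stride 0x1E50
    print(len(inflated), is_inflated_dll(inflated))
```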

Observed Countries

AE (107)
IL (536)
US (537)