
Screening Serpens 2026 Multi-Country Espionage Campaigns
Indicators of Compromise
APT Groups
Summary of Actor: UNC1549 (Mandiant's designation; tracked here as Screening Serpens) is a suspected Iran-nexus espionage actor. It targets aerospace, defense, technology and telecommunications organisations with recruitment-themed "Dream Job" lures and works toward long-term access and data theft rather than extortion.
General Features: Job-offer lures delivered as double-nested ZIP archives through legitimate file-sharing services (ONLYOFFICE DocSpace, filemail.com); execution through .NET AppDomainManager configuration abuse beside a renamed setup.exe; persistence via scheduled tasks that run update.exe from %APPDATA%; staged .NET implants (MiniUpdate, MiniJunk) that check their parent process, obfuscate configuration strings and inflate binary size to frustrate analysis; command and control over Azure App Service subdomains (*.azurewebsites.net) impersonating sector brands.
Related Other Groups: Public reporting on UNC1549 notes overlaps with the Iranian Tortoiseshell cluster.
Indicators of Attack (IoA): Scheduled tasks whose action runs from an AppData path; .config files disabling CLR ETW tracing or strong-name verification; unsigned DLLs loaded from %APPDATA% by signed executables; beaconing and repeated HTTPS POSTs to attacker-controlled azurewebsites.net hosts; double-nested ZIP archives arriving via file-sharing links.
Recent Activities and Trends:
Latest Campaigns: Multi-country campaigns between February and April 2026 delivering job-requisition lures via ONLYOFFICE DocSpace and filemail.com; the April 2026 MiniUpdate variants added a chunked file-upload opcode for exfiltration.
Emerging Trends: Heavier reliance on Azure-hosted infrastructure that impersonates sector brands, and increased anti-analysis in the implants (MiniJunk V2 size inflation, parent-process gatekeeping, two-step configuration obfuscation).
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
Immediate Actions
Scan all endpoints for scheduled tasks whose action runs from an AppData path (e.g. \bin\update\update.exe) or whose name matches the observed task names WindowsSecurityUpdate or Synchronize OS. Remove any task not created by authorised IT tooling.
Search EDR telemetry for application .config files (the CLR reads <exe name>.config beside the executable) whose runtime section contains <etwEnable enabled='false'/>, <bypassTrustedAppStrongNames enabled='true'/> or <publisherPolicy apply='no'/>, or an <appDomainManagerAssembly> / <appDomainManagerType> element pointing at an assembly that is not part of the .NET Framework.
Block all listed C2 domains at DNS and firewall. A single resolution of any listed domain from a build or production host is a high-confidence indicator of compromise.
Quarantine UpdateChecker.dll, unbcl.dll, Connection.dll and uevmonitor.dll if found under %APPDATA% subdirectories.
Rotate credentials for any user who executed an archive delivered via ONLYOFFICE DocSpace or filemail.com between February and April 2026.
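A quick way to triage the .config hunt in the list above, and to prototype the DET0001 rule in the detections table, is to parse the runtime section directly rather than grepping for strings. The following Python is an added example written for this page; it is not tooling from the original report or from any vendor. The two embedded config documents are constructed to mimic the described pattern (the assembly and type names in the malicious sample are invented), and the allow-list of framework assembly names is an assumption.

```python
"""Triage .NET application .config files for AppDomainManager injection and
CLR-evasion directives (added example; not vendor or report tooling)."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Documented <runtime> child elements and the attribute value that weakens the CLR.
EVASION_SETTINGS = {
    "etwEnable": ("enabled", "false", "CLR ETW event tracing disabled"),
    "bypassTrustedAppStrongNames": ("enabled", "true", "strong-name signature check bypassed"),
    "publisherPolicy": ("apply", "no", "publisher policy redirection disabled"),
}
# Assumption: only these simple assembly names are acceptable AppDomainManager hosts.
FRAMEWORK_ASSEMBLIES = {"mscorlib", "System", "System.Core"}


def _local(tag):
    """Strip a default xmlns if present; .config files are normally un-namespaced."""
    return tag.rsplit("}", 1)[-1]


def analyze_config(xml_text):
    """Return a list of finding strings for one .config document; [] means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable config: {exc}"]
    findings = []
    manager_assembly = manager_type = None
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in EVASION_SETTINGS:
            attr, bad, why = EVASION_SETTINGS[tag]
            if (elem.get(attr) or "").strip().lower() == bad:
                findings.append(f"<{tag} {attr}='{bad}'/>: {why}")
        elif tag == "appDomainManagerAssembly":
            manager_assembly = elem.get("value") or ""
        elif tag == "appDomainManagerType":
            manager_type = elem.get("value") or ""
    if manager_assembly is not None or manager_type is not None:
        simple = (manager_assembly or "").split(",")[0].strip()
        origin = "framework" if simple in FRAMEWORK_ASSEMBLIES else "non-framework"
        # The CLR resolves and loads this assembly before Main() runs, so a
        # non-framework manager means attacker code executes under the signed host.
        findings.append(
            f"AppDomainManager {manager_type or '?'} from {origin} assembly '{simple or '?'}'")
    return findings


def scan_tree(root_dir):
    """Yield (path, findings) for every *.config under root_dir that has findings."""
    for path in Path(root_dir).rglob("*.config"):
        try:
            findings = analyze_config(path.read_text(encoding="utf-8-sig", errors="replace"))
        except OSError:
            continue
        if findings:
            yield path, findings


# Constructed sample mimicking the described pattern; the assembly/type names are invented.
MALICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateChecker, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateChecker.Bootstrap" />
    <etwEnable enabled="false" />
    <bypassTrustedAppStrongNames enabled="true" />
    <publisherPolicy apply="no" />
  </runtime>
</configuration>"""

# Constructed benign sample: ordinary startup and GC settings only.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
  <runtime>
    <gcServer enabled="true" />
    <publisherPolicy apply="yes" />
  </runtime>
</configuration>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python triage_config.py C:\Users
        for path, findings in scan_tree(sys.argv[1]):
            print(path, *findings, sep="\n  ")
    else:
        for name, doc in (("malicious", MALICIOUS_CONFIG), ("benign", BENIGN_CONFIG)):
            print(name, analyze_config(doc))
```

Run it against user profile roots; a hit on any of the three evasion elements in a user-writable directory is worth an immediate look, and an appDomainManagerAssembly that is not a framework assembly is the injection itself, regardless of what else the file contains.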
Short-Term Hardening
Deploy WDAC or AppLocker DLL rules to block unsigned DLL execution from %APPDATA%, %TEMP% and the user's Downloads folder.
Enable the Microsoft-Windows-DotNETRuntime ETW provider and forward it to the SIEM; alert on abnormal assembly loads, and treat a .NET process that emits no runtime events at all as suspicious, since <etwEnable enabled='false'/> in the application config silences this provider for that process.
Enforce email and web-gateway policies to quarantine double-nested ZIP archives from external senders.
Implement DNS filtering that flags newly observed *.azurewebsites.net hostnames not associated with known business services; the actor provisions Azure App Service subdomains that impersonate sector brands. SOCRadar Attack Surface Management surfaces anomalous domain registrations in your sector.
Long-Term Posture
Run phishing-simulation exercises using Screening Serpens recruitment lure templates to harden employee recognition of Iranian Dream Job tactics.
Integrate SOCRadar Threat Intelligence feeds covering Screening Serpens / UNC1549 infrastructure patterns (Azure C2, ONLYOFFICE DocSpace, sector-brand impersonation) into SIEM/SOAR playbooks.
Enable SOCRadar Dark Web Monitoring to detect credential exposure from target sectors: aerospace, defense, technology and telecommunications.
DETECTIONS
Behavioral and signature-based detection rules mapped to observed TTPs. ATT&CK T-codes link to the MITRE ATT&CK knowledge base. Add listed Azure C2 domains to SOCRadar IOC Radar for continuous infrastructure monitoring.
| Det. ID | ATT&CK ID | Rule Name | Rule Type | Detection Logic | Severity |
|---|---|---|---|---|---|
| DET0001 | T1574.014, T1562.006 | AppDomainManager Config Abuse | File / EDR | Alert on .config files in user-writable directories whose runtime section contains 'etwEnable', 'bypassTrustedAppStrongNames', 'publisherPolicy' or an 'appDomainManagerAssembly' / 'appDomainManagerType' element. Correlate with the subsequent .NET assembly load by the host executable. | Critical |
| DET0002 | T1053.005 | Suspicious Scheduled Task via svchost | Event Log | Monitor Event ID 4698. Alert when the task's Exec action references an %APPDATA% path and the creating client process resolves to svchost.exe (4698 carries ClientProcessId, not an image name, so join it against process-creation telemetry). This is the MiniUpdate InitInstall.dll persistence signature. | Critical |
| DET0003 | T1574.001 | Unsigned DLL Loaded from AppData | EDR / Process | Detect unsigned DLLs (UpdateChecker.dll, unbcl.dll, Connection.dll, uevmonitor.dll, Updater.dll) loaded from %APPDATA% by a legitimately signed executable. | High |
| DET0004 | T1071.001 | Azure C2 Domain Beaconing | DNS / Proxy | Alert on DNS or HTTPS to `buisness-centeral*.azurewebsites.net`, `PremierHealthAdvisory*`, `Ramiltonsfinance*`, `licencemanagers*`, `ThemesManagers*`, `NanoMatrix*`, `QuantumWeave*`, `ElementShift*`; match hostnames case-insensitively. | Critical |
| DET0005 | T1566.002, T1204.002 | Nested ZIP with Job-Requisition PDFs | Email / Endpoint | Detect ZIP archives containing a nested Hiring Portal.zip or Portal.zip alongside PDFs with job-ID naming patterns. Flag delivery from ONLYOFFICE DocSpace URLs. | High |
| DET0006 | T1497, T1480 | Sandbox Evasion via Parent Process Check | EDR / Behavior | Alert when a .NET binary launched from a scheduled task inspects its parent process and exits immediately unless the parent is svchost.exe (the Task Scheduler service host), the Updater.dll gatekeeper pattern in MiniUpdate Stage 3. | High |
| DET0007 | T1027, T1140 | ROT13 + Byte-Reversal Config Decryption | Memory / EDR | Hunt for .NET assemblies that decode configuration strings with ROT13 plus byte reversal in a static constructor, InitInstall.dll's two-step cipher for its C2 config. | High |
| DET0008 | T1041, T1030 | Chunked File Upload to Azure C2 | NetFlow / Proxy | Alert on repeated HTTPS POST sequences from update.exe to the same azurewebsites.net subdomain; indicates the MiniUpdate chunked-exfiltration opcode added in the April variants. | High |
| DET0009 | T1036.005 | setup.exe Renamed in AppData | File / EDR | Detect setup.exe renamed to update.exe under `%APPDATA%\[vendor]\bin\update\` and co-located with a .config containing AppDomainManager evasion directives. | High |
| DET0010 | T1027.001 | Oversized DLL with Junk String Patterns | Static / EDR | Flag DLLs larger than 8 MB loaded from AppData whose .rdata contains repeating Java/Python/SQL exception strings every 0x1E50 bytes, the MiniJunk V2 size-inflation signature. | Medium |
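DET0002 needs the Exec action pulled out of the TaskContent XML that Event 4698 embeds as escaped text, and the scheduled-task hunt in Immediate Actions needs the same parsing. The following Python is an added example, not part of the original page or of any vendor tooling. Both events are constructed (the vendor directory name Contoso, the PIDs and the user are invented), and the list of user-writable path fragments is an assumption. Note that 4698 records the creating client only as ClientProcessId, so the svchost.exe condition in DET0002 requires joining that PID against process-creation telemetry; the parser surfaces the PID for that join.

```python
"""Parse Windows Security Event 4698 (scheduled task created) and flag tasks whose
Exec action runs from a user-writable profile path (added example, not vendor tooling)."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumption: these env vars / path fragments cover the user-writable locations of interest.
USER_WRITABLE = re.compile(
    r"%(?:APPDATA|LOCALAPPDATA|TEMP|TMP)%|\\AppData\\|\\Temp\\|\\Downloads\\", re.IGNORECASE)
# Task names and path fragment reported on this page for the MiniUpdate persistence tasks.
KNOWN_TASK_NAMES = {"windowssecurityupdate", "synchronize os"}
KNOWN_COMMAND_TAIL = re.compile(r"\\bin\\update\\update\.exe$", re.IGNORECASE)
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def parse_4698(event_xml):
    """Return task name, (command, arguments) pairs, creating client PID and subject user."""
    data = {}
    for elem in ET.fromstring(event_xml).iter():
        if _local(elem.tag) == "Data" and elem.get("Name"):
            data[elem.get("Name")] = elem.text or ""
    actions = []
    content = data.get("TaskContent", "")
    if content:
        # Real events embed a UTF-16 declaration; the text is already decoded, so drop it.
        task = ET.fromstring(XML_DECL.sub("", content, count=1))
        for node in task.iter():
            if _local(node.tag) == "Exec":
                parts = {_local(c.tag): (c.text or "") for c in node}
                actions.append((parts.get("Command", ""), parts.get("Arguments", "")))
    return {
        "task_name": data.get("TaskName", ""),
        "actions": actions,
        "client_pid": data.get("ClientProcessId", ""),  # join key for process telemetry
        "user": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
    }


def evaluate(event_xml):
    """Return (alert, reasons) for one 4698 event following the DET0002 logic."""
    ev = parse_4698(event_xml)
    reasons = []
    for command, arguments in ev["actions"]:
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(arguments):
            reasons.append(f"action runs from user-writable path: {command} {arguments}".rstrip())
        if KNOWN_COMMAND_TAIL.search(command):
            reasons.append("command matches reported \\bin\\update\\update.exe layout")
    if ev["task_name"].lstrip("\\").lower() in KNOWN_TASK_NAMES:
        reasons.append(f"task name matches reported persistence task: {ev['task_name']}")
    return bool(reasons), reasons


def _task(command, arguments=""):
    """Constructed Task Scheduler XML as it appears inside TaskContent."""
    return ('<?xml version="1.0" encoding="UTF-16"?>'
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
            f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')


def _event(task_name, task_xml, pid="4412", user="jdoe"):
    """Constructed 4698 event in the shape Get-WinEvent ... ToXml() produces."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID>
    <Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1000</Data>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TaskName">{escape(task_name)}</Data>
    <Data Name="TaskContent">{escape(task_xml)}</Data>
    <Data Name="ClientProcessId">{pid}</Data>
  </EventData>
</Event>"""


# Constructed events: the vendor directory "Contoso", PIDs and user are invented.
MALICIOUS_EVENT = _event(r"\WindowsSecurityUpdate",
                         _task(r"C:\Users\jdoe\AppData\Roaming\Contoso\bin\update\update.exe"))
BENIGN_EVENT = _event(r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                      _task(r"%windir%\system32\defrag.exe", "-c -h -o -$"), pid="1180")

if __name__ == "__main__":
    for label, event in (("malicious", MALICIOUS_EVENT), ("benign", BENIGN_EVENT)):
        print(label, parse_4698(event)["client_pid"], evaluate(event))
```

In a SIEM, feed the exported 4698 XML through parse_4698, then join client_pid and the host name against Sysmon Event ID 1 or EDR process-creation records from the same minute to recover the creating image; only then can the svchost.exe clause of DET0002 be evaluated.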
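DET0010's stride signature can be checked without a signature engine by measuring the gaps between exception-like strings in the read-only data. The following Python is an added example, not part of the original page or of any vendor tooling. It operates on bytes already extracted from the .rdata section (PE parsing, for instance with pefile, is assumed to happen beforehand), the junk-string regex and the hit-count and share thresholds are assumptions, and the inflated buffer it analyses is constructed in code, not bytes from a real sample.

```python
"""Heuristic for the MiniJunk V2 size-inflation pattern: an oversized DLL whose read-only
data repeats exception-like junk strings at a fixed stride (added example, not vendor tooling)."""
import re
from collections import Counter

# Assumption: this regex approximates the Java/Python/SQL exception strings described.
JUNK_STRING = re.compile(
    rb"(?:[A-Za-z_]+\.)+[A-Za-z_]*(?:Exception|Error)\b"   # java.lang.NullPointerException, System.IO.IOException
    rb"|Traceback \(most recent call last\)"               # Python traceback header
    rb"|ORA-\d{5}|SQLSTATE\[?[0-9A-Z]{5}"                  # Oracle / ANSI SQL error codes
)
EXPECTED_STRIDE = 0x1E50           # interval reported for MiniJunk V2
SIZE_THRESHOLD = 8 * 1024 * 1024   # "larger than 8 MB" from DET0010


def junk_offsets(data):
    """Offsets of every junk-string hit in the section bytes (section extraction assumed done)."""
    return [m.start() for m in JUNK_STRING.finditer(data)]


def dominant_stride(offsets):
    """(stride, share): most common gap between consecutive hits and its share of all gaps."""
    if len(offsets) < 2:
        return 0, 0.0
    gaps = Counter(b - a for a, b in zip(offsets, offsets[1:]))
    stride, count = gaps.most_common(1)[0]
    return stride, count / (len(offsets) - 1)


def analyze(data, size_threshold=SIZE_THRESHOLD, expected_stride=EXPECTED_STRIDE,
            min_hits=64, min_share=0.9):
    """Score one section. Filler regions yield hundreds of hits with one dominant gap;
    genuine error-message tables are irregular and far smaller (thresholds are assumptions)."""
    offsets = junk_offsets(data)
    stride, share = dominant_stride(offsets)
    verdict = (len(data) > size_threshold and len(offsets) >= min_hits
               and stride == expected_stride and share >= min_share)
    return {"size": len(data), "junk_hits": len(offsets), "stride": stride,
            "stride_share": round(share, 3), "verdict": verdict}


# Constructed stand-in for an inflated .rdata section; not bytes from a real sample.
JUNK_STRINGS = [
    b"java.lang.NullPointerException: Cannot invoke method on null object",
    b'Traceback (most recent call last):\n  File "main.py", line 12, in <module>',
    b"ORA-01017: invalid username/password; logon denied",
    b"SQLSTATE[42S02]: Base table or view not found",
]


def build_inflated_sample(size=SIZE_THRESHOLD + 4096, stride=EXPECTED_STRIDE, base=0x400):
    """Zero-filled buffer with one junk string written every `stride` bytes."""
    buf = bytearray(size)
    for i, off in enumerate(range(base, size - 128, stride)):
        junk = JUNK_STRINGS[i % len(JUNK_STRINGS)]
        buf[off:off + len(junk)] = junk
    return bytes(buf)


# Constructed small section with two genuine-looking, irregularly spaced messages.
LEGIT_SAMPLE = (b"\x00" * 512 + b"System.IO.IOException" + b"\x00" * 777
                + b"ORA-00942: table or view does not exist" + b"\x00" * 64)

if __name__ == "__main__":
    print("inflated:", analyze(build_inflated_sample()))
    print("legit:   ", analyze(LEGIT_SAMPLE))
```

Because the test is a stride, not a string list, it survives the actor swapping the exception texts; changing the interval or randomising the spacing would defeat it, which is why the report's 8 MB size floor stays in the verdict as an independent signal.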