Iranian Hackers Exploit AppDomainManager Hijacking to Evade Detection
In a recent surge of cyber espionage activity, Iranian state-sponsored operators have adopted a .NET Framework technique known as AppDomainManager hijacking, which runs their implant inside a legitimate, typically signed, executable and so slips past endpoint detection and response (EDR) systems. The campaign has targeted organizations in the United States, Israel, and the United Arab Emirates, with a notable increase in activity following the regional conflicts that began on February 28, 2026.
Background and Threat Actor Profile
The threat group, identified as Screening Serpens—also known by aliases such as UNC1549, Smoke Sandstorm, and Iranian Dream Job—has been active since at least 2022. Initially focusing on Middle Eastern targets, the group expanded its operations into Western Europe in late 2025. Their primary targets include high-value sectors such as aerospace, defense manufacturing, and telecommunications. The attackers employ personalized social engineering tactics, utilizing fake job listings and spoofed meeting invitations to lure professionals into downloading malicious files.
Malware Deployment and Infection Chain
Between February and April 2026, security researchers identified six new remote access Trojan (RAT) variants deployed by this group, grouped into two malware families: MiniUpdate and MiniJunk V2. Both families begin with spear-phishing. Victims receive emails linking to what appear to be legitimate recruitment portals or video conferencing application installers. Once the victim runs the downloaded installer, a silent multi-stage infection chain delivers the RAT and gives the attackers full control of the compromised system.
Technical Analysis: AppDomainManager Hijacking
The most significant advancement in this campaign is the use of AppDomainManager hijacking. When the .NET Framework CLR starts a managed executable it reads the application's configuration file (app.exe.config) while creating the default application domain. If that file names a custom AppDomainManager through the appDomainManagerAssembly and appDomainManagerType settings, the runtime loads the named assembly and instantiates the type before the application's own entry point runs. The attackers therefore drop a managed DLL and an edited .config file next to a legitimate signed executable and let the CLR load the payload for them. The host binary is unmodified and nothing is injected into a foreign process, so the activity looks like a trusted application starting up, which is what lets it evade many security tools. The same settings can also be supplied through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables; the extension point exists in the .NET Framework CLR and has no equivalent in .NET Core and .NET 5 and later.
Two further lines in the same <runtime> section of the configuration file remove telemetry and checks that would otherwise get in the way. Setting <etwEnable enabled="false"/> turns off the CLR's Event Tracing for Windows (ETW) provider, a primary data source for EDR platforms that watch assembly loads and JIT activity in .NET processes. Setting <bypassTrustedAppStrongNames enabled="true"/> keeps strong-name signature verification switched off for full-trust code, so the dropped assembly loads without a verification exception even though it carries no valid strong-name signature. Strong-name verification is a CLR integrity check, distinct from Authenticode code signing, and the host executable's own Authenticode signature remains valid because the executable itself is never touched.
This is a mature living-off-the-land technique: no shellcode, no memory patching, and no process injection. The attackers use documented .NET Framework functionality, which makes behavioral detection harder. It also means the durable artifacts are small and specific: a new or modified *.exe.config that references an AppDomainManager, and an unexpected DLL in the same directory as a signed .NET Framework binary.
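The configuration audit that this technique calls for, as an added example written for this article (it is not code from the report, the researchers, or the threat actor): the element names are the documented .NET Framework <runtime> settings; the two sample config documents, the assembly name Updater, and the helper names audit_config, manager_assembly, and scan_directory are constructed for the illustration. The scanner flags the AppDomainManager entries, the ETW switch, and the strong-name bypass in any *.exe.config under a directory tree, and reports whether the referenced manager assembly is actually sitting beside the host executable.

```python
"""Audit .NET Framework *.exe.config files for AppDomainManager hijacking.

Added example. Element names are the documented .NET Framework <runtime>
settings; sample configs, the "Updater" assembly name and the helper names
are constructed for this illustration, not taken from the report.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: an ordinary config that only pins a runtime version.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

# Constructed sample of the three changes described in the text: a custom
# AppDomainManager, CLR ETW switched off, strong-name verification bypassed.
HIJACKED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Manager" />
    <etwEnable enabled="false" />
    <bypassTrustedAppStrongNames enabled="true" />
  </runtime>
</configuration>"""


def _runtime(xml_text):
    """Parse one config document and return its <runtime> element (or None)."""
    return ET.fromstring(xml_text).find("runtime")   # ParseError on bad XML


def audit_config(xml_text):
    """Return [(code, detail), ...] for one config document.

    Codes: APPDOMAIN_MANAGER, ETW_DISABLED, STRONG_NAME_BYPASS, PARSE_ERROR.
    """
    try:
        runtime = _runtime(xml_text)
    except ET.ParseError as exc:
        return [("PARSE_ERROR", str(exc))]   # unparseable config is itself odd
    if runtime is None:
        return []

    findings = []
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is not None or typ is not None:
        # The CLR loads this assembly and instantiates the type while creating
        # the default AppDomain, i.e. before the host's Main() runs.
        findings.append(("APPDOMAIN_MANAGER", "assembly=%s type=%s" % (
            asm.get("value") if asm is not None else "?",
            typ.get("value") if typ is not None else "?")))

    etw = runtime.find("etwEnable")
    if etw is not None and etw.get("enabled", "").lower() == "false":
        findings.append(("ETW_DISABLED",
                         'etwEnable enabled="false" silences the CLR ETW provider'))

    bypass = runtime.find("bypassTrustedAppStrongNames")
    if bypass is not None and bypass.get("enabled", "").lower() == "true":
        findings.append(("STRONG_NAME_BYPASS",
                         "strong-name verification bypass forced on for full-trust code"))
    return findings


def manager_assembly(xml_text):
    """Simple name of the configured AppDomainManager assembly, or None.

    'Updater, Version=1.0.0.0, ...' -> 'Updater': the CLR probes the host's
    directory for Updater.dll, which is where a dropped payload usually sits.
    """
    try:
        runtime = _runtime(xml_text)
    except ET.ParseError:
        return None
    asm = runtime.find("appDomainManagerAssembly") if runtime is not None else None
    if asm is None or not asm.get("value"):
        return None
    return asm.get("value").split(",", 1)[0].strip()


def scan_directory(root_dir):
    """Audit every *.exe.config under root_dir; returns {config_path: findings}.

    When a manager assembly is configured, the findings also record whether
    <name>.dll is present in the same directory as the host executable.
    """
    results = {}
    for cfg in Path(root_dir).rglob("*.exe.config"):
        text = cfg.read_text(encoding="utf-8-sig")   # tolerate a UTF-8 BOM
        findings = audit_config(text)
        name = manager_assembly(text)
        if name is not None:
            dll = cfg.with_name(name + ".dll")        # same directory as cfg
            findings.append(("MANAGER_DLL_PRESENT" if dll.exists()
                             else "MANAGER_DLL_MISSING", str(dll)))
        if findings:
            results[str(cfg)] = findings
    return results


if __name__ == "__main__":
    import sys
    for path, found in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path)
        for code, detail in found:
            print("  %-20s %s" % (code, detail))
```

Run it as `python audit_appdomain.py "C:\Program Files"` (or against a mounted disk image) and triage every APPDOMAIN_MANAGER hit, paying particular attention to MANAGER_DLL_PRESENT entries where the DLL is not part of the product's install manifest. Two caveats: a config-file audit does not see the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, which produce the same load without touching any file, so process environment should be checked alongside; and legitimate custom AppDomainManagers do exist in some hosting products, so compare hits against a known-good baseline rather than treating every match as malicious.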
Implications and Recommendations
The adoption of AppDomainManager hijacking by Iranian threat actors shows how far state-sponsored tradecraft has moved toward abusing documented platform features rather than exploiting bugs. Organizations in the targeted sectors should tune their monitoring and hardening to the specific artifacts this technique leaves behind.
Recommendations:
1. Enhanced Monitoring: Watch .NET Framework processes during startup rather than only after the fact. Alert when a signed executable loads a non-Microsoft assembly from its own directory immediately after the CLR (mscoree.dll and clr.dll) is loaded (Sysmon Event ID 7 captures image loads), when a process that has the CLR loaded emits nothing on the Microsoft-Windows-DotNETRuntime ETW provider, and when APPDOMAIN_MANAGER_ASM or APPDOMAIN_MANAGER_TYPE appear in a process's environment.
2. Configuration Integrity Checks: Inventory every *.exe.config on managed endpoints and flag appDomainManagerAssembly, appDomainManagerType, etwEnable enabled="false", and bypassTrustedAppStrongNames entries against a known-good baseline. Alert on creation or modification of .exe.config files and on new DLLs written into the directories of signed .NET applications, since the two artifacts arrive together.
3. User Education: Train employees to recognize the lures this group uses, in particular unsolicited job offers and meeting invitations that require installing software, and to verify the sender and the download source before running any installer.
4. Endpoint Security Solutions: Choose and configure EDR so that it does not depend solely on CLR ETW events for .NET visibility; kernel-level image load and file creation telemetry still observes the hijack even after the ETW provider has been switched off in the process.
Together these measures turn a technique that is designed to look like normal application startup back into something with a recognizable footprint, and raise the cost of the evasion for state-sponsored adversaries who rely on it.