Iranian Hackers Exploit Azure in Sophisticated Cyber Espionage Targeting US, Israel, UAE Tech Professionals

Iranian Hackers Exploit Azure for Stealthy Espionage Attacks

A sophisticated cyber espionage campaign has emerged, targeting technology professionals in the United States, Israel, and the United Arab Emirates. This operation, attributed to the Iran-linked hacking group known as Screening Serpens (also referred to as UNC1549, Smoke Sandstorm, and Iranian Dream Job), employs advanced remote access trojans (RATs) to infiltrate systems under the guise of legitimate recruitment and software installation processes.

Campaign Overview

The campaign commenced in mid-February 2026, coinciding with escalating regional tensions in the Middle East. By mid-April, researchers had identified new malware samples, indicating the operation’s expansion. Screening Serpens, active since at least 2022, initially focused on Middle Eastern targets before extending its reach to Western Europe in late 2025.

Malware Families: MiniUpdate and MiniJunk V2

Analysts have identified six new RAT variants categorized into two families: MiniUpdate and MiniJunk V2. Both are delivered through spear-phishing that impersonates reputable brands and hiring platforms. Victims receive fake job offers or counterfeit meeting invitations that lead them to download malicious archives. When the archive contents are executed, the infection chain starts in the background while a decoy (a job description or an installer splash screen) is shown to the user.

MiniUpdate RAT: Advanced Evasion Techniques

The MiniUpdate RAT employs AppDomainManager hijacking (also called AppDomainManager injection). A legitimate, validly signed .NET executable is shipped alongside an attacker-supplied application configuration file whose runtime section names a malicious assembly as the AppDomainManager. The .NET runtime honours that setting and loads the assembly before the host application's own entry point runs, so attacker code executes inside a process that looks like a trusted application starting up. Once loaded, the malware disables Event Tracing for Windows (ETW), a critical telemetry source that endpoint detection tools rely on, and bypasses digital signature checks, effectively blinding standard security monitoring before it has a chance to observe the payload.
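The hijack described above leaves a concrete artifact on disk: a `<name>.exe.config` file whose `<runtime>` element declares `appDomainManagerAssembly` and `appDomainManagerType`. Legitimate software almost never sets these, so they are a strong hunting signal. The following is an added example (not code from the report or from the malware) that parses such config files and flags the override; the assembly, type and file names in the samples are invented for illustration, and the environment-variable check covers a second delivery route for the same override that the report does not discuss.

```python
"""Hunt for AppDomainManager hijacking in .NET application config files.

When app.exe starts, the CLR reads app.exe.config. If its <runtime> element
carries <appDomainManagerAssembly> / <appDomainManagerType>, the runtime loads
that assembly and instantiates the named type before the application's own
Main() executes, so attacker code runs inside a legitimately signed process.
Added example, not code from the report; all file and assembly names below
are invented for illustration.
"""
import os
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

# The two <runtime> children that turn a plain config file into a loader.
HIJACK_TAGS = ("appDomainManagerAssembly", "appDomainManagerType")


def appdomainmanager_override(config_xml: str) -> Optional[dict]:
    """Return {"assembly": ..., "type": ...} when the config names an
    AppDomainManager, else None. Malformed XML is treated as no finding."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    found = {}
    for child in runtime:
        tag = child.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag in HIJACK_TAGS:
            found[tag] = (child.get("value") or "").strip()
    if not found:
        return None
    return {"assembly": found.get("appDomainManagerAssembly", ""),
            "type": found.get("appDomainManagerType", "")}


def scan_configs(files: dict) -> list:
    """files maps '<exe name>.config' -> XML text. Returns one finding per
    config that declares an AppDomainManager, naming the host executable
    it would hijack."""
    findings = []
    for name, xml in files.items():
        hit = appdomainmanager_override(xml)
        if hit is None:
            continue
        host = name[:-len(".config")] if name.lower().endswith(".config") else None
        findings.append({"config": name, "host_exe": host, **hit})
    return findings


def scan_directory(directory: str) -> list:
    """Disk wrapper: check every *.exe.config under a directory tree."""
    files = {f.name: f.read_text(errors="replace")
             for f in Path(directory).rglob("*.exe.config")}
    return scan_configs(files)


def env_override(env: Optional[dict] = None) -> Optional[dict]:
    """The same override can be injected without touching any file, through
    the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE process environment
    variables, so a hunt should check those as well."""
    env = os.environ if env is None else env
    asm, typ = env.get("APPDOMAIN_MANAGER_ASM"), env.get("APPDOMAIN_MANAGER_TYPE")
    if not asm and not typ:
        return None
    return {"assembly": asm or "", "type": typ or ""}


# Constructed samples. BENIGN_CONFIG is an ordinary binding redirect;
# HIJACK_CONFIG is the shape an attacker drops next to a signed executable.
BENIGN_CONFIG = """<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Contoso.Logging" publicKeyToken="0123456789abcdef" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-2.0.0.0" newVersion="2.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>"""

HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>"""

SAMPLE_FILES = {"Viewer.exe.config": BENIGN_CONFIG, "Installer.exe.config": HIJACK_CONFIG}

if __name__ == "__main__":
    for f in scan_configs(SAMPLE_FILES):
        print(f"{f['config']}: {f['host_exe']} would load {f['assembly']} ({f['type']})")
```

Point `scan_directory` at Program Files, user profile directories and any folder where an archive from a recruitment email was extracted; a hit does not prove compromise by itself, but a config that names an AppDomainManager next to a signed executable that was not built to expect one should be treated as a loader until shown otherwise.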

To maintain persistence, MiniUpdate creates a scheduled task that runs daily at 09:30 local time, so the implant is relaunched after every reboot. Notably, it uses Azure-hosted domains for command and control (C2), with a distinct domain assigned to each target. This complicates detection and mitigation: the traffic blends in with legitimate Azure usage, and blocking or sinkholing one domain exposes a single victim rather than the whole infrastructure.
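Both indicators in the paragraph above can be hunted with host and DNS telemetry most organizations already collect: scheduled tasks exported as XML (`schtasks /query /xml`) and resolver logs. The following is an added example, not code from the report; the Azure suffix list, the one-line-per-query log format, the task names and the command paths are all assumptions made for illustration.

```python
"""Hunt for the two MiniUpdate indicators: a daily scheduled task firing at
09:30 local time, and per-victim command-and-control domains hosted on Azure.
Added example, not code from the report; the suffix list, log format and all
sample data below are assumptions.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Optional

# Assumed: common DNS suffixes of Azure-hosted services. The report does not
# say which Azure service the C2 domains used, so tune this list locally.
AZURE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com",
                  ".azurefd.net", ".trafficmanager.net")


def _local(tag: str) -> str:
    """Strip the namespace the Task Scheduler schema puts on every element."""
    return tag.rsplit("}", 1)[-1]


def daily_task_time(task_xml: str) -> Optional[dict]:
    """Return {"time": "HH:MM", "command": ...} for a task whose CalendarTrigger
    repeats every day (DaysInterval == 1), else None."""
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return None
    for trig in root.iter():
        if _local(trig.tag) != "CalendarTrigger":
            continue
        interval = next((e.text for e in trig.iter() if _local(e.tag) == "DaysInterval"), None)
        start = next((e.text for e in trig.iter() if _local(e.tag) == "StartBoundary"), None)
        if interval is None or start is None or interval.strip() != "1" or "T" not in start:
            continue
        # StartBoundary is ISO-8601; its time-of-day part is what repeats daily.
        hhmm = start.strip().split("T", 1)[1][:5]
        command = next((e.text for e in root.iter() if _local(e.tag) == "Command"), None)
        return {"time": hhmm, "command": command}
    return None


def tasks_firing_at(tasks: dict, hhmm: str = "09:30") -> list:
    """tasks maps task name -> exported XML. Returns the daily tasks that fire at hhmm."""
    hits = []
    for name, xml in tasks.items():
        info = daily_task_time(xml)
        if info and info["time"] == hhmm:
            hits.append({"task": name, **info})
    return hits


def rare_azure_domains(dns_lines, max_clients: int = 1) -> dict:
    """Group queries by name and return Azure-hosted domains resolved by at most
    max_clients distinct source hosts. Per-victim C2 domains show up as names
    that only one machine in the estate ever resolves, which a reputation
    feed keyed on the shared Azure suffix will never catch.
    Assumed log format: '<timestamp> <client_ip> <qname>' per line."""
    clients = defaultdict(set)
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname.endswith(AZURE_SUFFIXES):
            clients[qname].add(client)
    return {d: sorted(c) for d, c in clients.items() if len(c) <= max_clients}


# Constructed samples in the shape of `schtasks /query /xml` output
# (XML declaration omitted). Task names and paths are invented.
TASK_NS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
SAMPLE_TASKS = {
    "MeetingClientUpdate": f"""<Task version="1.2" {TASK_NS}>
  <Triggers><CalendarTrigger>
    <StartBoundary>2026-03-02T09:30:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\jdoe\\AppData\\Roaming\\MeetSetup\\MeetSetup.exe</Command></Exec></Actions>
</Task>""",
    "BackupAgent": f"""<Task version="1.2" {TASK_NS}>
  <Triggers><CalendarTrigger>
    <StartBoundary>2025-11-01T12:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Backup\\agent.exe</Command></Exec></Actions>
</Task>""",
}

# Constructed sample resolver log: '<timestamp> <client_ip> <qname>'.
SAMPLE_DNS = """
2026-03-10T08:01:02 10.0.0.11 login.microsoftonline.com
2026-03-10T08:01:05 10.0.0.12 login.microsoftonline.com
2026-03-10T08:02:11 10.0.0.11 corp-intranet.azurewebsites.net
2026-03-10T08:02:14 10.0.0.12 corp-intranet.azurewebsites.net
2026-03-10T08:02:19 10.0.0.13 corp-intranet.azurewebsites.net
2026-03-10T09:30:04 10.0.0.12 a7f3-sync-portal.azurewebsites.net
2026-03-10T09:30:06 10.0.0.12 a7f3-sync-portal.azurewebsites.net
2026-03-10T09:30:40 10.0.0.21 q2bk-meet-relay.cloudapp.azure.com
""".strip().splitlines()

if __name__ == "__main__":
    print(tasks_firing_at(SAMPLE_TASKS))
    print(rare_azure_domains(SAMPLE_DNS))
```

The rarity threshold is the important design choice: blocking Azure suffixes outright is not an option for most environments, but a domain under one of those suffixes that exactly one host resolves, at the same minute a daily task fires, is a much narrower question to ask of the data than "is this Azure traffic malicious".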

In March, the campaign targeted U.S. professionals with archives masquerading as airline recruitment materials, including fabricated job descriptions for senior technical positions. Simultaneously, Israeli targets received archives posing as video conferencing software installers, complete with spoofed loading screens to mask the malware deployment.

MiniJunk V2: Obfuscated Backdoor

First detected on February 17, 2026, MiniJunk V2 represents an evolution of previous malware versions, featuring enhanced obfuscation techniques to evade detection. This backdoor targets technology and defense sectors, underscoring the strategic intent of Screening Serpens to infiltrate critical industries.

Implications and Recommendations

The use of Azure-hosted domains for C2 signals a shift towards legitimate cloud services as cover for malicious traffic. Reputation-based blocking is of limited use when the infrastructure sits on a platform the organization itself depends on, and the per-target domains mean that an indicator recovered from one victim says little about the next.

Organizations are advised to implement email filtering capable of intercepting spear-phishing attempts and to train employees to recognize recruitment and meeting-invitation lures. On the endpoint side, the indicators in this campaign are concrete enough to hunt for: application configuration files that name an AppDomainManager beside signed .NET executables, tampering with ETW, newly created daily scheduled tasks, and Azure-hosted domains that only a single host in the environment resolves. Regular audits for these artifacts can identify an intrusion before it expands.