Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Unit 42 researchers identified six new remote access Trojan (RAT) variants deployed between February and April 2026, grouped into two distinct malware families named MiniUpdate and MiniJunk V2.
Unit 42 researchers identified six new remote access Trojan (RAT) variants deployed between February and April 2026, grouped into two distinct malware families named MiniUpdate and MiniJunk V2.
Unit 42 researchers identified six new remote access Trojan (RAT) variants deployed between February and April 2026, grouped into two distinct malware families named MiniUpdate and MiniJunk V2.
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Their infection chains begin with targeted spear phishing lures, leveraging DLL sideloading for execution.
InitInstall.dll leverages Windows Task Scheduler to ensure the payload survives reboots. It creates a scheduled task that is configured to trigger every day at 09:30 local time.
MiniUpdate stores all API names, C2 domains and endpoints in plaintext within the .rdata section.
The threat actor employed a .NET-specific code execution technique known as AppDomainManager hijacking. This method allows the attackers to hijack the execution flow of a legitimate application by manipulating its configuration file, granting them arbitrary code execution before the host application even starts.
The MiniJunk V2 family used an older configuration method but added heavy code obfuscation and file size inflation to bypass automated scanning limits.
Attackers mimicked legitimate corporate job applications by including specific job IDs... The threat actor rotated the C2 domains to impersonate a health sector entity... and a financial sector entity.
This effectively hollows out the legitimate Microsoft process, allowing the next payload, Updater.dll, to load into an unmonitored memory space.
Sandbox evasion: It checks if the parent process is svchost.exe. Because the malware relies on a scheduled task to launch, svchost is the natural parent. If a security analyst or automated sandbox executes the file directly, this check will fail and the malware will silently terminate.
It performs a hard-coded date-based validity check to ensure that the RAT runs on any date that is after March 27, 2026, 13:30:00 UTC.
The threat actor employed a .NET-specific code execution technique known as AppDomainManager hijacking. This method allows the attackers to hijack the execution flow of a legitimate application by manipulating its configuration file, granting them arbitrary code execution before the host application even starts.
The analyzed payload functions as a highly versatile backdoor, granting the attacker near-complete operational control over the compromised host's file system
Sandbox evasion: It checks if the parent process is svchost.exe. Because the malware relies on a scheduled task to launch, svchost is the natural parent. If a security analyst or automated sandbox executes the file directly, this check will fail and the malware will silently terminate.
The threat actor routes command and control (C2) traffic through a set of three to five unique domains, mostly hosted by Azure, dedicated to each target and variant. This technique prevents cross contamination to increase operational resiliency.
By adding a few targeted XML lines to the application’s config file, attackers instruct the .NET runtime to disable its own security features. They turn off Event Tracing for Windows (ETW), the primary data source that modern endpoint detection and response (EDR) platforms rely on to monitor .NET activity.
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote access trojan family used by the Iran-linked group Screening Serpens/UNC1549. It is delivered through spear-phishing archives, uses an older configuration method combined with heavy code obfuscation and file size inflation to evade scanning, and routes command-and-control traffic through Azure-hosted domains masquerading as legitimate Windows service names.
MiniJunk V2 is an evolved RAT family used by Screening Serpens. It is delivered through spear-phishing and DLL sideloading, uses scheduled-task persistence, heavily obfuscated code, Azure-hosted C2 infrastructure, and supports victim registration, command retrieval, payload download, and data exfiltration.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.