Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Unit 42 researchers identified six new remote access Trojan (RAT) variants deployed between February and April 2026, grouped into two distinct malware families named MiniUpdate and MiniJunk V2.
Unit 42 researchers identified six new remote access Trojan (RAT) variants deployed between February and April 2026, grouped into two distinct malware families named MiniUpdate and MiniJunk V2.
Unit 42 researchers identified six new remote access Trojan (RAT) variants deployed between February and April 2026, grouped into two distinct malware families named MiniUpdate and MiniJunk V2.
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Their infection chains begin with targeted spear phishing lures, leveraging DLL sideloading for execution.
For persistence, the malware used Windows Task Scheduler, creating a daily trigger at 09:30 local time.
Arbitrary command execution: Executes shell commands via cmd.exe /c
MiniUpdate stores all API names, C2 domains and endpoints in plaintext within the .rdata section.
The threat actor employed a .NET-specific code execution technique known as AppDomainManager hijacking. This method allows the attackers to hijack the execution flow of a legitimate application by manipulating its configuration file, granting them arbitrary code execution before the host application even starts.
Across all samples, the threat actor uses junk code and padding to artificially inflate the file size, successfully bypassing endpoint detection and scanning limits.
Attackers mimicked legitimate corporate job applications by including specific job IDs... The threat actor rotated the C2 domains to impersonate a health sector entity... and a financial sector entity.
Dynamic code execution: Loads arbitrary DLLs directly into memory to run specific exported functions
Persistence: Creates a logon-triggered scheduled task named WindowsSecurityUpdate, with built-in capabilities to remove or reinstall this task.
This effectively hollows out the legitimate Microsoft process, allowing the next payload, Updater.dll, to load into an unmonitored memory space.
Sandbox evasion: It checks if the parent process is svchost.exe. Because the malware relies on a scheduled task to launch, svchost is the natural parent. If a security analyst or automated sandbox executes the file directly, this check will fail and the malware will silently terminate.
Sandbox evasion: It checks if the parent process is svchost.exe . Because the malware relies on a scheduled task to launch, svchost is the natural parent. If a security analyst or automated sandbox executes the file directly, this check will fail and the malware will silently terminate.
The threat actor employed a .NET-specific code execution technique known as AppDomainManager hijacking. This method allows the attackers to hijack the execution flow of a legitimate application by manipulating its configuration file, granting them arbitrary code execution before the host application even starts.
Process manipulation: Enumerates running processes and terminates them
The analyzed payload functions as a highly versatile backdoor, granting the attacker near-complete operational control over the compromised host's file system
Sandbox evasion: It checks if the parent process is svchost.exe. Because the malware relies on a scheduled task to launch, svchost is the natural parent. If a security analyst or automated sandbox executes the file directly, this check will fail and the malware will silently terminate.
Sandbox evasion: It checks if the parent process is svchost.exe . Because the malware relies on a scheduled task to launch, svchost is the natural parent. If a security analyst or automated sandbox executes the file directly, this check will fail and the malware will silently terminate.
The threat actor routes command and control (C2) traffic through a set of three to five unique domains, mostly hosted by Azure, dedicated to each target and variant. This technique prevents cross contamination to increase operational resiliency.
By adding a few targeted XML lines to the application’s config file, attackers instruct the .NET runtime to disable its own security features. They turn off Event Tracing for Windows (ETW), the primary data source that modern endpoint detection and response (EDR) platforms rely on to monitor .NET activity.
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote access trojan used by the Iran-linked group Screening Serpens/UNC1549 in spear-phishing campaigns. It is delivered via fake job portals or video conferencing installers, uses a multi-stage infection chain, leverages AppDomainManager hijacking to disable ETW and bypass strong-name validation, and persists via Windows Task Scheduler.
MiniUpdate is a multi-functional remote access trojan used by Screening Serpens in espionage campaigns. It uses DLL sideloading and AppDomainManager hijacking to disable .NET security telemetry, establish persistence via scheduled tasks, execute shell commands, load DLLs in memory, manipulate processes, and exfiltrate files including chunked uploads.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.