Iran-linked Screening Serpens Group Deploys MiniUpdate RAT via Azure C2

Iran-linked Screening Serpens Group Deploys MiniUpdate RAT via Azure C2

First seen 25 May 2026, 10:00 UTC GbhackersCybersecuritynews 83% similarity 72.5

Article Content

Browse articles
ThreatCluster

The Screening Serpens group, linked to Iran, has initiated a targeted espionage campaign using a new remote access Trojan (RAT) named MiniUpdate. This campaign primarily targets technology professionals in the United States, Israel, and the United Arab Emirates. The attacks utilize Azure-hosted command and control (C2) domains, employing deceptive recruitment lures and fake software installers to distribute the malware. The campaign reportedly began in mid-February 2026 and has raised significant concerns among cybersecurity experts due to its sophisticated methods. Screening Serpens has been active since at least 2022, indicating a long-term strategic focus on espionage. The exact number of affected individuals or organizations remains unclear, but the implications for national security are substantial.

Key Points: • The Screening Serpens group is linked to Iran and has been active since 2022. • MiniUpdate RAT is deployed via Azure-hosted C2 domains using deceptive tactics. • The campaign targets professionals in the US, Israel, and the UAE, raising national security concerns.

ThreatCluster AI

Timeline

2026-02-15
Espionage campaign begins
The Screening Serpens group starts deploying MiniUpdate RAT using Azure C2, targeting tech professionals.
Cybersecuritynews
2026-05-25
News articles published
Two articles detail the ongoing espionage campaign and the use of MiniUpdate RAT by Screening Serpens.
Gbhackers

Community

Browse all →