Iranian Hackers Use AppDomainManager Hijacking to Evade EDR Detection
Severity: High (Score: 73.2)
Sources: Cybersecuritynews, Gbhackers
Keywords: hackers, iranian, appdomainmanager, hijacking, detection, their, endpoint
Summary
Iranian hackers have employed AppDomainManager hijacking in .NET applications to disable security telemetry and evade endpoint detection and response (EDR) tools. This advanced technique is linked to the Iran-nexus group Screening Serpens and is combined with DLL sideloading and fake job lures. The campaign primarily targets organizations in the United States, Israel, and the United Arab Emirates, intensifying after a regional conflict that began on February 28, 2026. The attack's sophistication raises concerns about the effectiveness of current EDR solutions against such tactics. Specific numbers and CVEs were not disclosed in the articles, but the implications for affected systems are significant.

Key Points:
- Iranian hackers are using AppDomainManager hijacking to bypass EDR tools.
- The campaign targets organizations in the U.S., Israel, and the UAE, and is linked to a recent regional conflict.
- This sophisticated attack method complicates detection and response efforts for cybersecurity teams.
Detailed Analysis
**Impact**
Organizations in the United States, Israel, and the United Arab Emirates are targeted by this campaign. The attack affects sectors involved in regional geopolitical interests, with potential compromise of sensitive operational and intelligence data. The scope includes multiple entities linked to ongoing regional conflicts since February 28, 2026, increasing risks to national security and critical infrastructure.

**Technical Details**
The attackers use AppDomainManager hijacking in .NET applications to disable security telemetry early in execution, combined with DLL sideloading and staged fake job lure campaigns. The activity is attributed to the Iran-linked APT group Screening Serpens. No specific CVEs or malware names were disclosed. The technique enables evasion of endpoint detection and response (EDR) tools by interfering with the kill chain at the initial execution and persistence stages. No IOCs were provided.

**Recommended Response**
Defenders should monitor for unusual modifications to AppDomainManager configurations in .NET environments and for suspicious DLL sideloading behavior. Endpoint security solutions must be updated to detect hijacking attempts and telemetry suppression. Organizations in affected regions should increase vigilance against phishing campaigns that use fake job offers. No patch or specific CVE mitigation was mentioned; the focus should be on detection and behavioral monitoring.
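The monitoring the response section calls for can be automated. The .NET Framework lets an application's `*.exe.config` register a custom AppDomainManager through the `appDomainManagerAssembly` and `appDomainManagerType` attributes of the `<runtime>` element, and the same override exists as the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables; either loads code before the application's `Main()` runs. The following detector is an added example, not code from the articles or from any vendor; the config fixtures, the file paths and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# <runtime> attributes and environment variables the .NET Framework honours
# to load a custom AppDomainManager before the application's Main() runs.
MANAGER_ATTRS = ("appDomainManagerAssembly", "appDomainManagerType")
MANAGER_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def find_manager_override(config_xml: str) -> Optional[Dict[str, str]]:
    """Return AppDomainManager attributes set on <configuration><runtime>, else None.

    Unparseable XML is reported as a finding of its own rather than skipped.
    """
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return {"parse_error": str(exc)}
    if root.tag != "configuration":
        return None
    hits: Dict[str, str] = {}
    for runtime in root.iter("runtime"):
        for attr in MANAGER_ATTRS:
            if attr in runtime.attrib:
                hits[attr] = runtime.attrib[attr]
    return hits or None


def find_manager_env(env: Dict[str, str]) -> Dict[str, str]:
    """Return any APPDOMAIN_MANAGER_* variables present in a process environment."""
    return {k: env[k] for k in MANAGER_ENV if k in env}


def scan(configs: Dict[str, str], env: Dict[str, str]) -> List[str]:
    """One alert line per config override plus one for any environment override.

    `configs` maps an *.exe.config path to its XML text; a fleet scan would
    fill it by walking application directories (hypothetical paths below).
    """
    alerts = []
    for path, xml_text in configs.items():
        hit = find_manager_override(xml_text)
        if hit:
            alerts.append(f"{path}: {hit}")
    env_hit = find_manager_env(env)
    if env_hit:
        alerts.append(f"environment: {env_hit}")
    return alerts


# Constructed fixtures (not from the articles): a stock config and one with an override.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""
OVERRIDE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime appDomainManagerAssembly="Example.Manager" appDomainManagerType="Example.Manager" />
</configuration>"""
```

Because the environment-variable route bypasses the config file entirely, pair the file scan with process-creation telemetry that records the environment block of new .NET processes.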
Source articles (2)
- Iranian Hackers Hijack AppDomainManager to Bypass EDR — Gbhackers · 2026-06-01
  Iran-linked hackers have upgraded their tradecraft by using AppDomainManager hijacking in .NET applications to turn off security telemetry before malicious code fully starts, making endpoint detection…
- Iranian Hackers Abuse AppDomainManager Hijacking to Evade EDR Detection — Cybersecuritynews · 2026-06-01
  Iranian hackers have taken their cyberespionage playbook to a new level, deploying a sophisticated .NET hijacking technique to slip past endpoint defenses and target organizations across the United St…
Timeline
- 2026-02-28 — Regional conflict begins: A conflict in the Middle East escalates, leading to increased cyber activity from Iranian hackers.
- 2026-06-01 — Iranian hackers deploy AppDomainManager hijacking: Hackers use a sophisticated .NET technique to evade EDR detection, complicating cybersecurity efforts.
Related entities
- Screening Serpens (APT Group)
- Israel (Country)
- United Arab Emirates (Country)
- United States (Country)
- T1574 - Hijack Execution Flow (MITRE ATT&CK)