
Screening Serpens / UNC1549 (Iran; Smoke Sandstorm / Nimbus Manticore) — AppDomainManager hijacking in six new RATs

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

Unit 42 detailed Screening Serpens using AppDomainManager hijacking to silently disable ETW and strong-name verification across six newly documented RATs (daily 2026-05-23). The ETW blinding plus the strong-name-check bypass is the detection-relevant tradecraft: it defeats both behavioural telemetry and signature-trust controls in one step. Where an application does not require AppDomainManager redirection, monitor for the appDomainManagerAssembly / appDomainManagerType elements in its runtime configuration and for the equivalent environment-variable hijack vector.
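A defender-side check for the two vectors named above, added here as an example and not taken from the Unit 42 report: it parses a .NET application's .exe.config for the AppDomainManager redirection elements and checks a process environment block for the CLR variables that perform the same redirection (APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE, which are documented CLR settings but are not named in the brief). The sample configs, environment and allowlist are constructed for the example.

```python
"""Flag AppDomainManager redirection in .NET app configs and environment blocks."""
import xml.etree.ElementTree as ET

# Elements under <configuration><runtime> that redirect the AppDomainManager.
CONFIG_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# CLR environment variables that achieve the same redirection without a config file.
ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def scan_config_text(xml_text, app_name, allowlist=frozenset()):
    """Return finding strings for one application's .exe.config content."""
    if app_name.lower() in allowlist:
        return []  # application is known to require redirection (assumed allowlist)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"{app_name}: unparsable config ({exc})"]
    runtime = root.find("runtime")
    if runtime is None:
        return []
    findings = []
    for name in CONFIG_ELEMENTS:
        for element in runtime.findall(name):
            findings.append(f"{app_name}: <{name} value=\"{element.get('value', '')}\">")
    return findings


def scan_environment(env, process_name="<process>"):
    """Return finding strings for redirection variables in a process environment block."""
    upper = {k.upper(): v for k, v in env.items()}  # Windows env names are case-insensitive
    return [f"{process_name}: {var}={upper[var]}" for var in ENV_VARS if var in upper]


# Constructed samples: one redirected config, one benign runtime tweak, one env block.
SAMPLE_CONFIGS = {
    "updater.exe": (
        "<configuration><runtime>"
        '<appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />'
        '<appDomainManagerType value="Helper.Manager" />'
        "</runtime></configuration>"
    ),
    "reporting.exe": '<configuration><runtime><gcServer enabled="true" /></runtime></configuration>',
}
SAMPLE_ENV = {"Path": "C:\\Windows", "AppDomain_Manager_Asm": "Helper", "APPDOMAIN_MANAGER_TYPE": "Helper.Manager"}

if __name__ == "__main__":
    for app, text in SAMPLE_CONFIGS.items():
        for finding in scan_config_text(text, app):
            print("CONFIG ", finding)
    for finding in scan_environment(SAMPLE_ENV, "updater.exe"):
        print("ENV    ", finding)
```

On a live host the same functions would be fed each .exe.config beside a managed binary and the environment block of each running process; hits on applications outside the allowlist are the items to triage.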