Screening Serpens (UNC1549 / Smoke Sandstorm / Nimbus Manticore) — Iranian APT operationalising AppDomainManager hijacking; six new RAT variants MiniUpdate/MiniJunk V2 deployed Feb–Apr 2026

Unit 42 published a comprehensive write-up on Screening Serpens (a.k.a. UNC1549, Smoke Sandstorm, Nimbus Manticore) on 2026-05-22 covering operations from February through April 2026 timed to the onset of the U.S.–Israeli Middle East conflict that began 2026-02-28 (Unit 42, 2026-05-22 · Cybersecurity Dive, 2026-05-22). The group deployed new RAT variants across two malware families: MiniUpdate in four variants used between 2026-03-26 and 2026-04-17 with lures impersonating aviation, healthcare and financial-services firms, and MiniJunk V2 in two variants used between 2026-02-17 and 2026-03-27 against Middle Eastern and U.S. targets.

The technically significant evolution is AppDomainManager hijacking (T1574.014) paired with classic DLL sideloading (T1574.001): the infection chain drops a legitimate Microsoft .NET executable alongside a weaponised UpdateChecker.dll / InitInstall.dll / Updater.dll and — critically — a malicious .runtimeconfig.json that redirects the CLR's AppDomainManager loading at process startup, silently disabling ETW tracing and strong-name validation before the RAT executes. That leaves the host's EDR operating in a reduced-telemetry mode on every infected workstation. Delivery is high-touch — fake recruitment PDFs, spoofed video-conference meeting invitations, and ZIP archives containing a legitimate executable as the trigger; persistence uses scheduled tasks; C2 routes through Azure-hosted domains. Confirmed targets: U.S., Israel, UAE, plus at least two further Middle Eastern entities consistent with prior UNC1549 focus on aerospace, defence and telecommunications. The CH/EU nexus is indirect but real — Swiss aerospace and defence suppliers (RUAG, Pilatus and defence export channels) sit squarely in the sector profile, as do EU R&D firms historically swept up in Iranian collection campaigns.

Detection vantage: alert on .runtimeconfig.json writes by non-installer processes; watch the Microsoft-Windows-DotNETRuntime ETW provider for StrongNameVerification=0 startup events and CLR debug-mode initialisation; watch scheduled-task creation from processes with .dll parent images loading via rundll32.exe / svchost.exe. Hardening: enforce a code-integrity policy (UMCI + trusted-signers allowlist) so unsigned DLLs cannot load into the .NET CLR; restrict .runtimeconfig.json writes outside install paths via FIM.

The Dutch Health & Youth Care Inspectorate (Inspectie Gezondheidszorg en Jeugd, IGJ) issued a public finding on 2026-05-13 concluding that Clinical Diagnostics LCPL BV and NMDL BV (Rijswijk) did not meet the mandatory NEN 7510 information-security standard at the time of their July 2025 ransomware breach, and had not fully remediated the deficiencies as of IGJ's December 2025 follow-up inspection (IGJ, 2026-05-13; native title: "Clinical Diagnostics voldeed niet aan wettelijke norm voor informatiebeveiliging" — "Clinical Diagnostics did not meet the statutory information-security standard"). NEN 7510 is the Dutch statutory information-security baseline for healthcare organisations under the Wabvpz, structurally aligned with ISO/IEC 27001 but extended for health-data obligations; non-compliance is independently actionable by multiple regulators.

IGJ's two named failures are foundational rather than technical: (1) no independent audit of the laboratory's information security had ever been performed, and (2) the organisation had not periodically assessed its processing risks, leaving it unable to determine which controls were necessary. The July 2025 breach — Computable's prior reporting attributes it to the Nova ransomware group — exposed approximately 941,000 patients' personal and medical records, including cervical-cancer screening results processed for the population-screening programme Bevolkingsonderzoek Nederland (Computable, 2026-05-13). IGJ has no fining power and has demanded short-term independent NEN 7510 certification; Autoriteit Persoonsgegevens (Dutch DPA), whose GDPR enforcement carries fines, is running a parallel investigation. IGJ also signalled sector-wide enforcement intent by publicly calling for all healthcare providers to demonstrate independent certification — a leading indicator of broader inspection cadence.

For a Swiss SOC the parallel is direct: NEN 7510 is the regulatory analogue of the EPDG (Bundesgesetz über das elektronische Patientendossier) security profile, and the two specific failures — absence of third-party audit, absence of periodic risk assessment — are the same hygiene-baseline gaps Swiss healthcare providers face under cantonal supervision. The breach scale (941k records, mass-screening data) is the proximate consequence of those structural gaps; the operationally useful read for defenders is detection of NEN-7510-style baseline gaps via third-party assessment, not signature hunting.