ctipilot.ch

Home · Live brief · Weekly 2026-W21

Screening Serpens / UNC1549 (Iran; Smoke Sandstorm / Nimbus Manticore) — AppDomainManager hijacking in six new RATs

notable synthesis discovered 2026-05-18 05:00 UTC

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

Unit 42 detailed Screening Serpens using AppDomainManager hijacking to silently disable ETW and strong-name verification across six newly documented RATs (daily 2026-05-23). The ETW blinding plus the strong-name-check bypass is the detection-relevant tradecraft: because a custom AppDomainManager is instantiated when the CLR creates the default AppDomain, the patching runs before the host application's own Main() and defeats both behavioural telemetry and signature-trust controls in one step. Where an application does not legitimately require AppDomainManager redirection, monitor for the two hijack vectors the CLR honours: the appDomainManagerAssembly / appDomainManagerType entries under the runtime section of a .exe.config file dropped beside a signed .NET executable, and the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables set on a process that launches one. A config file appearing next to a previously config-less .NET binary is the cheaper of the two to catch with file-creation telemetry.
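The following triage helper is an added example written for this brief; it is not Unit 42 code and does not reproduce any sample from the report. It shows the two hijack vectors named above as concrete checks: it parses a .exe.config for appDomainManagerAssembly / appDomainManagerType under the runtime section, flags a referenced assembly that carries no strong-name token (PublicKeyToken=null), tolerates a malformed config instead of aborting the sweep, and filters a process environment for the APPDOMAIN_MANAGER_* variables. The element and variable names are documented CLR behaviour; the sample configs, the assembly name "UpdaterHelper" and the allowlist are constructed placeholders, not indicators from the report.

```python
import xml.etree.ElementTree as ET

# Environment variables the CLR honours to load a custom AppDomainManager before
# the target application's Main() runs. COMPLUS_VERSION is only a supporting
# indicator (it pins the runtime version) and never a verdict on its own.
PRIMARY_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
SUPPORTING_ENV_VARS = ("COMPLUS_VERSION",)
MANAGER_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def parse_appdomainmanager_config(config_xml: str) -> dict:
    """Return {element: value} for the AppDomainManager elements found under
    <configuration><runtime>, or {} if none. A config that does not parse is
    reported under the 'error' key rather than raised, so one corrupt or
    deliberately broken file does not stop a host-wide sweep."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return {"error": f"unparseable config: {exc}"}
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            tag = child.tag.split("}")[-1]  # tolerate a namespaced config
            if tag in MANAGER_ELEMENTS:
                found[tag] = (child.get("value") or "").strip()
    return found


def assess_config(config_xml: str, allowlist: frozenset = frozenset()) -> dict:
    """Classify a single .exe.config. 'allowlist' holds simple assembly names
    (the part before the first comma) that an application legitimately loads
    as its AppDomainManager; anything else that redirects is 'suspicious'."""
    facts = parse_appdomainmanager_config(config_xml)
    if "error" in facts:
        return {"verdict": "review", "reasons": [facts["error"]]}
    asm = facts.get("appDomainManagerAssembly", "")
    typ = facts.get("appDomainManagerType", "")
    if not asm and not typ:
        return {"verdict": "clean", "reasons": ["no AppDomainManager redirection"]}
    simple_name = asm.split(",")[0].strip()
    if simple_name and simple_name in allowlist:
        return {"verdict": "allowlisted", "reasons": [f"known manager {simple_name}"]}
    reasons = [f"redirects AppDomainManager to {asm or '<unset>'} / {typ or '<unset>'}"]
    if not (asm and typ):
        reasons.append("only one of assembly/type is set (partial or broken redirect)")
    if "publickeytoken=null" in asm.lower().replace(" ", ""):
        reasons.append("referenced assembly has no strong-name token (PublicKeyToken=null)")
    return {"verdict": "suspicious", "reasons": reasons}


def hijack_env_vars(environ: dict) -> dict:
    """Return the AppDomainManager-related variables present in a process
    environment. Windows variable names are case-insensitive, so the match is
    done on the upper-cased key; the original key is preserved in the result."""
    watched = PRIMARY_ENV_VARS + SUPPORTING_ENV_VARS
    return {k: v for k, v in environ.items() if k.upper() in watched}


def assess_environment(environ: dict) -> dict:
    """'suspicious' only when a primary variable is present; COMPLUS_VERSION
    alone is reported as 'review' because legitimate tooling sets it too."""
    hits = hijack_env_vars(environ)
    if any(k.upper() in PRIMARY_ENV_VARS for k in hits):
        return {"verdict": "suspicious", "hits": hits}
    if hits:
        return {"verdict": "review", "hits": hits}
    return {"verdict": "clean", "hits": hits}


# Constructed sample inputs (not from the report): a benign config that only
# pins the runtime, and a config that redirects the AppDomainManager to an
# unsigned assembly dropped beside the executable.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

HIJACK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdaterHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdaterHelper.Manager" />
  </runtime>
</configuration>"""

# Constructed process environment: a hijacked launch of a signed .NET binary.
HIJACK_ENV = {
    "Path": r"C:\Windows\System32",
    "AppDomain_Manager_Asm": "UpdaterHelper",
    "APPDOMAIN_MANAGER_TYPE": "UpdaterHelper.Manager",
    "COMPlus_Version": "v4.0.30319",
}

if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN_CONFIG), ("hijack", HIJACK_CONFIG)):
        print(label, assess_config(cfg))
    print("env", assess_environment(HIJACK_ENV))
```

In a real sweep, feed assess_config the contents of every *.exe.config found beside a .NET executable (and any config the loader would honour) and assess_environment the environment block captured at process creation; the allowlist is where an application that genuinely ships its own AppDomainManager is excluded, so the rule stays quiet for it without being disabled fleet-wide.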

nation-state espionage iran-nexus middle-east global