Back to Intelligence

MiniFast and MiniJunk V2: Detecting Iranian SEO Poisoning and Social Engineering Attacks

SA
Security Arsenal Team
May 26, 2026
6 min read

A sophisticated campaign attributed to Iranian state-sponsored hackers—likely aligning with the track record of TA456 (Tortoiseshell)—is actively leveraging Search Engine Optimization (SEO) poisoning and social engineering to deliver the MiniFast malware downloader and the MiniJunk V2 loader. Unlike broad-spread phishing, this campaign targets specific professionals by manipulating search results for legitimate business tools and software downloads.

For defenders, this represents a significant risk. Traditional email gateways are often bypassed because the victim initiates the download themselves via "legitimate"-looking search results. Once executed, MiniJunk V2 serves as an obfuscated loader, deploying MiniFast, which establishes a command-and-control (C2) beacon capable of data exfiltration and further lateral movement. Given the stealthy nature of the initial access vector, organizations must shift focus from email filtering to web traffic analysis and endpoint behavioral monitoring.

Technical Analysis

Affected Platforms: Windows-based environments.

Threat Components:

  • MiniJunk V2: An evolution of the MiniJunk loader family. It utilizes heavy obfuscation and is typically delivered via compressed archives (ZIP/RAR) masquerading as legitimate software installers. It is designed to bypass detection by security products and load the next stage payload.
  • MiniFast: A malware payload that functions as a downloader and C2 agent. It connects to attacker-controlled infrastructure to receive commands and potentially deploy additional tools, such as keyloggers or reverse proxies.

The Attack Chain:

  1. SEO Poisoning: Attackers optimize malicious websites to rank highly in search engine results for keywords related to specific legitimate software (e.g., VPN tools, collaboration platforms).
  2. Social Engineering: Victims, believing they are downloading the actual software, click the search result and download a malicious file (often an ISO or ZIP).
  3. Execution: The user mounts or extracts the archive and executes the file (often disguised as an installer or using DLL side-loading).
  4. Loading: MiniJunk V2 executes, utilizing obfuscated scripts or living-off-the-land binaries (LOLBins) to run in memory and decrypt the MiniFast payload.
  5. C2 Beaconing: MiniFast initiates HTTPS connections to the threat actor's C2 server, signaling system compromise.

Exploitation Status: Confirmed active exploitation in the wild. This is not a theoretical vulnerability but a live intelligence gathering operation.

Detection & Response

Detecting this campaign requires identifying the unusual execution patterns associated with SEO poisoning (web-initiated downloads) and the specific behaviors of MiniJunk V2 and MiniFast.

SIGMA Rules

YAML
---
title: Potential MiniJunk V2 Loader Activity - Suspicious Execution from Downloads
id: 8a4c2d1e-5f6a-4b3c-9e8d-1a2b3c4d5e6f
status: experimental
description: Detects execution of scripts or binaries directly from the user Downloads directory, a common TTP for SEO poisoning campaigns delivering MiniJunk.
references:
  - https://thehackernews.com/2026/05/iranian-hackers-deploy-minifast-and.html
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
    NewProcessName|contains: '\Downloads\'
    NewProcessName|endswith:
      - '.exe'
      - '.bat'
      - '.cmd'
      - '.vbs'
      - '.ps1'
  filter:
    - NewProcessName|contains: 'OneDriveSetup.exe'
    - NewProcessName|contains: 'DropboxInstaller.exe'
falsepositives:
  - Legitimate software installations initiated by user
level: medium
---
title: MiniFast C2 Beacon Pattern - Suspicious User-Agent
id: 9b5d3e2f-6a7b-5c4d-0f9e-2b3c4d5e6f7a
status: experimental
description: Detects network connections associated with MiniFast malware which often uses specific or malformed User-Agent strings during C2 check-in.
references:
  - https://thehackernews.com/2026/05/iranian-hackers-deploy-minifast-and.html
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\rundll32.exe'
  selection_optional:
    UserAgent|contains:
      - 'Mozilla/4.0'
      - 'Python-urllib'
  condition: selection or selection_optional
falsepositives:
  - Legacy application compatibility
  - Administrative scripts using old UA strings
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious child processes of web browsers indicating SEO poisoning download execution
let ProcessEvents = DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe")
| where FolderPath contains "\\Downloads\\"
| where FileName !in ("OneDriveSetup.exe", "DropboxInstaller.exe", "setup.exe", "install.exe") // Whitelist generic installers cautiously
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256, InitiatingProcessFileName;
ProcessEvents
| join kind=leftouter (DeviceNetworkEvents | where Timestamp > ago(7d) | where RemotePort in (80, 443, 8080)) on Timestamp, DeviceName
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, RemoteIP, RemoteUrl, SHA256

Velociraptor VQL

VQL — Velociraptor
-- Hunt for recently created executables in Downloads that have been executed
LET ProcessFiles = SELECT Pid, Name, Exe, CommandLine
FROM pslist()
WHERE Exe =~ "\\Downloads\\" AND Name =~ "\\.(exe|bat|cmd|vbs)$"

LET FileMetaData = SELECT FullPath, Size, Mtime
FROM glob(globs="C:\Users\*\Downloads\*.(exe|bat|cmd|vbs)")

SELECT * FROM foreach(row=ProcessFiles, 
    query={
        SELECT FullPath, Size, Mtime, 
               Pid, Name, Exe, CommandLine
        FROM FileMetaData
        WHERE FullPath = Exe AND Mtime < now() - duration("5m")
    })

Remediation Script (PowerShell)

PowerShell
# Emergency Response: Quarantine suspected SEO poisoning payloads
# This script scans user Downloads for suspicious executables created in the last 24h

$DateCutoff = (Get-Date).AddDays(-1)
$Users = Get-ChildItem "C:\Users" -Directory

Foreach ($User in $Users) {
    $DownloadsPath = Join-Path $User.FullName "Downloads"
    if (Test-Path $DownloadsPath) {
        Write-Host "Scanning $DownloadsPath..."
        
        $SuspiciousFiles = Get-ChildItem -Path $DownloadsPath -Recurse -Include *.exe, *.bat, *.cmd, *.vbs, *.js `
            | Where-Object { $_.CreationTime -gt $DateCutoff -and $_.Extension -ne ".exe" -or $_.Extension -eq ".exe" }
        
        foreach ($File in $SuspiciousFiles) {
            # Check for file characteristics common in SEO poisoning (generic names, single file)
            if ($File.Length -lt 50MB -and $File.Name -notmatch "installer|setup|update") {
                Write-Host "[!] Suspicious file found: $($File.FullName)" -ForegroundColor Yellow
                # Move to quarantine folder
                $QuarantinePath = "C:\Quarantine\SEO_Poisoning"
                if (!(Test-Path $QuarantinePath)) { New-Item -ItemType Directory -Path $QuarantinePath -Force }
                Move-Item -Path $File.FullName -Destination "$QuarantinePath\$($File.Name)_$($User.Name)" -Force
            }
        }
    }
}
Write-Host "Scan complete. Check C:\Quarantine for isolated items."

Remediation

1. Immediate Network Blocking: Block inbound and outbound connections to known C2 infrastructure associated with this campaign. If specific IOCs are not yet available, restrict outbound internet access for non-essential services and implement strict DNS filtering (RPZ) to prevent resolution of malicious domains used in SEO poisoning.

2. User Education & Awareness: Conduct immediate security awareness training focusing on the risks of downloading software from search engines. Enforce a policy where software installation must only occur from official vendor portals or internal software management solutions (e.g., SCCM, Intune).

3. Browser and Web Gateway Hardening: Configure Secure Web Gateways (SWG) to categorize and block "Newly Registered Domains" (NRDs) and "High Risk" TLDs often used in these campaigns. Implement browser policies that block automatic file downloads from non-corporate sites.

4. Endpoint Detection and Response (EDR) Tuning: Ensure your EDR policies are monitoring for process spawning from user "Downloads" directories. Create allow-lists for legitimate installers to reduce false positives, but enforce alerting for script execution (PowerShell/Batch) from these locations.

5. Incident Response Plan Activation: If a compromise is detected, assume credential theft. Force a password reset for affected accounts and review recent authentication logs for lateral movement indicators.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectioniranian-hackersminifastminijunk-v2

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action