Malware News Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

Khushal

Apr 4, 2024

Executive Summary

Unit 42 researchers have observed evidence of cyberattacks by the Iran-nexus advanced persistent threat (APT) group Screening Serpens (aka UNC1549, Smoke Sandstorm and Iranian Dream Job). Based on our visibility, we believe that the group targeted entities in the U.S., Israel and the United Arab Emirates, and likely two additional Middle Eastern entities.

This research follows an evolution through cyberattacks in mid-February through April 2026. The timing of these campaigns aligns closely with that of the regional conflict that started in the Middle East on Feb. 28, 2026. We discovered six new remote access Trojan (RAT) variants developed and deployed between February and April 2026.

Screening Serpens has been active since at least 2022. Their recent activity demonstrates an increase in technical capabilities and operational resilience.

Screening Serpens primarily targets technology sector professionals, using highly tailored social engineering. The group frequently uses personalized recruitment lures that impersonate trusted brands and hiring platforms, to trick targets into initiating the infection chain.

We assess with moderate-high confidence that the campaigns discussed in this article are conducted by Screening Serpens. The group has maintained a consistently high operational tempo throughout March and April 2026.
 
This is a notable report, but it is still best treated as one vendor’s threat intelligence assessment until it is corroborated more broadly.

Palo Alto Unit 42 is a reputable source, and the activity described fits a pattern that many Iran-linked intrusion reports have highlighted before: targeted social engineering, job/recruitment lures, and custom RAT development aimed at specific sectors.

What stands out in this report

  • The use of personalized recruitment lures, which is a very common and effective initial access method against technology professionals.
  • The claim of six new RAT variants in a short period, which could indicate active tooling development and adaptation.
  • The focus on U.S., Israel, UAE, and other Middle Eastern targets, which is consistent with geopolitically motivated targeting.
  • The emphasis on operational resilience, suggesting the group may be rotating infrastructure, malware families, or delivery methods to maintain access.

Important caution

The geopolitical attribution and timing correlation should be read carefully.

  • Threat intelligence attribution is often based on overlapping indicators, infrastructure, tradecraft, and analyst judgment.
  • Even when the technical research is solid, motive, sponsorship, and exact actor identity can be harder to prove with certainty.
  • The statement that the campaign timing aligns with a regional conflict does not by itself prove causation.

Practical takeaway for defenders

If this reporting is accurate, the main defensive lesson is less about the actor name and more about the intrusion method.

  • Be especially cautious with job offers, recruiter outreach, interview documents, and coding challenge attachments.
  • Verify recruiter identities through official company channels, not only email or messaging profiles.
  • Block or closely monitor execution from user download folders, temp folders, and archive extraction paths where practical.
  • Use endpoint protection with strong behavioral detection, because custom RAT variants may not have immediate signature coverage.
  • Submit suspicious files and links to VirusTotal for broader visibility, while keeping confidentiality in mind.
  • Review phishing-resistant MFA and least-privilege controls, since social engineering often aims to expand access after initial compromise.

For forum discussion purposes

The most useful next step is to focus on the technical indicators, delivery chain, and detection opportunities in the full report rather than only the APT label. That usually gives defenders something actionable even if attribution details later change.

Source
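One way to turn the "block or closely monitor execution from user download folders, temp folders, and archive extraction paths" takeaway above into something concrete is a small triage script over process-creation events. The code below is an added illustration written for this thread, not code from Unit 42 or from the report; the Sysmon-style JSON events are constructed samples, and the path patterns (Downloads, AppData\Local\Temp, Windows\Temp, and the 7zO*/Rar$* subfolders that 7-Zip and WinRAR create when a user double-clicks an archive member) are general assumptions about Windows behaviour, not indicators taken from the report.

```python
"""Flag process executions launched from download, temp and archive-extraction
paths. Illustrative detection logic for the forum takeaway above; the sample
events are constructed and the path patterns are assumptions, not report IoCs."""
import json
import re
from typing import Iterable, Optional

# Ordered so the most specific reason wins: an archive-extraction subfolder
# lives under the user Temp folder and must be checked before the generic rule.
SUSPICIOUS_PATHS = [
    ("archive extraction folder",
     re.compile(r"\\Temp\\(?:7z[A-Za-z0-9]+|Rar\$[A-Za-z0-9]+)\\", re.I)),
    ("user Downloads folder", re.compile(r"\\Users\\[^\\]+\\Downloads\\", re.I)),
    ("user Temp folder", re.compile(r"\\AppData\\Local\\Temp\\", re.I)),
    ("system Temp folder", re.compile(r"\\Windows\\Temp\\", re.I)),
]

# Interpreters whose *command line* (not image path) carries the payload,
# e.g. a .js "coding challenge" run by wscript.exe from a temp folder.
SCRIPT_HOSTS = {
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
    "cmd.exe", "rundll32.exe", "regsvr32.exe",
}


def _match_path(text: str) -> Optional[str]:
    """Return the name of the first suspicious path class found in text."""
    for reason, pattern in SUSPICIOUS_PATHS:
        if pattern.search(text):
            return reason
    return None


def classify_event(event: dict) -> Optional[str]:
    """Return a human-readable reason if the event is worth a look, else None."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    # Case 1: the executable itself lives in a download/temp/extraction path.
    reason = _match_path(image)
    if reason:
        return f"image launched from {reason}"
    # Case 2: a trusted script host was handed a file from such a path.
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS:
        reason = _match_path(cmdline)
        if reason:
            return f"{exe} given a script/payload from {reason}"
    return None


def find_suspicious_executions(lines: Iterable[str]) -> list:
    """Parse JSON-lines process-creation events and collect flagged ones.
    Malformed lines are skipped rather than aborting the whole run."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        reason = classify_event(event)
        if reason:
            hits.append({
                "host": event.get("Computer", "?"),
                "image": event.get("Image", ""),
                "parent": event.get("ParentImage", ""),
                "reason": reason,
            })
    return hits


# Constructed sample events (Sysmon Event ID 1 style fields, hypothetical values).
_SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS01", "Image": r"C:\Users\alice\Downloads\Interview_Task_2026.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\Interview_Task_2026.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\7zO1A2B3C\job_description.js"',
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe"},
    # Opening a text file from Downloads with notepad is not flagged: notepad is
    # not a script host and its own image path is clean.
    {"Computer": "WS01", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe "C:\Users\alice\Downloads\notes.txt"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS) + "\nnot-json-garbage\n"

if __name__ == "__main__":
    for hit in find_suspicious_executions(SAMPLE_LOG.splitlines()):
        print(f"[{hit['host']}] {hit['reason']}: {hit['image']} (parent: {hit['parent']})")
```

Feed it real Sysmon or EDR process-creation exports in JSON-lines form and tune the path list to your environment; the point is to surface the two lure-style launches (a .exe run straight from Downloads, and a script host given a file from an archive-extraction temp folder) while leaving ordinary document opens alone.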