An Iranian cyber espionage group, known as Screening Serpens, has been linked to a series of targeted attacks against entities in the United States, Israel, and the United Arab Emirates. According to a report by Palo Alto Networks’ Unit 42, this campaign unfolded over several months and coincided with escalating tensions in the region.
Understanding Screening Serpens
Screening Serpens, also referred to as UNC1549, Smoke Sandstorm, or Iranian Dream Job, is identified as an advanced persistent threat (APT) group tied to Iranian intelligence objectives. Its activities appeared to intensify during a regional conflict that erupted on February 28, 2026. Unit 42’s investigation, which focused on cyberattacks occurring from mid-February through April 2026, indicates that the group likely targeted additional Middle Eastern entities as well.
Campaign Details and New Malware
The latest cyber campaign executed by Screening Serpens involved six new variants of remote access Trojans (RATs), categorized under two malware families known as MiniUpdate and MiniJunk V2. These were part of parallel espionage efforts that formed two coordinated waves of cyberattacks. Researchers noted that at least one of the variants came with time-specific deployment instructions, highlighting a strategic approach in the group’s cyber operations. The timing of these attacks was likely a calculated response to the ongoing conflicts in the region.
Innovative Hacking Techniques
One significant advancement in this group’s tactics was the use of AppDomainManager hijacking. This method abuses the initialization phase of .NET applications: the runtime can be directed to load an attacker-supplied AppDomainManager assembly before the application’s own code runs, giving the attackers a chance to deactivate security measures before the application fully launches. Consequently, this technique leaves targeted organizations exposed to the multifaceted RATs involved in the attacks.
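A defensive check for the AppDomainManager hijacking described above, as an added example that is not code from Unit 42 or the report: the .NET runtime loads a custom AppDomainManager when an application’s .config file names one under the <runtime> element (appDomainManagerAssembly and appDomainManagerType), or when the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables are both set, so scanning for those settings surfaces the hijack point. The assembly name UpdateHelper and the sample config documents are constructed for the example.

```python
import os
import xml.etree.ElementTree as ET

# Settings the CLR honours at start-up; a custom AppDomainManager named here
# is loaded before the application's own entry point runs.
CONFIG_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_KEYS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def scan_app_config(config_xml: str) -> list:
    """Return (setting, value) pairs found under <runtime> in a .NET
    application .config document. An empty list means no finding."""
    findings = []
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return findings  # unparsable input is reported as no finding
    for runtime in root.iter("runtime"):
        for key in CONFIG_KEYS:
            for node in runtime.iter(key):
                findings.append((key, node.get("value", "")))
    return findings


def scan_environment(env: dict) -> list:
    """Flag a process environment that sets both APPDOMAIN_MANAGER_*
    variables, the environment-variable route to the same CLR hook."""
    present = [(k, env[k]) for k in ENV_KEYS if k in env]
    return present if len(present) == len(ENV_KEYS) else []


# Constructed sample: a config with an injected AppDomainManager entry.
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
  </runtime>
</configuration>"""

# Constructed sample: an ordinary config with no runtime hook.
CLEAN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0"/></startup>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("suspicious", SUSPICIOUS_CONFIG), ("clean", CLEAN_CONFIG)):
        print(name, scan_app_config(cfg))
    print("env", scan_environment(dict(os.environ)))
```

On a real host, point scan_app_config at every *.exe.config next to a .NET executable and treat any finding that names an assembly outside the vendor’s own signed set as something to investigate.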
Social Engineering Tactics
Screening Serpens employs sophisticated social engineering methods, primarily targeting technology professionals in various sectors. They often create convincingly fake recruitment opportunities that mimic reputable job platforms. For instance, in one of their campaigns, they utilized deceptive job documents and a “Hiring Portal” archive to entice technical personnel into initiating malware.
In another operation targeting an Israeli entity, the group deployed malware disguised as an installer for a well-known video conferencing application. Unit 42 noted that there was no evidence of an actual breach of the legitimate organization’s infrastructure—suggesting the attackers aimed solely for impersonation.
Future Implications and Recommendations
Despite being active since at least 2022, Screening Serpens demonstrates increasingly advanced technical skills and operational resilience. Their focus on regional targets remains substantial, but recent campaigns signal a potential expansion into other geographic areas. Unit 42 warns organizations to remain vigilant for further cyber incursions and emphasizes the importance of bolstering defenses to mitigate the risks associated with such persistent threats in the digital landscape. Preparing for potential compromises is crucial as the group’s activities show no signs of diminishing in the near term.