Screening Serpens: Iranian APT Group Deploys New Malware in Geopolitically Timed Espionage Campaigns

Iranian APT 'Screening Serpens' Intensifies Espionage with New RATs Targeting US, Israel, and UAE

HIGH
May 22, 2026

Related Entities

Threat Actors: Screening Serpens, UNC1549, Smoke Sandstorm, Iranian Dream Job

Other: MiniUpdate, MiniJunk V2, Iran

Full Report

Executive Summary

Researchers at Unit 42 have identified a significant escalation in cyber-espionage activity from Screening Serpens, an advanced persistent threat (APT) group with ties to Iran. Also tracked as UNC1549, Smoke Sandstorm, and Iranian Dream Job, the group has been observed conducting campaigns between February and April 2026 that align with recent geopolitical conflicts in the Middle East. The attacks primarily target technology professionals in the United States, Israel, and the United Arab Emirates. To enhance their operations, Screening Serpens has deployed six new Remote Access Trojan (RAT) variants, categorized into two new malware families named MiniUpdate and MiniJunk V2. The group is also leveraging more sophisticated techniques, such as AppDomainManager hijacking, to maintain persistence and evade detection.

Threat Overview

Screening Serpens is a sophisticated espionage-focused threat actor that has been active since at least 2022. Their primary objective is intelligence gathering, targeting individuals and organizations in sectors of strategic interest to Iran. The latest campaigns demonstrate a marked evolution in their capabilities:

  • Targeting: Highly focused on professionals in the technology sector, likely to gain access to intellectual property, sensitive project information, or to establish a foothold in strategic partner networks.
  • Social Engineering: The group uses highly personalized lures, often impersonating trusted brands or recruitment platforms, to trick targets into executing malicious payloads. A spear-phishing campaign on February 17, 2026, used a spoofed URL from a well-known employment website.
  • Malware Evolution: The introduction of MiniUpdate and MiniJunk V2 shows an active development cycle aimed at bypassing existing security controls.
  • Geopolitical Alignment: The timing of the campaigns, coinciding with a regional conflict that began on February 28, 2026, suggests that the group's tasking is closely aligned with the geopolitical objectives of the Iranian state.

Technical Analysis

Screening Serpens employs a multi-stage attack chain that relies on social engineering and advanced persistence mechanisms.

  • T1566.002 - Spearphishing Link: The initial access vector involves sending highly targeted emails with malicious links, such as the spoofed recruitment URL observed in the February 17 campaign.
  • T1588.002 - Tool: The group develops and deploys custom RATs (MiniUpdate, MiniJunk V2) to ensure their tools are not easily detected by signature-based antivirus.
  • T1546.011 - AppDomainManager Hijacking: This is a sophisticated persistence technique. By creating a malicious .NET assembly and setting specific environment variables (COMPLUS_Version, COMPLUS_LoaderOptimization), the attacker can force any .NET application on the system to load their malicious code upon startup. This provides a powerful and stealthy way to maintain access.
  • T1059.005 - Visual Basic: The malware loaders often use VBScript or other scripting languages to execute the next stage of the infection chain.
  • T1027 - Obfuscated Files or Information: The group's malware likely employs obfuscation to hinder analysis and evade static detection.

The use of AppDomainManager hijacking is a significant technical advancement for this group. It allows their code to execute within the memory of legitimate, trusted .NET processes, which makes detection via traditional file-based scanning nearly impossible and forces defenders to rely on behavioral analysis and memory forensics.

Impact Assessment

The primary impact of Screening Serpens' activities is espionage. The theft of sensitive data from technology companies can result in:

  • Loss of Intellectual Property: Stolen R&D, source code, and proprietary designs can undermine a company's competitive advantage.
  • Supply Chain Risk: Compromising a technology company can provide the APT group with a launchpad to conduct supply chain attacks against that company's customers.
  • Intelligence Gathering: The stolen information provides the Iranian government with strategic insights into the technological capabilities and plans of its adversaries.
  • Further Targeting: Information gathered from one victim can be used to craft more convincing lures to target their partners, colleagues, and customers.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were mentioned in the source articles.

Cyber Observables — Hunting Hints

Security teams can hunt for Screening Serpens activity. The following patterns could indicate an intrusion:

  • registry_key: HKCU\Environment\COMPLUS_Version. The presence of this environment variable, especially when set to a suspicious value, is a strong indicator of AppDomainManager hijacking.
  • command_line_pattern: wmic.exe process call create. Monitor for wmic being used to launch new processes, a common technique for execution and lateral movement.
  • log_source: Email Gateway Logs. Analyze logs for emails with links from newly registered or typo-squatted domains that impersonate legitimate recruitment sites.
  • process_name: MSBuild.exe. Attackers often abuse the Microsoft Build Engine (MSBuild.exe) to execute malicious code embedded in project files, bypassing application whitelisting.

Detection & Response

  1. Behavioral Monitoring: Due to the use of custom malware and advanced persistence techniques, detection must focus on behavior. Monitor for the creation of suspicious environment variables (COMPLUS_*), unexpected network connections from legitimate processes, and the use of living-off-the-land binaries (LOLBins) like wmic.exe.
  2. Email Security: Use advanced email security solutions that can analyze links at time-of-click (URL rewriting) to protect against spear-phishing links. This is a form of D3FEND URL Analysis.
  3. Endpoint Detection and Response (EDR): An EDR solution is critical for detecting the process chain associated with the attack. It can trace the execution from the initial lure (e.g., a document) to the launch of PowerShell or VBScript, and finally to the establishment of the RAT's C2 channel.
  4. Threat Hunting: Proactively hunt for the TTPs used by Screening Serpens. For example, run queries across the enterprise to look for systems with the COMPLUS_Version environment variable set, which is a strong indicator of the AppDomainManager hijacking technique.

Mitigation

  1. User Training: Since the initial vector is social engineering, training users to identify and report suspicious emails is a critical first line of defense. This aligns with D3FEND User Training.
  2. Application Control: Implement application control policies to prevent the execution of unauthorized scripts and executables. This can block the initial payload from running.
  3. Attack Surface Reduction: Disable or restrict scripting languages like PowerShell and VBScript where they are not required for business operations.
  4. Credential Protection: Implement measures to protect credentials, such as Windows Defender Credential Guard, and enforce strong password policies and MFA to make lateral movement more difficult.

Timeline of Events

  1. February 17, 2026: A spear-phishing campaign by Screening Serpens targets a technology professional in the Middle East.
  2. February 28, 2026: A regional conflict begins in the Middle East, coinciding with the timing of the APT campaigns.
  3. May 22, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Train users to recognize and report sophisticated spear-phishing attempts, which are the primary initial access vector for this group.
  • Use application control and script blocking to prevent the execution of the initial malicious payloads delivered via phishing links.
  • Audit (M1047, enterprise): Monitor for the creation of suspicious environment variables and registry keys associated with the AppDomainManager hijacking technique.
  • Hardening .NET loading mechanisms and monitoring for abuse of environment variables can help mitigate persistence techniques like AppDomainManager hijacking.

D3FEND Defensive Countermeasures

To counter Screening Serpens' primary initial access vector of spear-phishing with malicious links, organizations must implement robust URL Analysis. This should be deployed at the email gateway. Modern solutions offer 'time-of-click' protection, where every link in an incoming email is rewritten to pass through a security vendor's proxy. When a user clicks the link, the destination is analyzed in real-time for malicious content or phishing indicators. This is crucial for defeating campaigns that use benign-looking landing pages that later redirect to malware. For a campaign like the one using a spoofed recruitment URL, this technique would analyze the final destination of the link, identify the payload, and block the user from accessing it, effectively neutralizing the attack at its first stage.

The AppDomainManager hijacking technique used by Screening Serpens relies on modifying the system's environment. System File Analysis, in the form of proactive threat hunting and configuration monitoring, is essential for detection. Security teams should create and run queries using their EDR or SIEM to hunt for the presence of the COMPLUS_Version and COMPLUS_LoaderOptimization environment variables being set in the registry (HKCU\Environment or HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment). Since these variables are rarely used for legitimate purposes, their presence is a high-confidence indicator of this specific persistence technique. Regularly scanning for these artifacts allows defenders to uncover the APT's foothold before they can achieve their objectives.
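The hunting hints, the Detection & Response queries and the registry hunt described above, implemented as a small Python checker over constructed Sysmon-style events (added example, not code from the article or from Unit 42). The field names (EventID, TargetObject, Image, ParentImage, CommandLine) follow Sysmon's schema; the sample events and the list of script-host parents used by the MSBuild rule are assumptions to tune per environment.

```python
import json

# Constructed Sysmon-style events as JSON lines (sample data, not real telemetry).
# EventID 13 = registry value set, EventID 1 = process creation.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-111\\Environment\\COMPLUS_Version", "Details": "v4.0.30319"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-111\\Environment\\Path", "Details": "C:\\Tools"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic process call create \"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe\""}
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "MSBuild.exe C:\\Users\\u\\Downloads\\offer.xml"}
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "CommandLine": "MSBuild.exe app.csproj"}
"""

# Matches COMPLUS_* values under HKCU\Environment (HKU\<SID>\Environment in Sysmon)
# and under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment.
ENV_MARKER = "\\environment\\complus_"
# Assumption: parents from which MSBuild.exe is not expected; tune per environment.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe", "winword.exe", "outlook.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the name of the first hunting rule the event matches, or None."""
    if ev.get("EventID") == 13:  # registry value set
        return "complus_env_var_set" if ENV_MARKER in ev.get("TargetObject", "").lower() else None
    if ev.get("EventID") == 1:  # process creation
        image = basename(ev.get("Image", ""))
        cmd = " ".join(ev.get("CommandLine", "").lower().split())  # normalise whitespace
        if image == "wmic.exe" and "process call create" in cmd:
            return "wmic_process_create"
        if image == "msbuild.exe" and basename(ev.get("ParentImage", "")) in SCRIPT_HOST_PARENTS:
            return "msbuild_from_script_host"
    return None

def hunt(log_text):
    """Parse JSON lines and return (rule, image, detail) for every matching event."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = json.loads(line)
        rule = check_event(ev)
        if rule:
            findings.append((rule, ev.get("Image", ""), ev.get("TargetObject") or ev.get("CommandLine", "")))
    return findings

if __name__ == "__main__":
    for rule, image, detail in hunt(SAMPLE_LOG):
        print(f"{rule:26} {image} :: {detail}")
```

The COMPLUS_* rule is deliberately keyed on the Environment subkey rather than on HKCU alone so that the HKLM Session Manager location is caught by the same check.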

To prevent the execution of the custom RATs MiniUpdate and MiniJunk V2, organizations should implement Executable Allowlisting (also known as Application Control). In a well-managed environment, especially on critical servers and for privileged users, only known and approved applications should be allowed to run. This would prevent the RAT binaries from executing, even if the user is tricked into downloading them. While challenging to deploy enterprise-wide, it is highly effective. A more targeted approach would be to use EDR in a 'block mode' where any unsigned or unknown executable is prevented from running until it can be analyzed. This directly counters the threat actor's need to drop and execute their custom malware on the target system.


Sources & References

Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns
Unit 42 (unit42.paloaltonetworks.com) May 22, 2026
Iranian APT Group ‘Screening Serpens’ Unleashes New RATs in Targeted Attacks
Cyber Security News (cyber-security-news.com) May 22, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags

Screening Serpens, APT, Iran, Cyber Espionage, UNC1549, MiniUpdate, MiniJunk V2, Unit 42
