Iranian APT Screening Serpens deploys six RAT variants in coordinated 2026 espionage campaigns
Unit 42 tracks Iran-nexus group Screening Serpens conducting targeted cyberespionage against U.S., Israeli, UAE and Middle Eastern entities via social engineering and DLL sideloading, deploying MiniUpdate and MiniJunk V2 RAT families with AppDomainManager hijacking capability.
Attack Brief
Target: Technology sector professionals; aerospace, defense manufacturing and telecommunications organizations
Vector: Targeted spear phishing with personalized recruitment lures impersonating trusted brands and hiring platforms; DLL sideloading for execution
Attribution: Screening Serpens (aka UNC1549, Smoke Sandstorm, Iranian Dream Job)
Technical Details
MITRE ATT&CK: T1574.002, T1566.002, T1105, T1041
IoCs: UpdateChecker.dll; Hiring Portal.zip
Affected: Six RAT variants deployed February–April 2026; MiniUpdate family (March 26, April 15 and April 17 VirusTotal uploads); MiniJunk V2 family (February 17 and March 27 VirusTotal uploads)
Impact
Affected Organisations: Entities in the U.S., Israel, the UAE, and two additional Middle Eastern entities
Sectors: Aerospace; Defense manufacturing; Telecommunications; Technology
Geography: United States; Israel; United Arab Emirates; Middle East
Mitigation
Patches: Palo Alto Networks Advanced WildFire; Advanced URL Filtering; Advanced DNS Security; Cortex XDR; Cortex XSIAM; Cortex Cloud
Detection: Monitor for DLL sideloading execution chains; detect AppDomainManager hijacking via .NET configuration file manipulation; hunt for C2 traffic to Azure-hosted domains; analyze VirusTotal submissions for recruitment-themed archives and UpdateChecker.dll artifacts
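An added detection example for the AppDomainManager hijacking item in the Detection guidance (not Unit 42 or Palo Alto Networks code): it parses .NET application config files and flags any that name an appDomainManagerAssembly or appDomainManagerType under the runtime element, which is the configuration-file route to loading a sideloaded managed DLL. The sample configs and the trusted-prefix allow-list are constructed assumptions, not values taken from the campaign.

```python
"""Flag .NET app config files that set an AppDomainManager (constructed example)."""
from typing import Optional
import xml.etree.ElementTree as ET

# Assumed allow-list of assembly name prefixes; tune per fleet.
TRUSTED_PREFIXES = ("System.", "Microsoft.", "mscorlib")


def find_appdomain_manager(config_xml: str) -> Optional[dict]:
    """Return the assembly/type named under <runtime>, or None if none is set."""
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {
        "assembly": asm.get("value") if asm is not None else None,
        "type": typ.get("value") if typ is not None else None,
    }


def classify(config_xml: str) -> str:
    """'clean' = no manager set; 'review' = trusted-looking name; 'suspicious' = anything else."""
    hit = find_appdomain_manager(config_xml)
    if hit is None:
        return "clean"
    # The simple assembly name precedes the comma-separated version/culture/token parts.
    name = (hit["assembly"] or "").split(",")[0].strip()
    return "review" if name.startswith(TRUSTED_PREFIXES) else "suspicious"


# Constructed sample configs; the real campaign files are not reproduced on the page.
CLEAN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateChecker, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateChecker.Manager" />
  </runtime>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("hijack", HIJACK_CONFIG)):
        print(label, "->", classify(cfg), find_appdomain_manager(cfg))
```

Run it over every *.exe.config collected from endpoints; a hit whose assembly lives next to a signed, legitimate executable is the sideloading pattern the brief describes.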
Context
Previous Campaigns: Screening Serpens active since at least 2022; expanded to Western European targets in late 2025; campaigns align temporally with the onset of the regional Middle East conflict on February 28, 2026