Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

Unit 42 attributes a multi-stage espionage campaign to the Iran-nexus APT group Screening Serpens, which deployed six new RAT variants against targets in the U.S., Israel, the UAE, and other Middle Eastern entities. The group used highly tailored recruitment and meeting-themed lures, DLL sideloading, and AppDomainManager hijacking to deliver MiniUpdate and MiniJunk V2 while evading detection and exfiltrating data. #ScreeningSerpens #UNC1549 #MiniUpdate #MiniJunkV2

Keypoints

  • Screening Serpens is an Iran-nexus APT group that has been active since at least 2022 and intensified operations during the 2026 regional conflict.
  • Unit 42 identified six new RAT variants deployed between February and April 2026, grouped into two malware families: MiniUpdate and MiniJunk V2.
  • The campaigns targeted entities in the U.S., Israel, the UAE, and likely additional Middle Eastern organizations, with a strong focus on technology-sector professionals.
  • The threat actor relied on personalized social engineering, including fake recruitment materials and spoofed video-conferencing lures, to prompt victims to start the infection chain.
  • Initial execution commonly used DLL sideloading, scheduled tasks, and staged payloads to establish persistence and run multi-stage RAT payloads.
  • The most notable technical shift was AppDomainManager hijacking: a directive in the host application's .NET runtime configuration pointed the runtime at an attacker-supplied assembly that executes before the host's Main(), switching off .NET's own checks (ETW tracing, strong-name verification) and reducing EDR visibility before the payload ran.
  • The newer variants expanded operational capabilities such as chunked file exfiltration, command execution, process manipulation, and stealthier infrastructure rotation.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Tailored recruitment and meeting-themed archives lured victims into opening malicious content; where the archive was fetched from a link to a file-sharing service rather than attached, T1566.002 (Spearphishing Link) is the closer sub-technique. (‘The group frequently uses personalized recruitment lures’ / ‘the victim into downloading the malicious archive’)
  • [T1195.002] Compromise Software Supply Chain – Not supported by the article: the cited evidence describes a malicious DLL loaded by a legitimate installer that the attacker packaged and delivered, which is DLL side-loading (T1574.002, below), not a compromised vendor dependency. (‘The malware triggers a spoofed error window’ / ‘legitimate Setup.exe host process’)
  • [T1036] Masquerading – Impersonated trusted brands, hiring platforms, video-conferencing services, and system utilities to appear legitimate. (‘mimic a legitimate installer progress indicator’ / ‘impersonate a global air carrier’)
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – Legitimate executables such as Setup.exe and update.exe loaded the malicious DLLs placed beside them. (‘leverages DLL sideloading for execution’ / ‘the legitimate Setup.exe host process’)
  • [T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking – Not the right technique: T1574.006 covers LD_PRELOAD-style hijacking on Linux and macOS. The cited probing-path directive belongs to the .NET application configuration and makes the runtime resolve assemblies from attacker-chosen local directories, which is Windows assembly search-order manipulation (T1574.001, DLL Search Order Hijacking) and part of the AppDomainManager setup below. (‘the directive’)
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Executed shell commands through cmd.exe. (‘Executes shell commands via cmd.exe /c’)
  • [T1218.011] System Binary Proxy Execution: Rundll32 – Not supported by the cited evidence, which describes the RAT itself mapping DLLs into its own process and calling chosen exports; that is Reflective Code Loading (T1620). No use of rundll32.exe is quoted. (‘loads arbitrary DLLs directly into memory to run specific exported functions’)
  • [T1055] Process Injection – Not cross-process injection as cited: Updater.dll is loaded inside the hijacked host application's own process during runtime initialisation, so this belongs with the AppDomainManager entry below rather than T1055. (‘allowing the next payload, Updater.dll, to load into an unmonitored memory space’)
  • [T1105] Ingress Tool Transfer – Retrieved and staged payloads from remote file-sharing and cloud-hosted infrastructure. (‘payload delivery is triggered from a third-party file-sharing service’)
  • [T1027] Obfuscated Files or Information – Used junk code, padding, XOR, ROT13, and mixed Boolean-arithmetic (MBA) obfuscation to hinder analysis. (‘junk code and padding’ / ‘Mixed Boolean-Arithmetic and XOR obfuscation’)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Switched off .NET runtime ETW tracing, strong-name verification, and publisher policy through the host application's runtime configuration, suppressing telemetry and assembly validation before the payload ran. (‘proactively disable logging mechanisms’ / ‘disable its own security mechanisms’)
  • [T1574.014] Hijack Execution Flow: AppDomainManager – A configuration directive pointed the .NET runtime at an attacker-supplied AppDomainManager assembly, which runs before the host application's Main(). (The original mapping to T1546.007, Netsh Helper DLL, does not apply.) (‘Pre-Main() execution’ / ‘before the host application even starts’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Created scheduled tasks for persistence and execution, including daily and logon-triggered tasks. (‘creates a scheduled task’ / ‘trigger every day at 09:30 local time’)
  • [T1102] Web Service – Used Azure-hosted domains and ONLYOFFICE DocSpace instances to stage files and manage infrastructure. (‘hosted by Azure’ / ‘attacker-managed ONLYOFFICE workspace’)
  • [T1083] File and Directory Discovery – Checked file paths and directories while staging hidden payloads and installation folders. (‘resolves its current directory’ / ‘constructs a new hidden installation path’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Communicated with C2 servers over HTTP GET and POST requests. (‘Command polling occurs via GET requests’ / ‘beacons to the primary C2 base URL via an HTTP POST request’)
  • [T1005] Data from Local System – Collected files from compromised hosts for upload; splitting uploads into chunks is additionally T1030 (Data Transfer Size Limits). (‘support for chunked uploads’ / ‘uploads files to the C2 server’)
  • [T1041] Exfiltration Over C2 Channel – Exfiltrated data through the same command-and-control infrastructure used for tasking. (‘Exfiltrates data and sends operational status reports to the threat actor’)
  • [T1057] Process Discovery – Enumerated running processes to support control and validation checks. (‘Enumerates running processes’)
  • [T1068] Exploitation for Privilege Escalation – Not supported: the cited behaviour is a standard UAC consent prompt that depends on the user approving it, not exploitation of a vulnerability, and no UAC bypass (T1548.002) is described. (‘Requests User Account Control (UAC) elevation’)
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – Validated the process name and parent process before running; the svchost.exe parent check confirms the sample was launched by the Task Scheduler service, so a copy run directly by an analyst or sandbox exits early. (‘checks if the parent process is svchost.exe’ / ‘If a security analyst or automated sandbox executes the file directly, this check will fail’)
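The AppDomainManager, defence-impairment and probing-path entries above all reduce to a handful of directives in the host application's .NET runtime configuration (or, for the per-process route, to a few environment variables). The following hunting script is an added example, not code from the Unit 42 report or from the malware: it scans *.exe.config files for those directives, scores each file, and checks a process environment for the variable-based variant. The two embedded configs are constructed, and the assembly and type names in them are assumptions, not observed values.

```python
"""Hunt for .NET application configuration files that wire in an
AppDomainManager and switch off the runtime's own checks.

Added example, not code from the Unit 42 report or the malware. It uses only
documented .NET Framework <runtime> configuration elements; the two sample
configs are constructed, and the assembly/type names in them are assumptions.
"""
import os
import xml.etree.ElementTree as ET

# <probing> and <publisherPolicy> sit inside the namespaced <assemblyBinding> block.
ASM_NS = "{urn:schemas-microsoft-com:asm.v1}"
# The same hijack can be set per process through these environment variables.
ENV_KEYS = {"APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_VERSION"}


def scan_config(xml_text):
    """Return a dict of suspicious runtime directives found in one *.exe.config."""
    findings = {}
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return findings
    # Primary signal: the runtime instantiates this type before the host's Main().
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is not None or typ is not None:
        findings["appDomainManager"] = {
            "assembly": asm.get("value") if asm is not None else None,
            "type": typ.get("value") if typ is not None else None,
        }
    # Corroborating signals: legitimate, rarely used knobs that hijack configs tend to set.
    etw = runtime.find("etwEnable")
    if etw is not None and etw.get("enabled", "").lower() == "false":
        findings["etwDisabled"] = True  # CLR ETW provider silenced
    sn = runtime.find("bypassTrustedAppStrongNames")
    if sn is not None and sn.get("enabled", "").lower() == "true":
        findings["strongNameBypass"] = True  # spelled out even though it is the default
    for binding in runtime.findall(ASM_NS + "assemblyBinding"):
        probing = binding.find(ASM_NS + "probing")
        if probing is not None and probing.get("privatePath"):
            findings["probingPrivatePath"] = probing.get("privatePath")
        policy = binding.find(ASM_NS + "publisherPolicy")
        if policy is not None and policy.get("apply", "").lower() == "no":
            findings["publisherPolicyDisabled"] = True
    return findings


def scan_environment(env):
    """Return the AppDomainManager-related variables present in a process environment."""
    return {k: v for k, v in env.items() if k.upper() in ENV_KEYS}


def severity(findings):
    """'high' if an AppDomainManager is set, 'medium' for two or more weakening knobs, else 'low'."""
    if "appDomainManager" in findings:
        return "high"
    return "medium" if len(findings) >= 2 else "low"


def scan_tree(root_dir):
    """Walk root_dir and return {path: findings} for each *.exe.config with findings."""
    results = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    found = scan_config(fh.read())
            except (OSError, ET.ParseError):
                continue
            if found:
                results[path] = found
    return results


# Constructed sample of a hijacked host's config; UpdateChecker.Manager is an assumed type name.
HIJACK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateChecker, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateChecker.Manager" />
    <etwEnable enabled="false" />
    <bypassTrustedAppStrongNames enabled="true" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib" />
      <publisherPolicy apply="no" />
    </assemblyBinding>
  </runtime>
</configuration>
"""
# Constructed sample of an ordinary config that only tunes the garbage collector.
BENIGN_CONFIG = '<configuration><runtime><gcServer enabled="true" /></runtime></configuration>'

if __name__ == "__main__":
    for label, cfg in (("hijack", HIJACK_CONFIG), ("benign", BENIGN_CONFIG)):
        print(label, severity(scan_config(cfg)), scan_config(cfg))
    print(scan_environment(os.environ))
```

Run scan_tree against the directories where sideloaded hosts land (user profiles, ProgramData, temp) rather than against Program Files alone: a vendor config that legitimately sets an AppDomainManager is rare but exists, so treat the high finding as a lead and confirm by checking whether the named assembly sits next to the host executable and who signed it. The environment-variable route leaves no file on disk, which is why scan_environment is there as a second check against the process block of a suspect host.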

Indicators of Compromise

  • [Domains] C2, staging, and impersonation infrastructure – licencemanagers.azurewebsites[.]net, docspace-y4cumb.onlyoffice[.]com, and 2 more domains
  • [URLs] Malicious archive delivery and lure pages – hxxps[:]//app[redacted][.]live/meeting/edcdba624ddb43c2a1dcf334aa493068, hxxps[:]//2117.filemail[.]com/api/file/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm, and 2 more URLs
  • [SHA256 Hashes] MiniUpdate and MiniJunk V2 samples – 44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250, 0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864, and 10 more hashes
  • [File Names] Lure archives and payload binaries – Hiring Portal.zip, UpdateChecker.dll, and 7 more file names
  • [User-Agent Strings] Browser impersonation used by RAT traffic – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 Edg/144.0.0.0
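The C2 behaviour summarised above (GET polling for tasks, POST beacons, chunked uploads over plain HTTP) and the two stock Chrome/Edge User-Agent strings listed as indicators can be turned into a proxy-log hunt. The script below is an added example, not code from the Unit 42 report: it flags source/host pairs whose GETs arrive at a near-constant interval and whose POST bodies repeat one size, and uses a User-Agent match only as corroboration. The log format, the records, the host names and the thresholds are constructed assumptions for the demo.

```python
"""Hunt for RAT command-and-control patterns in web proxy logs: near-constant
GET polling for tasking and runs of equal-sized POST bodies that look like
chunked uploads.

Added example, not code from the Unit 42 report. The log format, the records,
the host names and the thresholds are constructed assumptions for the demo.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# The two browser User-Agent strings the report lists. They are stock Chrome/Edge
# strings, so a match is corroboration only, never a finding on its own.
UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36")
UA_EDGE = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 Edg/144.0.0.0")
REPORTED_UAS = {UA_CHROME, UA_EDGE}


def parse(log_text):
    """Parse constructed tab-separated records: time, src, method, host, bytes_out, user_agent."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, size, ua = line.split("\t")
        records.append({"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        "src": src, "method": method, "host": host,
                        "bytes_out": int(size), "ua": ua})
    return records


def is_regular_polling(times, min_hits=6, max_cv=0.2):
    """True when at least min_hits requests are spaced almost evenly (low coefficient of variation)."""
    if len(times) < min_hits:
        return False
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def is_chunked_upload(sizes, min_chunks=3):
    """True when at least min_chunks POST bodies share one non-zero size: a fixed
    chunk size, with at most a smaller final remainder."""
    if not sizes:
        return False
    size, count = Counter(sizes).most_common(1)[0]
    return size > 0 and count >= min_chunks


def hunt(records):
    """Return {(src, host): [reasons]} for pairs that show C2-like behaviour."""
    by_pair = defaultdict(list)
    for rec in records:
        by_pair[(rec["src"], rec["host"])].append(rec)
    hits = {}
    for pair, reqs in by_pair.items():
        reasons = []
        if is_regular_polling([r["time"] for r in reqs if r["method"] == "GET"]):
            reasons.append("regular GET polling")
        if is_chunked_upload([r["bytes_out"] for r in reqs if r["method"] == "POST"]):
            reasons.append("chunked POST upload")
        # Only add the UA as a qualifier once a behavioural signal exists.
        if reasons and any(r["ua"] in REPORTED_UAS for r in reqs):
            reasons.append("reported User-Agent (weak)")
        if reasons:
            hits[pair] = reasons
    return hits


def _rec(ts, src, method, host, size, ua=UA_CHROME):
    return "\t".join((ts, src, method, host, str(size), ua))


# Constructed log. 10.0.0.7 polls c2.example.invalid about once a minute, then sends
# three 1 MiB chunks and a remainder; the other two sources behave like a browser and
# a user uploading unrelated files, and share the same User-Agent.
SAMPLE_LOG = "\n".join([
    _rec("2026-03-02T09:30:05Z", "10.0.0.7", "GET", "c2.example.invalid", 0),
    _rec("2026-03-02T09:31:06Z", "10.0.0.7", "GET", "c2.example.invalid", 0),
    _rec("2026-03-02T09:32:04Z", "10.0.0.7", "GET", "c2.example.invalid", 0),
    _rec("2026-03-02T09:33:05Z", "10.0.0.7", "GET", "c2.example.invalid", 0),
    _rec("2026-03-02T09:34:07Z", "10.0.0.7", "GET", "c2.example.invalid", 0),
    _rec("2026-03-02T09:35:05Z", "10.0.0.7", "GET", "c2.example.invalid", 0),
    _rec("2026-03-02T09:36:10Z", "10.0.0.7", "POST", "c2.example.invalid", 1048576),
    _rec("2026-03-02T09:36:12Z", "10.0.0.7", "POST", "c2.example.invalid", 1048576),
    _rec("2026-03-02T09:36:14Z", "10.0.0.7", "POST", "c2.example.invalid", 1048576),
    _rec("2026-03-02T09:36:16Z", "10.0.0.7", "POST", "c2.example.invalid", 262144),
    _rec("2026-03-02T09:30:00Z", "10.0.0.9", "GET", "updates.example.invalid", 0),
    _rec("2026-03-02T09:47:12Z", "10.0.0.9", "GET", "updates.example.invalid", 0),
    _rec("2026-03-02T11:02:55Z", "10.0.0.9", "GET", "updates.example.invalid", 0),
    _rec("2026-03-02T10:15:00Z", "10.0.0.12", "POST", "files.example.invalid", 20480),
    _rec("2026-03-02T10:16:30Z", "10.0.0.12", "POST", "files.example.invalid", 33120),
    _rec("2026-03-02T10:20:10Z", "10.0.0.12", "POST", "files.example.invalid", 15000),
])

if __name__ == "__main__":
    for (src, host), reasons in hunt(parse(SAMPLE_LOG)).items():
        print(src, host, ", ".join(reasons))
```

Two caveats when adapting this to real logs. The two User-Agent strings are what most patched Chrome and Edge installs send, so a rule that matches on them alone will fire on nearly every Windows workstation; that is why the script only appends the UA reason after a behavioural signal exists. Proxy byte counts usually include headers and multipart framing, which is the same for every chunk of one upload, so exact-size equality is a better test than a tolerance band; the jitter threshold for polling, on the other hand, should be widened for implants that randomise their sleep.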


Read more: https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/