VYPR research · Published May 22, 2026 · 1 source

Iranian APT Screening Serpens Targets Tech and Defense Sectors with Novel Attack Chains

Iranian state-backed group Screening Serpens is conducting active espionage campaigns in 2026, using AppDomainManager hijacking and new RAT variants to breach technology and defense organizations.

Unit 42 researchers have documented an ongoing espionage campaign by the Iranian advanced persistent threat (APT) group known as Screening Serpens, which is actively targeting organizations in the technology and defense sectors during 2026. The group is deploying sophisticated attack chains that rely on AppDomainManager hijacking — a technique that allows malicious code execution within the .NET application domain — along with previously undocumented remote access trojan (RAT) variants to maintain persistence and exfiltrate sensitive data.

The attack chain begins with spear-phishing emails crafted to appear as legitimate business communications. Once a recipient opens a malicious attachment or clicks a link, the payload triggers an AppDomainManager injection that loads a custom RAT directly into a .NET process. This approach evades many endpoint detection systems because the malicious code runs under the context of a trusted application rather than as a standalone process, providing a stealthy foothold on the compromised system.

Screening Serpens, also tracked by other security vendors under different names, has historically aligned with Iranian strategic interests and focused on intellectual property theft and intelligence gathering. The current campaigns expand the group's toolset with RAT variants that include features like keylogging, screen capture, file exfiltration, and the ability to act as a proxy for lateral movement within victim networks. Unit 42's detailed technical analysis reveals that the new RATs communicate over encrypted channels to custom command-and-control infrastructure hosted on compromised servers in multiple countries.

The primary targets are technology companies involved in research and development, as well as defense contractors and government-affiliated agencies. While Unit 42 did not name specific victims, the report indicates the campaigns have been active since at least early 2026. The sector focus aligns with Iran's broader strategic priorities of advancing its domestic technological capabilities and countering perceived adversaries.

Organizations in the technology and defense verticals should immediately review their .NET runtime configurations and monitor for unusual AppDomainManager loading events. Security teams can also implement application control policies that restrict which binaries are allowed to load managed code. Network defenders should hunt for outbound connections from .NET processes to unfamiliar IP ranges, as these are strong indicators of a Screening Serpens compromise.
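As an added defensive example (not code from Unit 42 or this article), the script below audits the two places the .NET Framework runtime takes a custom AppDomainManager from: the `<runtime>` section of an application's `.exe.config` and the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables. Those element and variable names are the runtime's real ones but are not mentioned in the article; the sample configurations and the `UpdateHelper` assembly name are constructed.

```python
import os
import xml.etree.ElementTree as ET

# Settings the .NET Framework runtime honours for a custom AppDomainManager:
# child elements of <runtime> in an application's .exe.config, and two
# environment variables read at process start. Names are the real ones.
CONFIG_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

def find_config_overrides(config_xml):
    """Return {element: value} for AppDomainManager settings in an .exe.config."""
    findings = {}
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return findings
    for child in runtime:
        tag = child.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag in CONFIG_ELEMENTS:
            findings[tag] = child.get("value", "")
    return findings

def find_env_overrides(env=None):
    """Return AppDomainManager variables present in env (default: this process)."""
    env = os.environ if env is None else env
    return {k: env[k] for k in ENV_VARS if k in env}

def audit(config_xml, env=None):
    """Findings as strings; an empty list means no override was present."""
    report = []
    cfg = find_config_overrides(config_xml)
    if cfg:
        report.append("exe.config sets " + ", ".join(
            f"{k}={v!r}" for k, v in sorted(cfg.items())))
    for k, v in sorted(find_env_overrides(env).items()):
        report.append(f"environment sets {k}={v!r}")
    return report

# Constructed sample configs: one redirects the AppDomainManager, one does not.
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>"""
CLEAN_CONFIG = '<configuration><startup><supportedRuntime version="v4.0" /></startup></configuration>'

if __name__ == "__main__":
    for line in audit(SUSPICIOUS_CONFIG, env={"APPDOMAIN_MANAGER_ASM": "UpdateHelper"}):
        print(line)
```

Run it over every `*.exe.config` next to managed binaries on a host and over the environment of running .NET processes; any hit that is not a known, signed application component is worth an incident ticket.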

Mitigations include deploying email filtering to block spear-phishing attempts, requiring multi-factor authentication for all externally accessible services, and segmenting networks to limit lateral movement. Additionally, organizations should maintain offline backups and apply the latest security patches to all systems, though no specific CVEs were associated with this campaign — the group relies on custom tools rather than known vulnerabilities for initial access.

The broader landscape of Iranian cyber espionage continues to demonstrate increasing technical sophistication. Screening Serpens joins a list of Iranian APT groups — alongside groups like APT33, APT34, and Charming Kitten — that actively target Western technology and defense sectors. The use of AppDomainManager hijacking specifically shows how these groups adapt legitimate .NET features for malicious purposes, a trend security researchers expect to continue as Microsoft's ecosystem remains ubiquitous in enterprise environments.

Synthesized by Vypr AI