Iranian APT Screening Serpens Targets Tech and Defense Sectors with Novel Attack Chains
Iranian state-backed group Screening Serpens is conducting active espionage campaigns in 2026, using AppDomainManager hijacking and new RAT variants to breach technology and defense organizations.

Unit 42 researchers have documented an ongoing espionage campaign by the Iranian advanced persistent threat (APT) group known as Screening Serpens, which is actively targeting organizations in the technology and defense sectors during 2026. The group is deploying sophisticated attack chains that rely on AppDomainManager hijacking — a technique that allows malicious code execution within the .NET application domain — along with previously undocumented remote access trojan (RAT) variants to maintain persistence and exfiltrate sensitive data.
The attack chain begins with spear-phishing emails crafted to appear as legitimate business communications. Once a recipient opens a malicious attachment or clicks a link, the payload triggers an AppDomainManager injection that loads a custom RAT directly into a .NET process. This approach evades many endpoint detection systems because the malicious code runs under the context of a trusted application rather than as a standalone process, providing a stealthy foothold on the compromised system.
Screening Serpens, also tracked by other security vendors under different names, has historically aligned with Iranian strategic interests and focused on intellectual property theft and intelligence gathering. The current campaigns expand the group's toolset with RAT variants that include features like keylogging, screen capture, file exfiltration, and the ability to act as a proxy for lateral movement within victim networks. Unit 42's detailed technical analysis reveals that the new RATs communicate over encrypted channels to custom command-and-control infrastructure hosted on compromised servers in multiple countries.
The primary targets are technology companies involved in research and development, as well as defense contractors and government-affiliated agencies. While Unit 42 did not name specific victims, the report indicates the campaigns have been active since at least early 2026. The sector focus aligns with Iran's broader strategic priorities of advancing its domestic technological capabilities and countering perceived adversaries.
Organizations in the technology and defense verticals should immediately review their .NET runtime configurations and monitor for unusual AppDomainManager loading events. Security teams can also implement application control policies that restrict which binaries are allowed to load managed code. Network defenders should hunt for outbound connections from .NET processes to unfamiliar IP ranges, as these are strong indicators of a Screening Serpens compromise.
Mitigations include deploying email filtering to block spear-phishing attempts, requiring multi-factor authentication for all externally accessible services, and segmenting networks to limit lateral movement. Additionally, organizations should maintain offline backups and apply the latest security patches to all systems, though no specific CVEs were associated with this campaign — the group relies on custom tools rather than known vulnerabilities for initial access.
The broader landscape of Iranian cyber espionage continues to demonstrate increasing technical sophistication. Screening Serpens joins a list of Iranian APT groups — alongside groups like APT33, APT34, and Charming Kitten — that actively target Western technology and defense sectors. The use of AppDomainManager hijacking specifically shows how these groups adapt legitimate .NET features for malicious purposes, a trend security researchers expect to continue as Microsoft's ecosystem remains ubiquitous in enterprise environments.
Unit 42's latest report details how Screening Serpens refined its social engineering playbook during the current U.S.-Israeli aerial offensive against Iran, using fake job portals that clone legitimate aerospace and defense hiring sites. The campaign relies on LinkedIn outreach and direct email contact to deliver malware-laced résumé files, some signed with valid digital certificates, followed by legitimate remote management tools for persistence. Researchers observed operational security lapses that exposed portions of the attackers' infrastructure, reinforcing the group's continued evolution of North Korean-style job scam techniques.
Unit 42's full report, shared exclusively with Cyber Security News, reveals that the campaign escalated sharply after a regional conflict began on February 28, 2026, with coordinated attacks hitting U.S. and Israeli entities in late March and UAE targets in mid-April. The researchers identified six new RAT variants across two malware families—MiniUpdate and MiniJunk V2—both delivered via spear-phishing archives impersonating a global airline and a video conferencing platform. The MiniUpdate family uses fake job description PDFs with believable job IDs and a nested payload inside a file named Hiring Portal.zip, while MiniJunk V2 employs heavy code obfuscation and file size inflation to bypass automated scanning limits. Command-and-control traffic is routed through Azure-hosted domains that mimic legitimate Windows service names, further complicating network-level detection.