Cyberattacks by Iran-nexus APT Group Screening Serpens Highlight Tactical Evolution
Palo Alto Networks’ Unit 42 has reported increased activity from the Iran-aligned APT group Screening Serpens, which has deployed various remote access Trojan (RAT) variants targeted at multiple countries. The timing of these operations correlates with regional conflicts that commenced in late February 2026, suggesting a strategic alignment with geopolitical tensions.
The ongoing campaigns showcase the group’s adaptation and enhancement of technical capabilities, evidenced by the emergence of two new malware families named MiniUpdate and MiniJunk V2. These malware strains are delivered through specialized social engineering, particularly tailored recruitment lures that mimic legitimate job application processes. Notably, Screening Serpens has shifted towards AppDomainManager hijacking to evade detection and bypass Microsoft .NET security features. Because the hijacked manager assembly is loaded before the host application’s own code runs, the malware can disable security mechanisms prior to execution and establish a significant foothold in compromised environments.
Defensive Context
Organizations, especially in the technology, aerospace, defense, and telecommunications sectors, must be particularly vigilant given the targeting patterns of Screening Serpens. The group’s ongoing campaigns leverage sophisticated social engineering tactics and localized exploits, adapting their methods to individual organizations’ profiles and markets. Entities that hold sensitive data or operate internationally face elevated risk.
Why This Matters
The recent campaigns demonstrate a marked escalation in both the frequency and sophistication of attacks attributed to Screening Serpens. Their focus on high-value sectors raises the risk for firms in the affected industries, particularly staff in technology roles, whom the threat actors approach with fraudulent recruitment lures. The techniques employed reflect a broader trend of advanced persistent threats evolving their tactics for cyber-espionage, with the attendant risk of operational disruption and data breaches.
Defender Considerations
Given the nature of these malware variants, organizations should enhance monitoring for signs of AppDomainManager hijacking and DLL sideloading, both key indicators of the group’s techniques. Environments running .NET applications should watch for changes to how applications initialize, and should block unauthorized configuration changes or load paths introduced by malicious binaries.
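One way to hunt for the configuration side of this technique, added here as an example and not part of the Unit 42 report: a scan of .exe.config files for the appDomainManagerAssembly and appDomainManagerType runtime settings, where KNOWN_GOOD_MANAGERS is a hypothetical allowlist and the sample config is constructed for illustration. The same redirection can also be applied per process through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, which this file scan does not cover.

```python
"""Flag .NET application config files that redirect AppDomainManager loading.

Added example, not from the Unit 42 report. A hijack plants appDomainManagerAssembly
and appDomainManagerType under <runtime> in a legitimate executable's .exe.config so
the CLR loads an attacker assembly before Main runs; legitimate use of this is rare.
"""
import os
import xml.etree.ElementTree as ET
from typing import Optional

KNOWN_GOOD_MANAGERS = set()  # hypothetical allowlist of vetted assembly simple names

def find_appdomain_manager(config_xml: str) -> Optional[dict]:
    """Return the manager assembly/type named in a config, or None if absent."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    asm = root.find("runtime/appDomainManagerAssembly")
    typ = root.find("runtime/appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {"assembly": asm.get("value") if asm is not None else None,
            "type": typ.get("value") if typ is not None else None}

def is_suspicious(finding: Optional[dict]) -> bool:
    """Any manager whose simple name is not allowlisted is a hijack candidate."""
    if finding is None:
        return False
    simple_name = (finding["assembly"] or "").split(",")[0].strip()
    return simple_name not in KNOWN_GOOD_MANAGERS

def scan_directory(root_dir: str) -> list:
    """Collect (path, finding) for every suspicious *.exe.config under root_dir."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".exe.config"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    finding = find_appdomain_manager(fh.read())
                if is_suspicious(finding):
                    hits.append((path, finding))
    return hits

# Constructed sample of the config a hijacked host binary would sit beside.
SAMPLE_HIJACK_CONFIG = """<configuration><runtime>
  <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
  <appDomainManagerType value="Loader.Manager"/>
</runtime></configuration>"""
```

Run scan_directory against the directories of signed .NET executables on a host; a hit means the runtime has been told to load an assembly the application did not ship with.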
Indicators of Compromise (IOCs)
Domains:
- licencemanagers.azurewebsites.net
- NanoMatrix.azurewebsites.net
- hxxps://app[redacted].live
SHA256 Hashes:
- 44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250
- 332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17
The findings underscore the necessity for continuous adaptation of defensive measures against increasingly sophisticated methods employed by threat actors like Screening Serpens.