Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns
The Iranian APT group Screening Serpens has been observed conducting espionage campaigns in 2026 targeting the technology and defense sectors. Their operations include the use of AppDomainManager hijacking and deployment of new remote access trojan (RAT) variants. These tactics enable persistent access and data exfiltration from targeted organizations. The campaigns have been detailed by Palo Alto Networks Unit 42, highlighting the evolving threat landscape posed by this actor. No known exploits in the wild have been reported, and no specific affected software versions or patches are identified. The threat is assessed as medium severity based on the available information.
AI Analysis
Technical Summary
Screening Serpens, an Iranian advanced persistent threat group, is actively conducting espionage campaigns in 2026 against technology and defense sector targets. Their techniques include hijacking the .NET AppDomainManager to maintain persistence and deploying new variants of remote access trojans to facilitate unauthorized access and data theft. The detailed analysis by Unit 42 provides insight into their evolving toolset and operational methods. There is no indication of specific vulnerable software versions or publicly available patches. The campaigns represent a targeted espionage threat rather than a widespread vulnerability or exploit.
Potential Impact
The impact involves unauthorized access and espionage targeting sensitive sectors such as technology and defense. The use of AppDomainManager hijacking and new RAT variants allows the threat actor to maintain persistence and potentially exfiltrate confidential information. There are no reports of widespread exploitation or direct damage beyond espionage activities. The medium severity rating reflects the targeted nature and potential sensitivity of compromised data.
Mitigation Recommendations
No specific patches or fixes are identified for this threat. Organizations in the technology and defense sectors should monitor for indicators of compromise related to AppDomainManager hijacking and RAT activity as detailed by Unit 42. Implementing detection and response capabilities focused on these tactics is recommended. Since no vendor advisory or official patch is available, standard threat hunting and incident response procedures aligned with the threat actor's known behaviors should be employed.
Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns
Description
The Iranian APT group Screening Serpens has been observed conducting espionage campaigns in 2026 targeting the technology and defense sectors. Their operations include the use of AppDomainManager hijacking and deployment of new remote access trojan (RAT) variants. These tactics enable persistent access and data exfiltration from targeted organizations. The campaigns have been detailed by Palo Alto Networks Unit 42, highlighting the evolving threat landscape posed by this actor. No known exploits in the wild have been reported, and no specific affected software versions or patches are identified. The threat is assessed as medium severity based on the available information.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Screening Serpens, an Iranian advanced persistent threat group, is actively conducting espionage campaigns in 2026 against technology and defense sector targets. Their techniques include hijacking the .NET AppDomainManager to maintain persistence and deploying new variants of remote access trojans to facilitate unauthorized access and data theft. The detailed analysis by Unit 42 provides insight into their evolving toolset and operational methods. There is no indication of specific vulnerable software versions or publicly available patches. The campaigns represent a targeted espionage threat rather than a widespread vulnerability or exploit.
Potential Impact
The impact involves unauthorized access and espionage targeting sensitive sectors such as technology and defense. The use of AppDomainManager hijacking and new RAT variants allows the threat actor to maintain persistence and potentially exfiltrate confidential information. There are no reports of widespread exploitation or direct damage beyond espionage activities. The medium severity rating reflects the targeted nature and potential sensitivity of compromised data.
Mitigation Recommendations
No specific patches or fixes are identified for this threat. Organizations in the technology and defense sectors should monitor for indicators of compromise related to AppDomainManager hijacking and RAT activity as detailed by Unit 42. Implementing detection and response capabilities focused on these tactics is recommended. Since no vendor advisory or official patch is available, standard threat hunting and incident response procedures aligned with the threat actor's known behaviors should be employed.
Technical Details
- Article Source
- {"url":"https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/","fetched":true,"fetchedAt":"2026-05-26T19:42:22.346Z","wordCount":5939}
Threat ID: 6a15f7a26b9ae66727f538f0
Added to database: 5/26/2026, 7:42:26 PM
Last enriched: 5/26/2026, 7:42:35 PM
Last updated: 5/26/2026, 8:55:17 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.