Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns
Between February and April 2026, the Iranian-linked APT group Screening Serpens deployed six new remote access Trojan (RAT) variants against technology sector professionals in the U.S., Israel, the UAE, and other Middle Eastern countries. The group used highly tailored social engineering built around personalized recruitment lures. Two new malware families, MiniUpdate and MiniJunk V2, use techniques such as AppDomainManager hijacking to run attacker code inside legitimate .NET processes and disable security mechanisms. The campaigns relied on DLL sideloading, scheduled tasks for persistence, and further evasion methods, with dedicated command-and-control (C2) infrastructure hosted on Azure. The operations aimed to maintain long-term espionage access and showed increased technical sophistication and operational resilience.
AI Analysis
Technical Summary
Unit 42 researchers identified six new remote access Trojan variants used by the Iran-nexus APT group Screening Serpens in early 2026, coinciding with a regional conflict. The group primarily targeted technology sector professionals in the U.S., Israel, the UAE, and other Middle Eastern locations with personalized recruitment lures. Two novel malware families, MiniUpdate and MiniJunk V2, were discovered; they employ techniques including AppDomainManager hijacking. In that technique a .NET Framework executable is made to load an attacker-controlled assembly during CLR initialization, typically through appDomainManagerAssembly/appDomainManagerType settings in the application's .config file or the equivalent APPDOMAIN_MANAGER_ASM/APPDOMAIN_MANAGER_TYPE environment variables, so the malicious code runs inside a trusted, often signed, process before the application's own code and can disable security controls. The malware also uses DLL sideloading, scheduled tasks for persistence, and dedicated C2 infrastructure hosted on Microsoft Azure. The campaigns show enhanced technical capability and operational resilience aimed at maintaining long-term espionage access.
Potential Impact
The identified malware variants provide persistent remote access for espionage, targeting high-value individuals in multiple countries. The evasion and persistence techniques, including AppDomainManager hijacking and DLL sideloading, let the malware disable security mechanisms and keep a stealthy long-term presence. Dedicated C2 infrastructure on Azure gives the operators resilient command and control that can blend in with legitimate Microsoft cloud traffic. No software vulnerability is exploited: initial access depends on the target acting on a recruitment lure, and the medium severity reflects the impact on targeted organizations' confidentiality and operational security rather than any exploitable flaw in a product.
Mitigation Recommendations
These are malware families rather than a software vulnerability, so there is no patch or vendor fix to apply; the primary reference is the Unit 42 report listed under Technical Details, which should be checked for updated indicators. Organizations should detect and block the published indicators of compromise (the domain and file hashes below), keeping in mind that the hash list mixes MD5, SHA-1 and SHA-256 values and must be matched against all three algorithms. Given the personalized recruitment lures, user awareness training tailored to fake job offers and unsolicited recruiter contact is recommended. Monitoring for suspicious scheduled tasks, DLL sideloading (a DLL loaded from an application or user-writable directory rather than the system path), and anomalous .NET application initialization (an .exe.config that sets appDomainManagerAssembly/appDomainManagerType, or a process started with APPDOMAIN_MANAGER_ASM set) can surface infections. Because the C2 is hosted on Azure, blocking the cloud provider wholesale is not practical; instead monitor outbound connections to the listed domain and for Azure-bound traffic from workstations that have no business reason to generate it.
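The AppDomainManager hijack described in the technical summary and the ".NET application initialization" monitoring recommended above can be turned into a concrete hunt. The following Python scanner is an added example, not code from the page or from Unit 42: it walks a directory tree, parses every .NET .config file, reports any that redirect the AppDomainManager, and checks whether the named assembly sits beside the config as a sidecar DLL. It also flags the per-process environment-variable form of the same redirect. The two config files it scans are constructed inline; the names Updater.exe and UpdateHelper are hypothetical and not related to the campaign.

```python
"""Hunt for AppDomainManager hijacking in .NET Framework application configs.

A .NET Framework executable reads <name>.exe.config at startup.  If the
<runtime> element names an appDomainManagerAssembly / appDomainManagerType,
the CLR loads that assembly and instantiates the type before any of the
application's own code runs, so a benign signed binary can be made to execute
attacker code just by dropping a config and a DLL next to it.  On a normal
workstation the expected number of findings is zero.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    config_path: str
    assembly: str            # value of appDomainManagerAssembly
    manager_type: str        # value of appDomainManagerType
    sidecar_dll: Optional[str]  # assembly file found next to the config, if any


def parse_app_domain_manager(config_path: str) -> Optional[Finding]:
    """Return a Finding if the config redirects the AppDomainManager, else None."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None  # not XML; .config files are sometimes plain text
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    asm_value = asm.get("value", "") if asm is not None else ""
    typ_value = typ.get("value", "") if typ is not None else ""
    # The simple assembly name is the first comma-separated part of the display name.
    simple_name = asm_value.split(",")[0].strip()
    sidecar = os.path.join(os.path.dirname(config_path), simple_name + ".dll")
    return Finding(config_path, asm_value, typ_value,
                   sidecar if simple_name and os.path.isfile(sidecar) else None)


def scan_tree(root_dir: str) -> List[Finding]:
    """Scan every *.config under root_dir and collect AppDomainManager redirects."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".config"):
                found = parse_app_domain_manager(os.path.join(dirpath, name))
                if found is not None:
                    findings.append(found)
    return findings


def env_hijack_indicators(env: Dict[str, str]) -> Dict[str, str]:
    """The same redirect can be applied to one process via environment variables."""
    keys = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
    return {k: v for k, v in env.items() if k.upper() in keys}


# Constructed samples (hypothetical names, not campaign artifacts).
HIJACKED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>"""
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""


def demo() -> List[Finding]:
    """Offline run over a temporary tree holding one hijacked and one benign config."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "app"))
        with open(os.path.join(d, "app", "Updater.exe.config"), "w") as fh:
            fh.write(HIJACKED_CONFIG)
        with open(os.path.join(d, "app", "UpdateHelper.dll"), "wb") as fh:
            fh.write(b"MZ")  # stand-in for the sideloaded assembly
        with open(os.path.join(d, "Other.exe.config"), "w") as fh:
            fh.write(BENIGN_CONFIG)
        return scan_tree(d)


if __name__ == "__main__":
    for f in demo():
        print(f"[!] {f.config_path}: {f.assembly} -> {f.manager_type} (sidecar: {f.sidecar_dll})")
    print(env_hijack_indicators(dict(os.environ)) or "no APPDOMAIN_MANAGER_* variables set")
```

Point scan_tree at Program Files, user profile and temp directories on a suspect host; a finding whose sidecar DLL is unsigned, or whose config was written long after the executable next to it, is the case to escalate. The environment-variable check is only meaningful against the environment block of a running process (for example from an EDR process-creation event), since the variables need not persist on disk.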
Affected Countries
United States, Israel, United Arab Emirates
Indicators of Compromise
- domain: business-startup.org
- hash (MD5): 628d831989787ee1b4ffee611cb2014b
- hash (MD5): 810f8e3b88eb05f710c09552941d6f56
- hash (MD5): cdbe76cdfdec8f7c09781b2ef0fdb7f4
- hash (MD5): edcdba624ddb43c2a1dcf334aa493068
- hash (SHA-1): 0997b6c2fdc3af2de118db559c92ef510c60a994
- hash (SHA-1): 67f41dc48bfd0c0597295259bd3c0d3c09dfea34
- hash (SHA-1): da11679653ef33952c3dc8d8850e43d7b8ac884a
- hash (SHA-256): 0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864
- hash (SHA-256): 332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17
- hash (SHA-256): 38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d
- hash (SHA-256): 43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa
- hash (SHA-256): 44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250
- hash (SHA-256): 74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27
- hash (SHA-256): 8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b
- hash (SHA-256): 9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84
- hash (SHA-256): 9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1
- hash (SHA-256): b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4
- hash (SHA-256): bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad
- hash (SHA-256): d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2
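The hash list above mixes three digest algorithms (four MD5, three SHA-1 and twelve SHA-256 values), so a scanner that compares files against only one of them silently misses most of the list. The Python script below is an added example, not code from the page or from Unit 42: it buckets the published hashes by algorithm, reads each file once while computing all three digests, and reports every match. To produce a hit offline, the demo plants one constructed file and adds that file's own SHA-256 to a copy of the list; the planted file has nothing to do with the campaign.

```python
"""Match files on disk against the mixed-algorithm hash IOCs in this report.

The published list holds MD5 (32 hex chars), SHA-1 (40) and SHA-256 (64)
digests side by side.  Each file is read once, all three digests are computed
in that single pass, and each digest is looked up in the bucket for its own
algorithm.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

# Hash IOCs exactly as published on this page (the domain IOC is handled elsewhere).
IOC_HASHES = [
    "628d831989787ee1b4ffee611cb2014b",
    "810f8e3b88eb05f710c09552941d6f56",
    "cdbe76cdfdec8f7c09781b2ef0fdb7f4",
    "edcdba624ddb43c2a1dcf334aa493068",
    "0997b6c2fdc3af2de118db559c92ef510c60a994",
    "67f41dc48bfd0c0597295259bd3c0d3c09dfea34",
    "da11679653ef33952c3dc8d8850e43d7b8ac884a",
    "0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864",
    "332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17",
    "38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d",
    "43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa",
    "44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250",
    "74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27",
    "8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b",
    "9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84",
    "9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1",
    "b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4",
    "bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad",
    "d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2",
]

ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def bucket_iocs(hashes: Iterable[str]) -> Dict[str, Set[str]]:
    """Sort hex digests into per-algorithm sets; reject anything that is not a digest."""
    buckets: Dict[str, Set[str]] = {a: set() for a in ALGO_BY_LENGTH.values()}
    for raw in hashes:
        h = raw.strip().lower()
        algo = ALGO_BY_LENGTH.get(len(h))
        if algo is None or not set(h) <= HEX:
            raise ValueError(f"not a recognised hex digest: {raw!r}")
        buckets[algo].add(h)
    return buckets


def digests(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of one file in a single read."""
    hashers = {a: hashlib.new(a) for a in ALGO_BY_LENGTH.values()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root: str, buckets: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (path, algorithm, digest) for every file that matches an IOC."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                d = digests(path)
            except OSError:  # unreadable or vanished file; keep scanning
                continue
            for algo, hexdigest in d.items():
                if hexdigest in buckets[algo]:
                    hits.append((path, algo, hexdigest))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Offline run: plant a constructed file and add its SHA-256 to a copy of the list."""
    planted = b"constructed sample, not campaign malware\n"
    buckets = bucket_iocs(IOC_HASHES + [hashlib.sha256(planted).hexdigest()])
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "planted.bin"), "wb") as fh:
            fh.write(planted)
        with open(os.path.join(d, "clean.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        return [(os.path.basename(p), a, h) for p, a, h in scan_tree(d, buckets)]


if __name__ == "__main__":
    for path, algo, hexdigest in demo():
        print(f"[IOC match] {path} {algo}={hexdigest}")
```

Hash matching only catches the exact samples Unit 42 analysed; rebuilt variants of the same families will not match, so treat a hit as confirmation rather than the sole detection and pair it with the behavioural checks in the mitigation section.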
Technical Details
- Author: AlienVault
- TLP: white
- References: https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/
- Adversary: Screening Serpens
- Pulse ID: 6a109360ffcb2c8229a150c7
- Threat Score: not assigned
Threat ID: 6a141c73a5ae1af1aa8158f0
Added to database: 5/25/2026, 9:54:59 AM
Last enriched: 5/25/2026, 10:09:52 AM
Last updated: 5/25/2026, 12:02:02 PM