An Iran-linked cyber espionage group targeted entities in the US, Israel, and the United Arab Emirates during a months-long campaign that coincided with the recent regional escalation, Palo Alto Networks’ Unit 42 said in a new report.
The group, known as Screening Serpens, is also tracked under the aliases UNC1549, Smoke Sandstorm, and Iranian Dream Job. Unit 42 described it as an Iran-nexus advanced persistent threat (APT) group aligned with Iranian intelligence objectives.
According to the report, the group targeted entities in the US, Israel, and the UAE, and likely two additional Middle Eastern entities. The research focused on cyberattacks carried out from mid-February through April 2026.
Unit 42 said the timing of the campaigns closely aligned with the regional conflict that began in the Middle East on February 28, 2026, as well as with Operation Roaring Lion. During the investigation, researchers identified six new remote access Trojan (RAT) variants that were developed and deployed between February and April 2026.
The six RAT variants were grouped into two new malware families, called MiniUpdate and MiniJunk V2. Unit 42 said the malware was used in parallel espionage campaigns and that the timing of the deployments indicated two coordinated waves of cyberattacks. At least one variant was compiled and deployed with specific timing instructions.
The most significant development in the group’s latest campaign was its use of a technique called AppDomainManager hijacking, Unit 42 said. The technique manipulates the initialization phase of .NET applications, allowing attackers to disable an application’s security mechanisms through a legitimate configuration file before the application fully starts.
That left targeted organizations exposed to the multi-functional RATs deployed in the attack, according to the report.
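A defensive check for the technique described above, as an added example that is not taken from the Unit 42 report: it scans .NET Framework `*.exe.config` files for the `<runtime>` settings `appDomainManagerAssembly` and `appDomainManagerType`, the documented configuration elements for replacing an application's AppDomainManager. The article does not reproduce the campaign's configuration file, so the use of these elements is an assumption, and the sample configs and `ExampleLoader` names are constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# .NET Framework <runtime> settings that replace the default AppDomainManager.
HIJACK_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

def local_name(tag):
    """Drop an XML namespace prefix such as '{urn:...}name'."""
    return tag.rsplit("}", 1)[-1]

def appdomain_manager_overrides(config_xml):
    """Return {element: value} for AppDomainManager settings under <runtime>."""
    try:
        root = ET.fromstring(config_xml)  # accepts str or raw bytes (BOM-aware)
    except ET.ParseError:
        return {}  # not well-formed XML; triage such files separately
    found = {}
    for runtime in root.iter():
        if local_name(runtime.tag) != "runtime":
            continue
        for child in runtime:
            if local_name(child.tag) in HIJACK_ELEMENTS:
                found[local_name(child.tag)] = child.get("value", "")
    return found

def scan_tree(top):
    """Yield (path, overrides) for each *.exe.config below `top` that sets one."""
    for path in sorted(Path(top).rglob("*.exe.config")):
        try:
            hits = appdomain_manager_overrides(path.read_bytes())
        except OSError:
            continue  # unreadable file; skip rather than abort the sweep
        if hits:
            yield path, hits

# Constructed samples: a benign config and one that redirects the manager.
BENIGN = """<configuration><startup>
  <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
</startup></configuration>"""

SUSPECT = """<configuration><runtime>
  <appDomainManagerAssembly value="ExampleLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
  <appDomainManagerType value="ExampleLoader.Manager"/>
</runtime></configuration>"""

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(appdomain_manager_overrides(sample))
```

A hit is a lead for review rather than a verdict: some legitimate software sets a custom AppDomainManager, so compare the named assembly against what the vendor ships and check whether a DLL of that name sits beside the executable.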
Iranian hacking group uses social engineering
Screening Serpens primarily targets technology-sector professionals through highly tailored social engineering, often using fake recruitment lures that impersonate trusted brands and hiring platforms, Unit 42 said. In one campaign, attackers used fake job documents and a “Hiring Portal” archive to trick technical personnel into launching the infection chain.
In another campaign that appeared to target an Israeli entity, the malware was delivered via an archive file that impersonated an installer for a popular video conferencing platform. Unit 42 said it found no indication that the impersonated organization’s infrastructure had been breached, adding that the attackers appeared to have used the brand only for impersonation.
Screening Serpens focuses on Middle East targets
The report said that Screening Serpens has been active since at least 2022 and has demonstrated increased technical capabilities and operational resilience in its recent activities. It has historically focused on regional targets in the Middle East, while more recent campaigns showed expansion into additional arenas.
“As of April 2026, Screening Serpens activity shows no signs of slowing down and has continued to orchestrate sustained, adaptive global cyber campaigns,” Unit 42 said. The company warned that organizations should expect further attempts in the near term and strengthen their defenses against potential compromise.



