Flash Briefing | High | Communications, Critical Infrastructure

Screening Serpens Expands Arsenal With Six New RAT Variants in Aerospace, Defence, and Telecom Espionage Campaign

Palo Alto Networks Unit 42 has published new intelligence on Screening Serpens, an Iran-nexus APT group (also tracked as UNC1549 and Smoke Sandstorm), documenting six previously undisclosed remote access Trojan variants deployed against organisations in the United States, Israel, and the United Arab Emirates between mid-February and late April 2026. The campaigns — timed to coincide with the escalation of regional conflict from 28 February 2026 — targeted professionals in aerospace, defence manufacturing, and telecommunications, and demonstrate a marked increase in the group’s operational tempo and technical sophistication.

What the Research Reveals

The six RAT variants belong to two new malware families designated MiniUpdate and MiniJunk V2. Unit 42 tracked deployment activity across a series of coordinated campaign waves: initial payload delivery to a Middle Eastern target in mid-February, samples uploaded from US infrastructure in late March, and further activity against UAE and Middle Eastern entities on 15 and 17 April 2026.

The most technically significant development is the group’s adoption of AppDomainManager hijacking — a .NET-specific technique that manipulates the application initialisation phase to disable security controls before the target application fully loads. By supplying a malicious configuration file, the attacker causes .NET to load a rogue assembly during startup, executing attacker code before endpoint detection and response tooling has an opportunity to intercept it. This technique is specifically designed to bypass EDR products that rely on early-process hooking.

Command and control infrastructure is routed through Azure-hosted domains — a living-off-trusted-services approach consistent with other Iranian and Chinese APT operations documented in recent years. Each target or variant is assigned a dedicated set of three to five unique C2 domains, preventing cross-contamination between intrusion sets and reducing the intelligence value of any single domain takedown.

Initial access relies on personalised spear-phishing lures themed around job listings. In one campaign, attackers impersonated a major commercial airline, distributing fabricated job applications containing malware-laden ZIP archives. DLL sideloading is used for execution, loading the RAT payload through a legitimate, signed binary. The infection chain is consistent with the group’s historically documented “Iranian Dream Job” approach — a technique also employed by North Korea’s Lazarus Group against similar target sets.

Why This Matters for Affected Sectors

The target profile — aerospace, defence manufacturing, telecommunications — places this campaign squarely within the intelligence collection priorities of Iranian state-sponsored actors. The timing correlation with the February 2026 regional conflict is not coincidental: Unit 42 assesses the surge in operational tempo as a direct response to geopolitical developments, consistent with patterns seen in previous Iranian APT activity during periods of regional escalation.

For telecommunications operators, the risk extends beyond direct targeting. Telecom organisations hold transit data, subscriber records, and communications intelligence that support Iran’s broader surveillance and counterintelligence objectives. The use of Azure infrastructure makes detection harder for organisations that do not apply rigorous scrutiny to outbound traffic destined for major cloud providers — traffic that many security stacks treat as inherently trusted.

For aerospace and defence suppliers, the threat is compounded by the supply-chain dimension. Screening Serpens has historically expanded from primary targets to their contractor networks once an initial foothold is established, consistent with the broader pattern of adversarial interest in the industrial base supporting Western and allied defence programmes.

For security operations teams:

  • Review EDR telemetry for AppDomainManager hijacking indicators: unusual .runtimeconfig.json modifications, unexpected .NET assembly loads during application startup, and DLL loads from writable directories during known-legitimate process initialisation
  • Apply threat-hunting queries for outbound connections to newly registered or low-reputation Azure-hosted domains (*.azurewebsites.net, *.blob.core.windows.net, *.windows.net) from endpoints in aerospace, defence, or engineering business units
  • Check email gateway logs for job-themed phishing lures containing ZIP attachments, particularly those impersonating aviation or defence industry brands
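Two of the checks above can be scripted against artefacts a SOC already collects. The following is an added example written for this briefing, not tooling from Unit 42 or from the report; every configuration file and proxy log line in it is constructed, and the host names, IP addresses and assembly names are placeholders. The first function covers the AppDomainManager hijacking paragraph: it parses the `<appDomainManagerAssembly>` / `<appDomainManagerType>` override that the .NET Framework reads from an application's `.exe.config`, which ordinary business applications almost never set. The second function covers the Azure-hosted C2 bullet: it counts outbound `CONNECT`s to the listed Azure suffixes per host, with an allowlist because `*.windows.net` also carries legitimate Microsoft identity and messaging traffic.

```python
"""Triage helpers for two of the hunting items above (added example; all sample
data below is constructed and not taken from the Unit 42 research)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# --- Check 1: static indicator of AppDomainManager hijacking -----------------
# The .NET Framework honours <appDomainManagerAssembly> and <appDomainManagerType>
# under <runtime> in an application's .exe.config.  Line-of-business software
# practically never sets them, so any occurrence is worth an analyst's time.

def find_appdomainmanager_overrides(config_xml: str) -> dict:
    """Return {'assembly': ..., 'type': ...} when the config overrides the
    AppDomainManager, or {} when it does not."""
    root = ET.fromstring(config_xml)
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            tag = child.tag.rsplit("}", 1)[-1]   # tolerate a namespace prefix
            if tag == "appDomainManagerAssembly":
                found["assembly"] = child.get("value", "")
            elif tag == "appDomainManagerType":
                found["type"] = child.get("value", "")
    return found


def assembly_simple_name(assembly_ref: str) -> str:
    """'Foo, Version=1.0.0.0, ...' -> 'Foo'.  The simple name is the DLL the
    runtime will load from the application directory; compare it against the
    files that shipped with the application to spot a later-added assembly."""
    return assembly_ref.split(",", 1)[0].strip()


# --- Check 2: outbound hunt for Azure-hosted C2 candidates -------------------
AZURE_SUFFIXES = (".azurewebsites.net", ".blob.core.windows.net", ".windows.net")
# Constructed proxy-log shape: "<timestamp> <client-ip> CONNECT <host>:<port>"
_PROXY_LINE = re.compile(r"^(\S+)\s+(\S+)\s+CONNECT\s+([A-Za-z0-9.-]+):\d+")


def hunt_azure_destinations(log_lines, allowlist=frozenset()) -> dict:
    """Count CONNECTs per Azure-hosted destination, skipping allowlisted hosts.
    *.windows.net is broad (Entra ID, Service Bus, ...), so a curated allowlist
    of known-good hosts is what keeps the output reviewable."""
    hits = Counter()
    for line in log_lines:
        m = _PROXY_LINE.match(line)
        if not m:
            continue
        host = m.group(3).lower()
        if host in allowlist:
            continue
        if host.endswith(AZURE_SUFFIXES):
            hits[host] += 1
    return dict(hits)


# --- Constructed sample artefacts (placeholders, not indicators) -------------
SUSPECT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleManager.Entry" />
  </runtime>
</configuration>"""

BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

SAMPLE_PROXY_LOG = [
    "2026-04-15T10:02:11Z 10.20.30.40 CONNECT app-7f3a.azurewebsites.net:443",
    "2026-04-15T10:02:13Z 10.20.30.40 CONNECT login.windows.net:443",
    "2026-04-15T10:05:09Z 10.20.30.41 CONNECT example.com:443",
    "2026-04-15T10:06:40Z 10.20.30.40 CONNECT app-7f3a.azurewebsites.net:443",
    "2026-04-15T10:07:02Z 10.20.30.42 CONNECT storage9x.blob.core.windows.net:443",
]
KNOWN_GOOD = frozenset({"login.windows.net"})   # placeholder allowlist entry

if __name__ == "__main__":
    for name, cfg in (("suspect.exe.config", SUSPECT_CONFIG),
                      ("benign.exe.config", BENIGN_CONFIG)):
        hit = find_appdomainmanager_overrides(cfg)
        print(name, "->", hit or "no AppDomainManager override")
    for host, n in sorted(hunt_azure_destinations(SAMPLE_PROXY_LOG, KNOWN_GOOD).items()):
        print(f"{n:3d}  {host}")
```

Run it over the `.exe.config` files collected from an endpoint and an export of proxy `CONNECT` lines; a config hit is rare enough to escalate on its own, while the domain counts are a starting point that still need the newly-registered / low-reputation check the bullet calls for.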

For risk and intelligence teams:

  • Brief HR and talent acquisition functions — the job-lure social engineering vector specifically targets professionals actively seeking employment, a population that may interact with unsolicited outreach outside normal corporate security controls
  • Review third-party and contractor access to sensitive programme data; Screening Serpens' supply-chain pivoting represents a material risk to primes and integrators whose contractors may be separately targeted
  • Request indicators of compromise from Unit 42’s published research and apply across SIEM, email gateway, and proxy platforms