Five Takes News
Michael • © 2026 • Five Takes News - Multi-Perspective AI News Aggregator
technology
Published on Sunday, May 24, 2026 at 11:07 PM
State Cyber Warfare Exploits Workers' Job Search

An Iran-linked cyber espionage group, Screening Serpens, has systematically targeted technology-sector professionals in the US, Israel, and the United Arab Emirates through highly tailored social engineering, often using fake recruitment lures. This campaign, active from mid-February through April 2026, exploited the precarity of labor by impersonating trusted brands and hiring platforms to trick workers into launching infection chains. The attacks, identified by Palo Alto Networks’ Unit 42, coincided with a regional conflict that began in the Middle East on February 28, 2026, revealing the expansion of inter-state rivalries into the digital realm, with workers as primary targets.

Screening Serpens, also tracked as UNC1549, Smoke Sandstorm, and Iranian Dream Job, is described by Unit 42 as an Iran-nexus advanced persistent threat group aligned with Iranian intelligence objectives. The group's operations focused on entities in the US, Israel, and the UAE, and likely two additional Middle Eastern entities. This targeting aligns with broader geopolitical competition for influence and resources in the region.

Exploiting Labor's Precarity

The cyberattacks leveraged the economic vulnerabilities of technology professionals. In one documented campaign, attackers deployed fake job documents and a "Hiring Portal" archive to manipulate technical personnel into initiating the infection chain. Another campaign, appearing to target an Israeli entity, delivered malware via an archive file impersonating an installer for a popular video conferencing platform. Unit 42 found no indication that the impersonated organization's infrastructure had been breached, indicating the brand was used solely for impersonation to deceive workers. These methods highlight how the pursuit of state intelligence objectives directly exploits the trust and professional aspirations of individual workers.

During the investigation, Unit 42 researchers identified six new remote access Trojan (RAT) variants developed and deployed between February and April 2026. These variants were categorized into two new malware families, MiniUpdate and MiniJunk V2, and were used in parallel espionage campaigns. The timing of their deployment indicated two coordinated waves of cyberattacks, with at least one variant compiled and deployed with specific timing instructions, demonstrating a calculated and sustained effort.

The most significant technical development in the group’s latest campaign was its use of AppDomainManager hijacking. This technique manipulates the initialization phase of .NET applications, allowing attackers to disable an application’s security mechanisms through a legitimate configuration file before the application fully starts. This sophisticated method left targeted organizations exposed to the multi-functional RATs, demonstrating the advanced capabilities employed in these state-backed operations.
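
For defenders, the configuration-file route described above can be hunted for directly. The following is an added example, not code from Unit 42 or from this article: it scans a directory tree for .NET application config files that set `appDomainManagerAssembly` or `appDomainManagerType` (standard .NET Framework `<runtime>` elements, not indicators quoted from the report). The function names and the sample config are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# .NET Framework <runtime> elements that swap in a custom AppDomainManager.
OVERRIDE_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed sample with placeholder names; not taken from the campaign.
SAMPLE_CONFIG = """<configuration><runtime>
  <appDomainManagerAssembly value="ExampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="ExampleManager.Loader" />
</runtime></configuration>"""


def appdomain_overrides(config_xml):
    """Return {element: value} for AppDomainManager overrides in one config."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return {}
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            tag = child.tag.split("}")[-1]  # drop an XML namespace if present
            if tag in OVERRIDE_ELEMENTS:
                found[tag] = child.get("value", "")
    return found


def scan_tree(root_dir):
    """Walk root_dir and report every *.config file that sets an override."""
    findings = []
    for folder, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".config"):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                hits = appdomain_overrides(fh.read())
            if not hits:
                continue
            # Display name is "Name, Version=..."; keep the simple name.
            simple = hits.get("appDomainManagerAssembly", "").split(",")[0].strip()
            dll = os.path.join(folder, simple + ".dll") if simple else ""
            findings.append({"config": path, "overrides": hits,
                             # Manager DLL beside the config: review first.
                             "dll_beside_config": bool(dll) and os.path.isfile(dll)})
    return findings
```

Some legitimate software sets these elements, so each finding is a lead to triage rather than a verdict. The same override can also be supplied through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, which this file scan does not cover.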

The State's Digital Front

The timing of these campaigns closely aligned with the regional conflict that began in the Middle East on February 28, 2026, as well as with Operation Roaring Lion. This synchronization underscores how cyber warfare is integrated into broader state strategies, serving as a digital front in geopolitical struggles. The state, through its intelligence apparatus, utilizes these cyber operations to advance its interests, often at the expense of the security and privacy of workers and the stability of the digital commons.

Screening Serpens has been active since at least 2022, demonstrating increased technical capabilities and operational resilience in its recent activities. While historically focused on regional targets in the Middle East, more recent campaigns showed an expansion into additional arenas, indicating a growing reach for state-aligned cyber operations. As of April 2026, Screening Serpens activity shows no signs of slowing down, continuing to orchestrate sustained, adaptive global cyber campaigns.

Profiting from Conflict

Palo Alto Networks’ Unit 42, a private cybersecurity firm, issued a warning that organizations should expect further attempts in the near term and strengthen their defenses against potential compromise. This recommendation, while framed as a protective measure, simultaneously reinforces the market for cybersecurity services, allowing private capital to profit from the ongoing state-sponsored cyber conflict. The cycle of state-backed attacks and corporate defense mechanisms creates a perpetual demand for security solutions, turning geopolitical tensions into a source of surplus extraction for the cybersecurity industry, rather than addressing the root causes of inter-state conflict.
