Five Takes News
Michael
technology
Published on Sunday, May 24, 2026 at 11:07 PM
Iran-Aligned Group Undermines Western Digital Sovereignty

An Iran-aligned cyber warfare group has systematically targeted technology-sector professionals in the United States, Israel, and the United Arab Emirates, deploying sophisticated malware to undermine national digital sovereignty. The group, known as Screening Serpens, is described by Palo Alto Networks’ Unit 42 as an Iran-nexus advanced persistent threat group aligned with Iranian intelligence objectives. This sustained campaign, which intensified from mid-February through April 2026, represents a direct assault on the critical human capital and digital borders of these Western-aligned nations.

The cyberattacks, carried out from mid-February through April 2026, coincided with a regional conflict that began in the Middle East on February 28, 2026, as well as with Operation Roaring Lion. Unit 42’s investigation focused on these campaigns, which spanned several months in the same year. The research identified six new remote access Trojan (RAT) variants that were developed and deployed between February and April 2026, indicating a rapid escalation of foreign capabilities against national systems.

Assault on Digital Borders

These six new RAT variants were grouped into two distinct malware families, named MiniUpdate and MiniJunk V2. Unit 42 reported that this malware was used in parallel espionage campaigns, with the timing of the deployments indicating two coordinated waves of cyberattacks against the targeted entities. At least one variant was compiled and deployed with specific timing instructions, demonstrating calculated aggression.

Screening Serpens primarily targets technology-sector professionals through highly tailored social engineering tactics. These methods often involve the use of fake recruitment lures that impersonate trusted brands and established hiring platforms, directly compromising the professional class vital to national innovation and security. The group’s activities have expanded beyond historical regional targets in the Middle East, now showing a broader reach into additional arenas, including the US.

Mechanisms of Penetration

The most significant development in the group’s latest campaign was its use of a technique called AppDomainManager hijacking, according to Unit 42. This technique manipulates the initialization phase of .NET applications, allowing foreign adversaries to disable an application’s security mechanisms. The hijack works through a legitimate configuration file that takes effect before the application fully starts, leaving targeted organizations exposed to the multi-functional RATs deployed in the attack.
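
For defenders, the configuration-file mechanism described above can be checked for directly. The following is an added example, not code from Unit 42 or from this article: a Python triage function that flags application config files naming a custom AppDomainManager. The element names `appDomainManagerAssembly` and `appDomainManagerType` are standard .NET Framework runtime settings rather than details from the report, and the sample file names and values are constructed.

```python
import xml.etree.ElementTree as ET

# .NET Framework <runtime> settings that name a custom AppDomainManager.
# Assumption: these names come from .NET Framework configuration, not the article.
ADM_ELEMENTS = {"appdomainmanagerassembly", "appdomainmanagertype"}

def local_name(tag):
    """Strip an XML namespace prefix and lowercase the element name."""
    return tag.rsplit("}", 1)[-1].lower()

def find_adm_overrides(config_text):
    """Return {element: value} for AppDomainManager settings inside <runtime>."""
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError:
        # A config that does not parse cannot be cleared automatically.
        return {"parse_error": "malformed config; review by hand"}
    hits = {}
    for node in root.iter():
        if local_name(node.tag) != "runtime":
            continue
        for child in node.iter():
            name = local_name(child.tag)
            if name in ADM_ELEMENTS:
                hits[name] = child.get("value", "")
    return hits

def triage(configs):
    """Map each config file name to its findings, keeping only files with hits."""
    results = {}
    for name, text in configs.items():
        hits = find_adm_overrides(text)
        if hits:
            results[name] = hits
    return results

# Constructed sample inputs (hypothetical file names and values).
SAMPLES = {
    "Viewer.exe.config": """<configuration><runtime>
        <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
        <appDomainManagerType value="Helper.Manager"/>
      </runtime></configuration>""",
    "Clean.exe.config": """<configuration><startup>
        <supportedRuntime version="v4.0"/></startup></configuration>""",
    "Broken.exe.config": "<configuration><runtime>",
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(name, hits)
```

A hit is a lead for review rather than proof of compromise, since some legitimate hosts set these values; the useful follow-up is whether the named assembly is signed and expected next to that executable.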

In one documented campaign, attackers employed fake job documents and a “Hiring Portal” archive to trick technical personnel into launching the infection chain, directly subverting the defenses of the native workforce. Another campaign, which appeared to target an Israeli entity, delivered the malware via an archive file that impersonated an installer for a popular video conferencing platform. Unit 42 found no indication that the impersonated organization’s infrastructure had been breached, noting that the attackers appeared to have used the brand only for impersonation.

Persistent Threat to Western Nations

Screening Serpens has been active since at least 2022, demonstrating increased technical capabilities and operational resilience in its recent activities. The group’s historical focus on regional targets in the Middle East has now expanded, with more recent campaigns showing a clear intent to penetrate additional arenas. As of April 2026, Screening Serpens activity shows no signs of slowing down, continuing to orchestrate sustained, adaptive global cyber campaigns.

Unit 42 warned that organizations should expect further attempts in the near term and strengthen their defenses against potential compromise. This ongoing digital assault underscores the persistent vulnerability of national digital infrastructure to foreign state-aligned groups, demanding heightened vigilance from those tasked with protecting Western societies from such transnational threats.
