HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Iranian APT Screening Serpens Deploys New RAT Families in Coordinated Espionage Campaigns Against US, Israeli, and UAE Tech Firms

Screening Serpens, an Iran‑linked APT, launched six new remote‑access trojan variants between February and April 2026, targeting technology companies in the United States, Israel, and the United Arab Emirates. The group leveraged tailored recruitment lures and a novel AppDomainManager hijack to bypass .NET defenses, raising third‑party risk for vendors handling sensitive IP.

LiveThreat™ Intelligence · 📅 May 23, 2026· 📰 unit42.paloaltonetworks.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
Medium
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
unit42.paloaltonetworks.com

Iranian APT Screening Serpens Launches Coordinated Espionage Campaigns Targeting US, Israeli, and UAE Tech Firms with New RATs

What Happened — Unit 42 observed six new remote‑access‑trojan (RAT) variants deployed by the Iran‑linked APT group Screening Serpens between February and April 2026. The group used highly tailored social‑engineering lures (fake recruitment offers) and a novel AppDomainManager hijacking technique to bypass .NET security controls.

Why It Matters for TPRM

  • Espionage‑focused malware can exfiltrate proprietary code, product roadmaps, and intellectual property from third‑party technology providers.
  • The use of supply‑chain‑friendly recruitment lures expands the attack surface to vendors and contractors, increasing indirect risk to your organization.
  • New RAT families demonstrate rapid capability growth, indicating the group may target additional sectors or partners in the coming months.

Who Is Affected — Technology‑sector companies (software development, SaaS platforms, cloud service providers) in the United States, Israel, United Arab Emirates, and potentially other Middle‑Eastern entities.

Recommended Actions

  • Review any third‑party relationships with technology vendors located in the listed regions.
  • Validate that vendors enforce multi‑factor authentication and least‑privilege access for recruitment portals and HR systems.
  • Ensure endpoint detection and response (EDR) solutions can detect the AppDomainManager hijacking pattern and the six identified RAT families.

Technical Notes — Attack vector: social‑engineering recruitment lures → malicious payload delivered via AppDomainManager hijack → multi‑functional RATs (DLL sideloading, credential dumping, data exfiltration). No public CVE references; the technique exploits .NET configuration handling. Source: Palo Alto Unit 42 – Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

📰 Original Source
https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →