Iranian APT Screening Serpens Launches Coordinated Espionage Campaigns Targeting US, Israeli, and UAE Tech Firms with New RATs
What Happened — Unit 42 observed six new remote‑access‑trojan (RAT) variants deployed by the Iran‑linked APT group Screening Serpens between February and April 2026. The group used highly tailored social‑engineering lures (fake recruitment offers) and a novel AppDomainManager hijacking technique to bypass .NET security controls.
Why It Matters for TPRM —
- Espionage‑focused malware can exfiltrate proprietary code, product roadmaps, and intellectual property from third‑party technology providers.
- The use of supply‑chain‑friendly recruitment lures expands the attack surface to vendors and contractors, increasing indirect risk to your organization.
- New RAT families demonstrate rapid capability growth, indicating the group may target additional sectors or partners in the coming months.
Who Is Affected — Technology‑sector companies (software development, SaaS platforms, cloud service providers) in the United States, Israel, United Arab Emirates, and potentially other Middle‑Eastern entities.
Recommended Actions —
- Review any third‑party relationships with technology vendors located in the listed regions.
- Validate that vendors enforce multi‑factor authentication and least‑privilege access for recruitment portals and HR systems.
- Ensure endpoint detection and response (EDR) solutions can detect the AppDomainManager hijacking pattern and the six identified RAT families.
Technical Notes — Attack vector: social‑engineering recruitment lures → malicious payload delivered via AppDomainManager hijack → multi‑functional RATs (DLL sideloading, credential dumping, data exfiltration). No public CVE references; the technique exploits .NET configuration handling. Source: Palo Alto Unit 42 – Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns