Contents of the Portal.zip archive containing hidden files | Image: Unit 42
Security researchers have discovered an aggressive cyber espionage campaign targeting multiple nations. Specifically, Unit 42 recently exposed a wave of sophisticated Screening Serpens cyberattacks. This Iran-nexus advanced persistent threat group is also tracked as UNC1549 and Smoke Sandstorm. According to the threat intelligence report, the latest activity spans from mid-February through April 2026. Consequently, corporate network administrators must review their infrastructure logs immediately for signs of compromise.
The campaign concentrates on strategically significant targets. To begin with, the group targeted entities in the United States, Israel, and the United Arab Emirates. In addition, analysts believe the threat actors compromised two additional Middle Eastern organizations. The report notes: “The timing of these campaigns aligns closely with that of the regional conflict that started in the Middle East on Feb. 28, 2026.” Therefore, geopolitical events continue to coincide with elevated cyber threat levels across industrial sectors worldwide.
Highly Tailored Recruitment Lures
The adversary group relies heavily on deception to establish an initial foothold. Specifically, “Screening Serpens primarily targets technology sector professionals, using highly tailored social engineering.” For instance, the operators create personalized recruitment lures to trick prospective job seekers. These deceptive invitations impersonate trusted corporate brands and popular online hiring platforms. Consequently, unsuspecting users run the initial file believing they are applying for an attractive career role.
Furthermore, the malicious emails use several different delivery mechanisms. Threat actors often send fake job requisitions directly to targeted corporate endpoints. Alternatively, they distribute spoofed video conferencing meeting invitations to prompt user interaction. By leveraging these social engineering tactics, the attackers execute their multi-stage infection chain. Thus, manipulating a single employee is enough to breach the organization.
Evolution of Advanced Execution Tradecraft
Once the victim initiates the process, the attack implements highly sophisticated evasion techniques. Security analysts observed a significant shift in the group’s technical capabilities. The report states: “We observed a significant evolution in the group’s tradecraft: For the first time, Screening Serpens has fused its standard DLL sideloading techniques with advanced AppDomain Manager hijacking.” Consequently, this fusion lets the malware evade default defensive configurations with little effort.
To achieve this stealth, the malware abuses legitimate system components. Specifically, the operators weaponize the native .NET initialization process and alter standard configuration components so that malicious payloads load silently. Because of this trick, the code executes before standard endpoint tools can initialize fully. Ultimately, the attackers establish a persistent foothold that traditional security solutions cannot see.
Discovery of Six New RAT Variants
The persistent access allows the group to deploy more complex tools. During their analysis, researchers discovered six new remote access Trojan variants. These custom implants surfaced between February and April 2026. Furthermore, analysts grouped the six variants into two entirely new malware families. Therefore, the group possesses a highly diverse arsenal for maintaining control over infected networks.
These newly engineered families let operators manipulate files on the infected host. For example, the Trojans support direct data harvesting. They also enable continuous exfiltration of sensitive corporate documents to command-and-control servers. At the same time, the group retains full operational control throughout the campaign. Thus, these Screening Serpens cyberattacks can inflict damage over a long period before they are discovered.
Hardening Corporate Infrastructure and EDR
Organizations must update their active defenses to counter these stealthy execution vectors. To achieve this, the report notes that “defenders should ensure that EDR tools are fine-tuned to detect DLL sideloading and AppDomain Manager hijacking.” Consequently, this tuning helps security teams identify behavioral anomalies quickly. Furthermore, defenders can spot unauthorized modules loading through trusted, signed binaries.
Ultimately, threat monitoring should focus on execution behavior rather than on file hashes alone. In addition, security managers should treat AppDomain manipulation as a critical, high-risk indicator. This approach helps teams catch advanced persistent threats early. Because the group remains highly active, companies must build durable security architectures now.
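As an added example (not Unit 42's tooling or anything from the group itself), the following Python scanner shows the configuration check that the execution-tradecraft and hardening passages above point at: a .NET executable reads a sibling `<name>.exe.config` at start-up, and `appDomainManagerAssembly` / `appDomainManagerType` entries under `<runtime>` make the CLR load the named assembly before the program's own code runs, which is the hook AppDomain Manager hijacking relies on, with the DLL beside the binary as the sideloaded component. The element names are the ones the .NET runtime reads; the `UpdaterHelper` assembly and both sample configs are constructed for this example.

```python
import xml.etree.ElementTree as ET

# <runtime> children that make the CLR load a named assembly before Main runs.
APPDOMAIN_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def find_appdomain_overrides(config_xml: str) -> dict:
    """Return {element: value} for AppDomainManager overrides in a .exe.config.

    Tags are matched on local name so namespaced <runtime> blocks still match;
    an empty dict means the config leaves AppDomain initialization alone.
    """
    found = {}
    for runtime in ET.fromstring(config_xml).iter():
        if runtime.tag.split("}")[-1] != "runtime":
            continue
        for child in runtime:
            name = child.tag.split("}")[-1]
            if name in APPDOMAIN_ELEMENTS:
                found[name] = child.get("value", "")
    return found

def sideload_candidate(assembly_spec: str, sibling_files) -> "str | None":
    """Name the DLL beside the executable that the override would pull in.

    'Payload, Version=1.0.0.0, ...' resolves to Payload.dll in the application
    directory; names compare case-insensitively, as on Windows.
    """
    stem = assembly_spec.split(",")[0].strip().lower()
    for name in sibling_files:
        if stem and name.lower() == stem + ".dll":
            return name
    return None

def triage_config(config_xml: str, sibling_files) -> dict:
    """One finding per config: the overrides present and the DLL they load."""
    overrides = find_appdomain_overrides(config_xml)
    dll = sideload_candidate(overrides.get("appDomainManagerAssembly", ""), sibling_files)
    return {"suspicious": bool(overrides), "overrides": overrides, "sideloaded_dll": dll}

# Constructed sample: a config that silently redirects CLR start-up to a sibling DLL.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdaterHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdaterHelper.Loader" />
  </runtime>
</configuration>"""

# Constructed sample: ordinary runtime tuning, nothing to flag.
BENIGN_CONFIG = "<configuration><runtime><gcServer enabled='true' /></runtime></configuration>"
```

Run `triage_config` over each `*.exe.config` in an application directory together with that directory's file listing; any result with `suspicious` set, especially one that also names a `sideloaded_dll`, is worth correlating with the EDR's module-load telemetry for the signed host binary.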