Who Gets Hit First
An Iran-linked cyber espionage group targeted entities in the US, Israel and the United Arab Emirates during a months-long campaign that coincided with the recent regional escalation, Palo Alto Networks’ Unit 42 said in a new report. The group, known as Screening Serpens, is also tracked under the aliases UNC1549, Smoke Sandstorm and Iranian Dream Job. Unit 42 described it as an Iran-nexus advanced persistent threat group aligned with Iranian intelligence objectives.
The targets were not abstract. According to the report, the group targeted entities in the US, Israel and the UAE, and likely two additional Middle Eastern entities. The research focused on cyberattacks carried out from mid-February through April 2026. Unit 42 said the timing of the campaigns closely aligned with the regional conflict that began in the Middle East on February 28, 2026, as well as with Operation Roaring Lion. During the investigation, researchers identified six new remote access Trojan variants that were developed and deployed between February and April 2026.
How the Apparatus Worked
The six RAT variants were grouped into two new malware families, called MiniUpdate and MiniJunk V2. Unit 42 said the malware was used in parallel espionage campaigns and that the timing of the deployments indicated two coordinated waves of cyberattacks. At least one variant was compiled and deployed with specific timing instructions.
The most significant development in the group’s latest campaign was its use of a technique called AppDomainManager hijacking, Unit 42 said. The technique manipulates the initialization phase of .NET applications, allowing attackers to disable an application’s security mechanisms through a legitimate configuration file before the application fully starts. That left targeted organizations exposed to the multi-functional RATs deployed in the attack, according to the report.
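A defensive check for the technique described above, as an added example that is not taken from the Unit 42 report: it scans .NET application configuration files for the `appDomainManagerAssembly` and `appDomainManagerType` settings under `<runtime>`, the documented .NET Framework elements that name a custom AppDomainManager. The sample configuration and the `ExampleLib` names are constructed, and the function names are this example's own.

```python
import os
import xml.etree.ElementTree as ET

# <runtime> settings that tell the .NET Framework CLR to load a custom
# AppDomainManager during start-up, before the application's own code runs.
WATCHED = {"appdomainmanagerassembly", "appdomainmanagertype"}

# Constructed sample; "ExampleLib" is a placeholder, not an indicator from the report.
SAMPLE = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleLib, Version=1.0.0.0" />
    <appDomainManagerType value="ExampleLib.Manager" />
  </runtime>
</configuration>"""

def local_name(tag):
    """Strip any XML namespace prefix and lower-case the element name."""
    return tag.rsplit("}", 1)[-1].lower()

def find_overrides(config):
    """Return {setting: value} for AppDomainManager settings found under <runtime>."""
    try:
        root = ET.fromstring(config)  # accepts str or bytes
    except ET.ParseError:
        return {}  # not well-formed XML, nothing to report
    hits = {}
    for runtime in (e for e in root.iter() if local_name(e.tag) == "runtime"):
        for child in runtime.iter():
            if local_name(child.tag) in WATCHED:
                hits[local_name(child.tag)] = child.attrib.get("value", "")
    return hits

def scan_tree(root_dir):
    """Yield (path, hits) for each *.config file under root_dir that sets an override."""
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if not fname.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    hits = find_overrides(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits:
                yield path, hits

if __name__ == "__main__":
    print(find_overrides(SAMPLE))
```

A hit is a lead for review rather than a verdict, since legitimate software can set these values too. The same override can also be supplied through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, which this example does not inspect.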
The report said Screening Serpens has been active since at least 2022 and has demonstrated increased technical capabilities and operational resilience in its recent activities. It has historically focused on regional targets in the Middle East, while more recent campaigns showed expansion into additional arenas. As of April 2026, Screening Serpens shows no signs of slowing down and has continued to orchestrate sustained, adaptive global cyber campaigns, Unit 42 said.
Targets, Lures, and Brand Theft
Screening Serpens primarily targets technology-sector professionals through highly tailored social engineering, often using fake recruitment lures that impersonate trusted brands and hiring platforms, Unit 42 said. In one campaign, attackers used fake job documents and a “Hiring Portal” archive to trick technical personnel into launching the infection chain. In another campaign that appeared to target an Israeli entity, the malware was delivered via an archive file that impersonated an installer for a popular video conferencing platform.
Unit 42 said it found no indication that the impersonated organization’s infrastructure had been breached, adding that the attackers appeared to have used the brand only for impersonation. That detail matters: the machinery of deception did not need to break the brand’s systems to exploit the trust built around them. It only needed the appearance of legitimacy and the pressure of recruitment, work, and routine digital habits.
The company warned that organizations should expect further attempts in the near term and strengthen their defenses against potential compromise. In the language of institutional security, that means the burden remains on targeted organizations to absorb the next wave of intrusion while the campaign continues to adapt.
The report’s timeline places the cyberattacks squarely alongside the regional conflict that began in the Middle East on February 28, 2026, and Operation Roaring Lion. Unit 42 said the campaigns closely aligned with that escalation, with six new remote access Trojan variants developed and deployed between February and April 2026. The result was not a one-off strike but a sustained, coordinated campaign built to keep moving.