Threat Intelligence

Screening Serpens (UNC1549): Iran-Nexus Espionage and the MiniUpdate RAT (May 2026)

Unit 42's May 22, 2026 report tracks the Iran-nexus group Screening Serpens deploying new MiniUpdate and MiniJunk V2 RATs against US, Israeli, and Gulf targets using job-themed lures and DLL sideloading.

Safeguard Research Team

On 22 May 2026, Palo Alto Networks' Unit 42 published an analysis of an Iran-nexus cyberespionage group it tracks as Screening Serpens — also known in industry reporting as UNC1549, Smoke Sandstorm, and "Iranian Dream Job." The report covers a campaign Unit 42 observed between February and April 2026 against entities in the United States, Israel, the United Arab Emirates, and two additional Middle Eastern countries. It documents two newly identified remote-access trojan families and a tradecraft profile built around highly tailored social engineering.

The timing is relevant. The campaign window overlaps a period of acute regional tension following the conflict that began in late February 2026, and Iran-nexus espionage activity has been a recurring theme in May 2026 threat reporting from multiple vendors. Screening Serpens fits a long-observed Iranian pattern: aerospace, defense, and adjacent sectors approached through fake job opportunities, then compromised with malware delivered under cover of legitimate executables.

This post summarizes Unit 42's findings, marks what is attributed versus inferred, and turns the technical detail into detection and response guidance. Attribution to an Iran-nexus actor is Unit 42's assessment; we report it accordingly.

TL;DR

  • Unit 42 published its Screening Serpens (UNC1549 / Smoke Sandstorm / "Iranian Dream Job") analysis on 22 May 2026, covering activity from February to April 2026.
  • Targets spanned the US, Israel, the UAE, and two further Middle Eastern countries, consistent with prior Iran-nexus interest in aerospace, defense, and related sectors.
  • The group deployed two new RAT families: MiniUpdate (four variants, 16-18 opcodes; file exfiltration, command execution, persistence) and MiniJunk V2 (added obfuscation and multi-stage execution).
  • Initial access relied on highly tailored social engineering — spoofed job postings and video-conferencing lures — delivered via weaponized ZIP archives containing a legitimate executable, a malicious DLL, and a decoy document.
  • Execution used DLL sideloading, AppDomainManager hijacking (manipulating .NET config to disable ETW and bypass signature validation), scheduled-task persistence, and Azure-hosted C2 domains.
  • Key action: this is a social-engineering and sideloading problem. Harden against job-lure phishing, hunt for AppDomainManager hijacking and ETW tampering, and monitor for sideloading from archive-extracted directories.

What happened

Unit 42's report attributes the activity to Screening Serpens, mapping it to the industry aliases UNC1549, Smoke Sandstorm, and "Iranian Dream Job." The "Dream Job" naming reflects the group's defining lure: fabricated employment opportunities, often in aerospace and defense, used to build rapport before delivering malware.

During the February-to-April 2026 window, Unit 42 observed operations against entities in the US, Israel, the UAE, and two other Middle Eastern nations. The group deployed two newly identified RAT families across these targets. Unit 42 frames the campaign as a continuation and evolution of Screening Serpens' established tradecraft rather than a wholesale change in approach.

How the attack worked

Initial access: tailored job and meeting lures

Screening Serpens did not rely on mass phishing. Unit 42 describes highly tailored social engineering: spoofed job postings and video-conferencing lures crafted to impersonate global corporations and tailored to individual targets. The payload arrived as a weaponized ZIP archive bundling three components: a legitimate signed executable, a malicious DLL, and a decoy document to occupy the victim's attention.

Execution: DLL sideloading and AppDomainManager hijacking

When the victim ran the legitimate executable from the extracted archive, it sideloaded the malicious DLL — the same trusted-binary-cover technique used by many state-aligned actors. Unit 42 highlights a second, more evasive mechanism: AppDomainManager hijacking, in which the actor manipulates a .NET application's configuration file to load attacker code into a managed process. Unit 42 reports this was used to disable Event Tracing for Windows (ETW), bypass signature validation, and prevent safe assembly redirections — a deliberate, layered effort to blind host telemetry.

The configuration-hijacking pattern looks structurally like the following. This is an illustrative, non-functional sketch, not a working sample:

<!-- Illustrative AppDomainManager hijack via .NET config (not functional) -->
<configuration>
  <runtime>
    <appDomainManagerAssembly value="MaliciousAssembly, Version=1.0.0.0, ..."/>
    <appDomainManagerType value="Loader.EntryPoint"/>
  </runtime>
</configuration>
<!-- A legitimate .NET EXE launched beside this config loads attacker code
     into its own trusted process at startup. -->

Payloads: MiniUpdate and MiniJunk V2

Two RAT families were deployed:

  • MiniUpdate — Unit 42 documented four variants with roughly 16 to 18 opcodes each, supporting file exfiltration, arbitrary command execution, and persistence.
  • MiniJunk V2 — an evolved iteration adding obfuscation and multi-stage execution chains, raising the cost of static analysis.

Persistence used scheduled tasks, and command-and-control traffic was routed through Azure-hosted domains — a living-off-trusted-cloud choice that helps the traffic blend with legitimate enterprise activity and complicates simple domain-reputation blocking.

What detection looks like

Concrete, prioritized signals:

  • AppDomainManager hijacking and ETW tampering. Hunt for .config files referencing appDomainManagerAssembly / appDomainManagerType, and for the environment variables (APPDOMAIN_MANAGER_ASM, APPDOMAIN_MANAGER_TYPE, COMPLUS_*) that can trigger it. Alert on processes disabling ETW providers.
  • Sideloading from archive-extracted paths. Watch for signed executables run from Downloads, temp, or freshly extracted ZIP directories loading unsigned or mismatched DLLs.
  • Scheduled-task persistence. Monitor for new scheduled tasks created shortly after archive extraction or document open, especially pointing at user-writable paths.
  • Azure-hosted C2. Long-lived or beaconing outbound connections to recently registered Azure domains from user endpoints, particularly from processes that have no business making them.
  • Job-lure phishing. For targeted sectors (aerospace, defense, technology), elevate scrutiny of recruitment-themed inbound contact, especially messages steering recipients to download "assessment" archives or join unfamiliar video calls.
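The sideloading signal above, turned into a rule over image-load telemetry, as an added example that is not code from the original post or from Unit 42. Field names are modelled on Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus); the staging-directory list and the sample events are constructed assumptions to map onto your own EDR.

```python
"""Flag DLL sideloading from download or archive-extraction paths (added example)."""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Directories where an extracted lure archive typically lands (assumed list).
STAGING_MARKERS = ("\\downloads\\", "\\temp\\", "\\tmp\\", "\\desktop\\")


def _in_staging_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in STAGING_MARKERS)


def is_suspect_sideload(event: Dict[str, str]) -> bool:
    """True when a process running from a staging directory loads an unsigned or
    invalidly signed DLL from that same directory. The DLL search order checks
    the EXE's own folder first, which is exactly what sideloading abuses."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.suffix.lower() != ".dll":
        return False
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus", "") == "Valid")
    if signed_ok:
        return False  # a vendor-signed DLL beside its EXE is the normal case
    if not _in_staging_dir(str(image)):
        return False  # the same pattern under Program Files is routine noise
    return loaded.parent == image.parent  # PureWindowsPath compares case-insensitively


def find_sideloads(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if is_suspect_sideload(e)]


# Constructed records: a benign vendor load, a lure-archive sideload, a system DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\Downloads\JobAssessment\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\JobAssessment\uilib.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\Downloads\JobAssessment\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]
```

Feed it your ImageLoad stream and join hits against process-creation telemetry to confirm the host EXE is itself signed, which this record type does not carry.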

Illustrative hunt logic for the .NET hijack; adapt it to your tooling:

# Illustrative — adapt field names to your EDR/SIEM.
ALERT WHEN
  file.path ENDSWITH ".config"
  AND file.content MATCHES "appDomainManager(Assembly|Type)"
  AND created_within = "10m of archive extraction or office doc open"
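A concrete version of the .config sweep from the hunt logic above and from the first detection bullet, as an added example rather than code from the post or from Unit 42. It parses a .NET application config, flags the appDomainManagerAssembly / appDomainManagerType runtime elements and the APPDOMAIN_MANAGER_* / COMPLUS_* environment variables the post names, and additionally flags the runtime etwEnable element (a documented .NET Framework setting that switches CLR ETW events off when enabled="false"); the sample config and environment are constructed.

```python
"""Hunt for AppDomainManager hijack indicators in .NET app configs (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Mapping

HIJACK_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# Windows env var names are case-insensitive; COMPLUS_* is noisy on dev hosts, triage it.
HIJACK_ENV_PREFIXES = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_")


def scan_config_text(config_xml: str) -> List[str]:
    """Return findings for one *.exe.config document (empty list = clean)."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        # A config the CLR cannot parse is still worth eyes; report, don't skip.
        return [f"unparseable config: {exc}"]
    runtime = root.find("runtime")
    if runtime is None:
        return []
    findings: List[str] = []
    for name in HIJACK_ELEMENTS:  # attacker code loaded into the trusted process
        for el in runtime.iter(name):
            findings.append(f"{name}={el.get('value', '')!r}")
    etw = runtime.find("etwEnable")  # CLR ETW telemetry switched off
    if etw is not None and etw.get("enabled", "true").lower() == "false":
        findings.append("etwEnable disabled")
    return findings


def scan_environment(env: Mapping[str, str]) -> Dict[str, str]:
    """Return env vars that can force an AppDomainManager into any .NET process."""
    return {k: v for k, v in env.items() if k.upper().startswith(HIJACK_ENV_PREFIXES)}


# Constructed sample mirroring the sketch earlier in the post (names are placeholders).
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <etwEnable enabled="false"/>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Updater.Bootstrap"/>
  </runtime>
</configuration>"""

SAMPLE_ENV = {"PATH": r"C:\Windows", "APPDOMAIN_MANAGER_ASM": "Updater", "complus_etwenabled": "0"}
```

Pair the file findings with creation time and the archive-extraction or document-open window from the hunt logic to cut noise from legitimate AppDomainManager users.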

What to do Monday morning

Ordered by urgency:

  1. Brief high-risk staff on job-themed lures. Aerospace, defense, and technology employees are the bullseye. Warn against downloading recruiter "assessment" archives or joining unsolicited video calls, and give them a fast path to report.
  2. Hunt for AppDomainManager hijacking. Sweep endpoints for suspicious .config files and the associated environment variables, and for ETW-disable behavior. This is the campaign's most distinctive, highest-fidelity artifact.
  3. Detect sideloading from extracted archives. Add detections for signed binaries in user-download/temp paths loading suspect DLLs; quarantine and triage hits.
  4. Audit recent scheduled tasks on endpoints in targeted business units; investigate any created near document opens or archive extraction.
  5. Review outbound connections to recently registered Azure domains from endpoints, and block or sinkhole confirmed C2.
  6. Pull and apply Unit 42's published IOCs (hashes, domains) into EDR, SIEM, and mail filtering.

Why this keeps happening

Iranian espionage groups have leaned on the "dream job" playbook for years because it works against exactly the high-value targets they want: skilled professionals in defense and aerospace who are accustomed to recruiter outreach and willing to run files a "prospective employer" sends them. The technical chain — DLL sideloading, AppDomainManager hijacking, ETW tampering, cloud-hosted C2 — is a steady escalation in evasion rather than a reinvention. Each layer is chosen to defeat a specific defense: sideloading defeats signature trust, AppDomainManager hijacking and ETW tampering defeat host telemetry, and Azure C2 defeats reputation-based blocking.

Multiple vendors flagged elevated Iran-nexus activity in the spring of 2026 amid regional conflict, and ESET separately reported an uptick in one Iran-nexus group's operations after the February 2026 conflict began. Screening Serpens is one well-documented thread in that broader picture.

The structural fix

Social engineering is a human-layer problem that no scanner fully solves, but the post-compromise chain offers leverage. Faster detection of the sideloading and AppDomainManager techniques shrinks dwell time, and that depends on preserving the telemetry the actor tries to disable — making ETW-tampering and config-hijack detections a priority. On the software-integrity side, verifying that executables and their loaded libraries match expected provenance via SLSA provenance and Sigstore/Cosign raises the bar for trusted-binary abuse, and policy enforcement can flag the unexpected loading of unsigned modules. For organizations triaging the exploitable surface that follows a foothold, reachability analysis helps prioritize what an intruder could actually reach. These reduce blast radius and dwell time; they do not prevent a tailored lure from landing.

What we know we don't know

Unit 42's attribution to an Iran-nexus actor is an assessment based on tooling, victimology, and historical overlap with UNC1549 / Smoke Sandstorm, not a government attribution. The two unnamed Middle Eastern target countries are not disclosed. The success rate of the campaign — how many lures converted to compromise — is not quantified in the public report, and the relationship between Screening Serpens and other Iranian clusters is, as always, subject to revision as the community correlates evidence. Treat the tradecraft and IOCs as solid and the cluster boundaries as the current best assessment.
