Unit 42’s latest research on Screening Serpens is a clean reminder that modern espionage does not always begin with a perimeter exploit. Sometimes it starts with a believable job opportunity, a familiar meeting link, or an application portal that looks routine enough for a busy technical employee to trust.
Screening Serpens — also tracked as UNC1549, Smoke Sandstorm, and Iranian Dream Job — is an Iran-nexus APT that Unit 42 says targeted organizations in the United States, Israel, the United Arab Emirates, and other Middle Eastern entities during activity observed from February through April 2026. The timing overlaps with regional conflict that began on February 28, and the campaign shows a high operating tempo, refreshed malware, and careful infrastructure rotation.
What Unit 42 reported
The campaign used highly tailored social engineering against technology-sector and engineering personnel. Unit 42 described lures that impersonated trusted brands, including recruitment-themed archives and meeting-related download pages. One infection chain used fake job requisitions and a nested “Hiring Portal” archive. Another used a lookalike meeting invitation that pushed the victim toward a malicious download.
The technical payloads matter. Unit 42 identified six new remote access Trojan variants grouped into two malware families: MiniUpdate and MiniJunk V2. The actor used DLL sideloading, target-specific command-and-control domains, and continued malware refinement across March and April. Later MiniUpdate variants added file chunking for more reliable exfiltration and rotated infrastructure that impersonated health and finance entities.
The standout technique is AppDomainManager hijacking. In plain English: the attacker abused a legitimate .NET application configuration path so malicious code could run before the real application fully started. That gives the malware an opportunity to weaken runtime visibility, including telemetry defenders often depend on for .NET monitoring, before the payload settles in.
Why this matters to SMBs and government contractors
This is not only a nation-state problem for defense primes. Smaller contractors, subcontractors, managed service providers, software shops, telecom vendors, and professional services firms often sit close enough to sensitive work to be useful stepping stones. If your staff have access to customer environments, proposal data, cloud consoles, code repositories, controlled unclassified information, or partner portals, they are targetable.
The “Iranian Dream Job” pattern is especially dangerous because it routes around many traditional controls. A firewall may never see the initial trust-building conversation. Endpoint tooling may only see a user extracting an archive or launching what appears to be an installer. HR, recruiting, engineering, and security all own a piece of the defense.
Defensive takeaways
- Treat recruitment lures as a security scenario. Brief technical staff that unsolicited recruiter outreach, coding assessments, “hiring portals,” and meeting-client downloads can be intrusion paths — especially when they involve archives or executables.
- Block risky archive execution patterns. Use endpoint policy to reduce execution from user-writable temp, downloads, and extracted archive paths where possible.
- Monitor .NET abuse paths. Hunt for suspicious application config files, AppDomainManager-related keys, unusual local assemblies, and unexpected scheduled tasks created after installer activity.
- Watch for cloud-hosted lookalike infrastructure. Unit 42 noted C2 domains routed through target-specific infrastructure, including Azure-hosted domains. Do not assume cloud-hosted means trusted.
- Constrain developer and engineering access. Hardware-backed MFA, least privilege, separate admin accounts, conditional access, and strong device compliance reduce blast radius when a technical workstation is compromised.
- Connect HR and security workflows. Security awareness should cover interviews, recruiter messages, contract onboarding, and vendor collaboration — not just phishing emails.
Bulwark Black assessment
Screening Serpens is showing the direction of practical state-aligned intrusion work: tailored human targeting, legitimate-looking business workflows, commodity cloud infrastructure, and enough malware engineering to stay ahead of simple detections. For smaller organizations, the answer is not exotic tooling first. The answer is disciplined basics: reduce where code can execute, verify unexpected hiring and meeting workflows, harden identities, log what matters, and make sure technical teams know that “job opportunity” can be an attack path.
Source: Unit 42, “Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns.”
