Screening Serpens: An Iran-Nexus APT Is Making Its Targets' Own .NET Software Disable Its Defenses

Unit 42 is tracking Screening Serpens, an Iran-nexus APT that fuses DLL sideloading with AppDomainManager hijacking — manipulating .NET applications into switching off their own security mechanisms before deploying six new RATs across the U.S., Israel, and the UAE.

[Illustration: line-art app window with a shield and an OFF toggle switch, a gear-marked config file feeding in, three rat silhouettes below; the toggle holds a red dot.]

Screening Serpens is not bypassing its targets' defenses — it is making the targets' own software turn those defenses off. Palo Alto Networks' Unit 42 reports that the Iran-nexus group has, for the first time, fused its standard DLL-sideloading technique with AppDomainManager hijacking, a method that manipulates the initialization phase of a .NET application to proactively disable that application's own security mechanisms through a legitimate configuration file. With the door held open from the inside, the group deploys multi-functional remote access trojans — Unit 42 documented six new RAT variants built and deployed between February and April 2026. It is a defense-evasion technique that endpoint detection tuned for 'malicious behavior' can easily miss, because the disabling step looks like an ordinary .NET application starting up.

SANTA CLARA, CALIFORNIA — Palo Alto Networks' Unit 42 has published research tracking Screening Serpens, an Iran-nexus advanced persistent threat group conducting cyber-espionage aligned with Iranian intelligence objectives. For the first time, the group fuses its standard DLL-sideloading tradecraft with AppDomainManager hijacking, a technique that uses a .NET application's own legitimate configuration file to manipulate the application's initialization phase and disable its security mechanisms before its code runs. With the target software's defenses switched off, Screening Serpens deploys multi-functional remote access trojans; Unit 42 documented six new RAT variants developed and deployed between February and April 2026. The campaign struck entities in the United States, Israel, and the United Arab Emirates, plus two likely additional Middle Eastern entities, up to five countries in total, concentrating on the technology and defense sectors. The research was published across the May 21-22, 2026 coverage cycle by Unit 42, Cybersecurity Dive, and Industrial Cyber.

Disclosure Overview
Threat Actor: Screening Serpens, an Iran-nexus APT conducting cyber-espionage aligned with Iranian intelligence objectives; 'Serpens' is Unit 42's naming convention for Iran-nexus groups
Reported By: Palo Alto Networks' Unit 42, published across the May 21-22, 2026 coverage cycle (Unit 42 primary research; Cybersecurity Dive; Industrial Cyber)
Headline Technique: For the first time, the group fuses DLL sideloading with AppDomainManager hijacking, manipulating the initialization phase of .NET applications to disable those applications' own security mechanisms via a legitimate configuration file
Payload: Multi-functional remote access trojans (RATs); Unit 42 documented six new RAT variants developed and deployed between February and April 2026; two RAT families observed across the campaign
Targets: Entities in the U.S., Israel, and the UAE, plus two likely additional Middle Eastern entities, up to five countries; focus on the technology and defense sectors
Initial Access: Tailored social engineering, using fake job requisitions and spoofed video-conference meeting invitations
Operational Tempo: Operations increased following the regional conflict that began in February 2026; as of April 2026 the activity shows no signs of slowing
Attribution Caveat: Unit 42 attributes the activity as 'Iran-nexus' and 'aligned with Iranian intelligence objectives', not as a direct attribution to a specific Iranian government or intelligence body

What Happened

The New Trick — Making .NET Software Disable Its Own Defenses

The defining detail in the Screening Serpens campaign is not the volume of malware; it is one technique. Unit 42 reports that, for the first time, the group has fused its long-standing DLL-sideloading method with AppDomainManager hijacking. The technique abuses a documented feature of the .NET Framework runtime. When a .NET Framework application starts, the CLR reads the application's configuration file, the <name>.exe.config that sits beside the executable, and a <runtime> section in that file may name a custom AppDomainManager assembly and type. The runtime loads that assembly and hands it control during AppDomain initialization, before the application's own entry point runs. By dropping an attacker-written configuration file and the assembly it names alongside a legitimate signed .NET application, the group gets its code executed inside the trusted, signed process at the earliest possible moment; this is where the DLL-sideloading half comes in, because the CLR probes the application's own directory for the named assembly. Unit 42 reports the group uses that early foothold to proactively disable the application's own security mechanisms before the program has finished loading. The group is not fighting past the target's defenses; it is convincing the target's own software to switch them off, then walking through. Once the in-application protections are down, Screening Serpens deploys its remote access trojans through the open door.

Six New RATs Built in a Three-Month Window

With a target application's defenses disabled, Screening Serpens delivers multi-functional RATs that give operators broad control over a compromised host. Unit 42 documented six new RAT variants that the group developed and deployed between February and April 2026, a notable rate of in-house tooling output for a three-month window and an indicator that the group is actively engineering, not merely reusing, its malware. Unit 42 observed two RAT families across the campaign overall. Names for the six variants have not been published; defenders should rely on the indicator-of-compromise set in the Unit 42 research rather than any variant labels circulating elsewhere. The combination matters: a fresh evasion technique paired with freshly built payloads is a group investing in both halves of an intrusion at once.

Tailored Lures — Fake Jobs and Spoofed Meeting Invitations

Screening Serpens reaches its targets through tailored social engineering rather than mass phishing. Unit 42 reports two recurring lure types: fake job requisitions and spoofed video-conference meeting invitations. Both are precision instruments aimed at specific roles. A fabricated job posting is built to reach the recruiting, human-resources, and business-development staff who handle requisitions at technology and defense firms, as well as the engineers who might apply for one; a spoofed meeting invitation exploits the routine reflex of accepting a calendar request from an apparently known contact. Unit 42 notes the group increased its operations following the regional conflict that began in February 2026, and that as of April 2026 the activity shows no signs of slowing, a tempo that places the targeted sectors on continuing notice.

Screening Serpens — Campaign Profile
Group Designation: Screening Serpens, an Iran-nexus APT; 'Serpens' denotes Iran-nexus in Unit 42's naming scheme
Mission: Cyber-espionage aligned with Iranian intelligence objectives
First-Observed Technique: AppDomainManager hijacking fused with DLL sideloading, a first for this group, per Unit 42
Mechanism: Manipulates the .NET application initialization phase via a legitimate configuration file to disable the application's own security mechanisms
Tooling: Six new RAT variants developed and deployed February-April 2026; two RAT families across the campaign; variant names not published
Geographic Scope: U.S., Israel, UAE, plus two likely additional Middle Eastern entities, up to five countries
Sector Focus: Technology and defense
Status: Operations surged after the February 2026 regional conflict; no signs of slowing as of April 2026

Scope and Impact

Screening Serpens does not arrive in isolation. It is the Iran entry in a 2026 nation-state cluster that The CyberSignal has tracked across the year — and the cluster has a clear through-line. Read it alongside China's Webworm, which moved its command-and-control traffic onto Discord and OneDrive to hide inside trusted cloud services, the China-nexus Showboat telecom-espionage operation, and DPRK's Kimsuky deploying LLM-developed malware against the defense sector. Each of these groups is converging on the same conclusion: it is safer and quieter to abuse a legitimate mechanism than to deploy obviously hostile tooling. Screening Serpens' AppDomainManager hijacking is the Iranian expression of that idea.

The scope of the campaign is bounded but pointed. Unit 42 names entities in the United States, Israel, and the United Arab Emirates, and assesses that two further likely Middle Eastern entities were also targeted, up to five countries in total, with the activity concentrated on the technology and defense sectors. Nor is Iran new to the regional contest: Iran-nexus operators have been a persistent fixture of the 2026 threat landscape, from MuddyWater pairing Chaos ransomware with a false-flag misdirection to the longer historical arc Symantec traced in its Fast16 research into pre-Stuxnet sabotage tooling. Screening Serpens' surge after the February 2026 regional conflict fits that pattern: for this actor, geopolitical escalation is a leading indicator of operational tempo.

Several things about this campaign are deliberately not confirmed, and this account should not imply otherwise. Unit 42's attribution is 'Iran-nexus' and 'aligned with Iranian intelligence objectives' — not a direct attribution to a specific Iranian government or intelligence body, and that hedge should be preserved. The identities of the targeted U.S., Israeli, and UAE entities are not public, nor are the identities of the two likely additional Middle Eastern entities. The names of the six RAT variants have not been published. Whether any of the espionage operations succeeded in exfiltrating data — and if so, what — is not established, and the group's relationship to other named Iranian APTs is not confirmed. Exposure to a tailored lure is not the same as a successful intrusion, and the research does not claim a fixed victim count.

Response and Attribution

For SOC and detection-engineering teams, the central instruction is to hunt for AppDomainManager hijacking directly, because the technique is built to defeat behavior-based detection. The artifacts are concrete. Hunt for <name>.exe.config files whose <runtime> section contains appDomainManagerAssembly or appDomainManagerType, and for processes started with the APPDOMAIN_MANAGER_ASM or APPDOMAIN_MANAGER_TYPE environment variables set, which configure the same thing without touching a file; legitimate software almost never sets a custom AppDomainManager, so any hit deserves a look. Pair that with image-load telemetry (Sysmon Event ID 7 or an EDR equivalent) showing an unsigned or unfamiliar managed DLL loading into a signed .NET application from a user-writable directory, and with .config files created or modified more recently than the executable they govern. Because the custom manager runs before the application's entry point, the malicious step looks like legitimate application initialization, so signature-based and pure 'malicious behavior' detection will miss it. One scoping caveat: the feature belongs to the .NET Framework, and .NET Core and later do not honor a configured AppDomainManager, which narrows the hunt to .NET Framework binaries. Continue to hunt for DLL sideloading against legitimate signed .NET applications, and treat a disabled in-application security mechanism as a detection signal in its own right rather than a benign configuration state. Teams should ingest the Unit 42 indicator-of-compromise set and sweep telemetry back to February 2026, when the documented activity began. Hardening .NET application configurations matters too: review whether .config files in application directories can be written by lower-privileged users or processes, since that writeability is what makes the technique possible in place, and remember that an attacker can sidestep it by copying the signed executable into a directory they control, so a legitimate signed .NET binary running from a user-writable location is itself a signal.
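As an added example serving both the mechanism described under "The New Trick" above and the hunting guidance in this section (this is not Unit 42's code and reproduces nothing from the Screening Serpens toolset), the following Python scanner parses .NET Framework application config files for a configured AppDomainManager and tags each hit with the sideloading and writability signals a hunter would pivot on next. It assumes the documented .NET Framework behaviour that the CLR honors <runtime><appDomainManagerAssembly> and <appDomainManagerType> from <name>.exe.config. The two config samples, the 'Legit.exe' / 'Manager.dll' / 'Other.exe' file names and the temporary directory are constructed for the demo.

```python
"""Static hunt for AppDomainManager hijacking in .NET Framework app configs.

Added example, not Unit 42's code. Assumes the documented .NET Framework
behaviour: the CLR reads <runtime><appDomainManagerAssembly value=.../> and
<appDomainManagerType value=.../> from <name>.exe.config and loads that
assembly before Main() runs. Sample configs and file names are constructed.
"""
import os
import tempfile
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed sample: an ordinary config that only pins the runtime version.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>
"""

# Constructed sample of the hijack shape: the config points the CLR at an
# attacker-supplied assembly and type that run during AppDomain initialization.
HIJACK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Manager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Manager.Loader"/>
  </runtime>
</configuration>
"""


@dataclass
class Finding:
    config_path: str
    assembly: str
    type_name: str
    reasons: List[str] = field(default_factory=list)


def parse_appdomain_manager(config_text: str) -> Optional[Tuple[str, str]]:
    """Return (assembly display name, type name) when the config sets a custom
    AppDomainManager, else None. Legitimate software almost never sets one."""
    runtime = ET.fromstring(config_text).find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (asm.get("value", "") if asm is not None else "",
            typ.get("value", "") if typ is not None else "")


def simple_name(display_name: str) -> str:
    """'Manager, Version=1.0.0.0, ...' -> 'Manager', the DLL the CLR probes for."""
    return display_name.split(",", 1)[0].strip()


def scan_directory(directory: Path) -> List[Finding]:
    """Check every *.exe.config in one directory; tag hits with pivot signals."""
    findings: List[Finding] = []
    for cfg in sorted(directory.glob("*.exe.config")):
        try:
            hit = parse_appdomain_manager(cfg.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # not well-formed XML; the CLR would reject it too
        if hit is None:
            continue
        asm, typ = hit
        f = Finding(str(cfg), asm, typ)
        exe = cfg.with_name(cfg.name[: -len(".config")])
        if asm and cfg.with_name(simple_name(asm) + ".dll").exists():
            f.reasons.append("manager assembly present beside exe (sideload candidate)")
        if exe.exists() and cfg.stat().st_mtime > exe.stat().st_mtime:
            f.reasons.append("config modified after the exe it governs")
        if os.access(directory, os.W_OK):
            f.reasons.append("application directory writable by current user")
        findings.append(f)
    return findings


def build_sample_app_dir(base: Path) -> Path:
    """Constructed layout: a placeholder exe 'installed' an hour ago, a planted
    manager DLL, a hijacking config, and one benign exe/config pair."""
    app = base / "app"
    app.mkdir()
    exe = app / "Legit.exe"
    exe.write_bytes(b"MZ placeholder, not a real PE")
    old = time.time() - 3600
    os.utime(exe, (old, old))  # make the exe older than its config
    (app / "Manager.dll").write_bytes(b"MZ placeholder, not a real PE")
    (app / "Legit.exe.config").write_text(HIJACK_CONFIG, encoding="utf-8")
    (app / "Other.exe").write_bytes(b"MZ placeholder, not a real PE")
    (app / "Other.exe.config").write_text(BENIGN_CONFIG, encoding="utf-8")
    return app


def demo_scan() -> List[Finding]:
    """Build the sample directory in a temp location and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_directory(build_sample_app_dir(Path(tmp)))


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f.config_path}: {f.assembly} / {f.type_name}")
        for r in f.reasons:
            print("  -", r)
```

Pointed at real application directories (for example by walking Program Files and user-profile locations), scan_directory returns only the configs that set a custom AppDomainManager, so the output is short enough to triage by hand; the "modified after" and "writable" reasons are the two that separate an attacker-dropped config from a vendor-shipped one. The script does not verify Authenticode signatures, so the signed-versus-unsigned check on the planted DLL still has to come from the endpoint agent or a separate signature tool.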

For organizations in the technology and defense sectors across the U.S., Israel, the UAE, and the broader Middle East, the practical message is that you are inside the documented target set. Brief staff on the specific lures Unit 42 named — fake job requisitions and spoofed video-conference meeting invitations — because recruiting, HR, and business-development teams are the human attack surface this group is built to reach. Threat-intelligence teams should treat the February 2026 regional conflict as the operational trigger it appears to be: for this actor, geopolitical escalation is a leading indicator of tempo. For CISOs, Screening Serpens is best understood as the Iran entry in the 2026 nation-state cluster, and the through-line for the board is uncomfortable but clear — when a group can make a target's own software disable its protections through a legitimate configuration mechanism, a security model built on 'block known-bad' is structurally losing to adversaries who abuse known-good.


The CyberSignal Analysis

Signal 01 — The Group Is Not Bypassing Defenses, It Is Switching Them Off

Most coverage of an espionage campaign leads with the malware count, and six new RATs is a real number. But the editorial signal in Screening Serpens is the AppDomainManager-hijacking technique, because it changes the defender's problem rather than adding to it. A conventional intrusion fights past a security control — and a security control that is fought past tends to leave traces a defender can detect. Screening Serpens does something categorically different: it manipulates a legitimate .NET initialization mechanism so the target application disables its own security before the malware ever runs. There is no exploit and no flaw in the .NET runtime here — the configuration feature is working as designed. That is why endpoint detection focused on 'malicious behavior' can miss it: the disabling step looks like an ordinary application starting up. Defending against this means treating a quietly disabled in-application protection as hostile until proven otherwise.

Signal 02 — Iran's Move in a Pattern China and DPRK Already Made

Screening Serpens is not an outlier. It is the Iranian instance of a pattern that defined the 2026 nation-state cluster. China's Webworm hid its command-and-control inside Discord and cloud storage; DPRK's Kimsuky leaned on LLM-developed code; and now Iran's Screening Serpens manipulates a legitimate .NET configuration mechanism. Three unrelated state-aligned programs, three different regions, one converging conclusion: abusing a known-good mechanism is quieter, cheaper to maintain, and harder to detect than deploying obviously malicious tooling. The strategic takeaway for security leaders is that this is not three separate problems to be solved with three separate signatures. It is one shift in adversary economics, and the defensive answer is the same across all three: assume legitimate mechanisms will be abused, and build detection around anomalous use of trusted features rather than around catalogues of bad files.

Signal 03 — Geopolitics Is the Forecast for This Actor's Tempo

Unit 42's observation that Screening Serpens increased operations after the regional conflict that began in February 2026 — and shows no signs of slowing as of April — is more than a timeline note. It is a planning input. For an Iran-nexus group conducting espionage aligned with Iranian intelligence objectives, operational tempo is coupled to the geopolitical environment, which means a threat-intelligence team can use regional escalation as a leading indicator of when this actor will be most active. Organizations in the technology and defense sectors across the U.S., Israel, the UAE, and the broader Middle East should treat periods of heightened regional tension as periods of heightened targeting risk, and pre-position their hunting and staff-awareness efforts accordingly. The campaign is a reminder that for state-aligned actors, the threat model is not static — it tracks the news.


Sources

Primary: Palo Alto Networks Unit 42 — Tracking the Iran-Nexus APT Screening Serpens
Reporting: Cybersecurity Dive — Iranian Cyber-Espionage Targets U.S., Israel, and UAE Entities
Analysis: Industrial Cyber — Researchers Warn of Escalating Cyber Threats From Iranian Hackers
Related: The CyberSignal — Webworm: A China-Nexus APT Moved Its C2 Onto Discord and OneDrive
Related: The CyberSignal — Showboat: A China-Nexus Telecom-Espionage Operation and the JFMBackdoor
Related: The CyberSignal — Kimsuky Deploys LLM-Developed Malware Against the Defense Sector
Related: The CyberSignal — MuddyWater Pairs Chaos Ransomware With a False-Flag Misdirection
Related: The CyberSignal — Symantec's Fast16 Research Into Pre-Stuxnet Sabotage Tooling