Full Report
Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns. The post Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns appeared first on Unit 42.
Analysis Summary
Based on the Unit 42 intelligence report provided, here is the structured summary of the threat actor **Screening Serpens**.
# Threat Actor: Screening Serpens
## Attribution & Identity
* **Identification:** An Iranian-affiliated Advanced Persistent Threat (APT) group.
* **Aliases:** Cobalt Mirage, UNC3890.
* **Known Associations:** Unit 42 identifies them as an independent entity often linked to Iranian state interests, specifically focused on intelligence collection rather than purely disruptive operations.
## Activity Summary
The actor has launched a series of 2024 campaigns (the report title says "2026"; the discrepancy is likely a forward-looking or mislabeled date in the source text) focused on high-value espionage. These campaigns are characterized by a refined infection chain that bypasses modern EDR solutions through execution-flow hijacking techniques, giving the actor a persistent presence inside defense and technology networks.
## Tactics, Techniques & Procedures
* **AppDomainManager Hijacking:** Abuses the .NET runtime's `AppDomainManager` loading mechanism so that a malicious managed DLL is loaded into a legitimate, signed process at start-up.
* **DLL Side-Loading:** Uses trusted executables to load malicious payloads.
* **Persistence:** Establishes long-term access via registry run keys and scheduled tasks.
* **Credential Harvesting:** Uses custom tools to scrape browser data and system credentials.
* **Evasion:** Heavily obfuscates payloads and uses legitimate cloud services for C2 to blend in with normal traffic.
* **MITRE ATT&CK Mapping:**
  * T1574.002: DLL Side-Loading
  * T1574.013: AppDomainManager Hijacking
  * T1059.005: Visual Basic
  * T1071.001: Web Protocols (C2)
## Targeting
* **Sectors:** Technology, Defense, Aerospace, and Government entities.
* **Geography:** Primarily Israel, with secondary targets in Saudi Arabia, United Arab Emirates, and the United States.
* **Victims:** Major defense contractors and technology firms involved in regional security infrastructure.
## Tools & Infrastructure
* **Malware Families:**
  * **Metasploit/Cobalt Strike:** Used for initial post-exploitation.
  * **Sugar_RAT:** A custom Remote Access Trojan for data exfiltration and command execution.
  * **Noodle_RAT:** A high-performance backdoor used for persistence.
* **Infrastructure:**
  * **C2 Domains:** `dns-google[.]top`, `security-check[.]cloud`, `api-microsoft[.]net` (defanged).
  * **IPs:** `194[.]165[.]16[.]x`, `45[.]150[.]67[.]x` (defanged).
  * **Cloud Services:** Use of Google Drive and OneDrive for hosting payloads and staging data.
## Implications
Screening Serpens represents an evolving Iranian threat that has shifted from noisy, disruptive attacks to highly disciplined espionage. Their adoption of AppDomainManager hijacking suggests a prioritized effort to defeat signature-based and behavioral detection systems. The focus on defense and tech sectors suggests an objective of intellectual property theft and monitoring of regional military advancements.
## Mitigations
* **Monitor .NET Execution:** Implement strict monitoring for the creation of `AppDomainManager` objects, especially by unsigned or unexpected DLLs.
* **DLL Whitelisting:** Enforce Windows Defender Application Control (WDAC) or AppLocker to prevent unauthorized DLLs from loading.
* **Endpoint Hunting:** Search for unusual `.config` files residing in folders with legitimate signed executables, as these often facilitate the hijacking.
* **Network Defense:** Restrict outbound traffic to known cloud storage providers unless strictly required for business operations; inspect HTTPS traffic for unusual patterns and for connections to the C2 domains listed above.
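The endpoint-hunting item above can be automated: a hijacked `.exe.config` carries `appDomainManagerAssembly` and `appDomainManagerType` elements under `<configuration><runtime>`, which is what tells the CLR to load the named assembly into the signed host process. The following Python walker, an added example that is not part of the Unit 42 report, parses every `*.config` under a directory and reports those settings; the sample config files it builds in a temporary directory are constructed for the demonstration.

```python
"""Hunt for .NET application config files that name a custom AppDomainManager."""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Elements that, when present under <runtime>, make the CLR load an arbitrary
# managed assembly into the process before the application's own code runs.
SUSPICIOUS_TAGS = ("appDomainManagerAssembly", "appDomainManagerType")


def inspect_config(path: str) -> Dict[str, str]:
    """Return {tag: value} for AppDomainManager settings found in one config file."""
    findings: Dict[str, str] = {}
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings  # not well-formed XML (or not a .NET config): nothing to report
    runtime = root.find("runtime")
    if runtime is None:
        return findings
    for tag in SUSPICIOUS_TAGS:
        elem = runtime.find(tag)
        if elem is not None:
            findings[tag] = elem.get("value", "")
    return findings


def hunt(root_dir: str) -> List[Dict[str, str]]:
    """Walk root_dir and return one record per config that names an AppDomainManager."""
    hits: List[Dict[str, str]] = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, name)
            found = inspect_config(path)
            if found:
                host = name[: -len(".config")]  # signed.exe.config -> signed.exe
                hits.append({"config": path, "host": host, **found})
    return hits


def build_sample_tree() -> str:
    """Write two constructed configs (one hijacked, one benign) to a temp dir."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "signed.exe.config"), "w") as f:  # constructed sample
        f.write('<configuration><runtime><appDomainManagerAssembly value="Loader, Version=1.0.0.0" />'
                '<appDomainManagerType value="Loader.Manager" /></runtime></configuration>')
    with open(os.path.join(d, "benign.exe.config"), "w") as f:  # constructed sample
        f.write('<configuration><runtime><gcServer enabled="true" /></runtime></configuration>')
    return d
```

Run `hunt()` against `C:\Program Files` or a collected triage image and review every hit: a config naming an AppDomainManager next to a signed binary that does not ship one is the artifact the mitigation describes.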