Palo Alto Networks Unit 42 (the threat intelligence research arm of Palo Alto Networks) has published detailed analysis of Screening Serpens, an Iran-nexus advanced persistent threat (APT) group, documenting a significant evolution in the group's 2026 espionage campaigns. For the first time, Screening Serpens has combined its established DLL sideloading technique with AppDomainManager hijacking, an abuse of the .NET Framework runtime's start-up sequence, and deployed two new Remote Access Trojan (RAT) variants, MiniJunk and MiniUpdate, against technology and defence sector targets in at least five countries.
// 01 Technical Details: AppDomainManager Hijacking
AppDomainManager hijacking manipulates the initialisation phase of .NET Framework applications (programs built on Microsoft's .NET Framework; the hook does not exist in .NET Core and later) so that attacker code runs before the application's own entry point. Understanding why this is significant requires a brief explanation of .NET's AppDomain architecture.
In the .NET Framework runtime, every application executes within an AppDomain, an isolation container that enforces security policy, handles exception propagation, and manages assembly loading. Before the runtime hands control to the application's Main method, it reads the application's configuration file (the <name>.exe.config file sitting next to the executable), whose <runtime> section can name a custom AppDomainManager, the class that manages the AppDomain's lifecycle, through the appDomainManagerAssembly and appDomainManagerType elements; the same values can also be supplied through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables. If an attacker can place a configuration file naming their assembly, together with that assembly, in the application's directory, the runtime will load and instantiate the attacker's AppDomainManager with the same privileges as the target application, before any of the application's own code runs.
Screening Serpens exploits this mechanism with precision: the group delivers a legitimate, often signed, .NET application (frequently impersonating a software updater or business tool) alongside a malicious .config file that points to an attacker-controlled AppDomainManager assembly dropped in the same directory. When the victim runs the legitimate application, the runtime instantiates the malicious AppDomainManager first, so the attacker's code executes inside a trusted process, under the legitimate binary's identity, before the application itself starts and before any of its own defences are initialised. In effect, the application's own runtime environment becomes the loader for the implant.
This technique is particularly effective because:
- It uses legitimate .NET runtime behaviour rather than exploiting a vulnerability
- The malicious configuration file is an XML file, not an executable, and may bypass file-type-based detection; the payload assembly it names is an ordinary .NET DLL
- Code executed via AppDomainManager inherits the process trust level of the parent application
- Many endpoint security products do not alert on AppDomainManager loading events
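The following Python script is an added example (not code from Unit 42's report or from the original article) showing what a hijacking .exe.config looks like and how to triage one. The embedded config is constructed: the assembly name UpdateHelper, the type UpdateHelper.Manager and the Downloads path are hypothetical. The script pulls out the two <runtime> elements the CLR acts on, works out where the runtime would have to find the named assembly, and explains why a non-strong-named assembly referenced from a user-writable directory is the hijack shape.

```python
"""Triage a .NET Framework <app>.exe.config for AppDomainManager redirection.

Added example, not code from the Unit 42 report. The config below is
constructed: 'UpdateHelper' and 'UpdateHelper.Manager' are hypothetical names.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample of a config an attacker would drop beside a legitimate
# Updater.exe. Only the two <runtime> children shown matter to the CLR here.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>
"""

# Directories an unprivileged user can normally write to (lower-case prefixes).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\temp\\")


def parse_appdomain_manager(config_xml: str) -> Optional[tuple]:
    """Return (assembly display name, type name) if the config redirects the
    AppDomainManager, else None. Both elements are required for the hook."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return asm.get("value"), typ.get("value")


def public_key_token(display_name: str) -> Optional[str]:
    """Extract PublicKeyToken from 'Name, Version=..., Culture=..., PublicKeyToken=...'."""
    for part in display_name.split(",")[1:]:
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "publickeytoken":
            return val.strip()
    return None


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(low.startswith(p) for p in USER_WRITABLE_PREFIXES)


def assess(config_path: str, config_xml: str) -> dict:
    """Decide whether one config file looks like a hijack and where the
    runtime would probe for the manager assembly."""
    parsed = parse_appdomain_manager(config_xml)
    if parsed is None:
        return {"hijack": False, "reasons": []}
    asm_name, type_name = parsed
    app_dir = PureWindowsPath(config_path).parent
    simple = asm_name.split(",")[0].strip()
    # A non-GAC assembly is probed in the application base directory as <simple>.dll.
    probe_path = app_dir / f"{simple}.dll"
    reasons = ["appDomainManagerAssembly and appDomainManagerType present"]
    token = public_key_token(asm_name)
    if token is None or token.lower() == "null":
        reasons.append("assembly is not strong-named, so it cannot come from the GAC "
                       "and must be loaded from the application directory")
    if is_user_writable(str(app_dir)):
        reasons.append(f"application directory is user-writable: {app_dir}")
    return {"hijack": True, "assembly": asm_name, "type": type_name,
            "probe_path": str(probe_path), "reasons": reasons}


if __name__ == "__main__":
    verdict = assess(r"C:\Users\alice\Downloads\Updater.exe.config", SAMPLE_CONFIG)
    for reason in verdict["reasons"]:
        print("-", reason)
    print("runtime would probe:", verdict["probe_path"])
```

The PublicKeyToken check matters because a strong-named assembly can be resolved from the Global Assembly Cache, whereas PublicKeyToken=null forces the runtime to probe the application base directory, which is exactly where an attacker who can only write next to the executable needs it to look.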
// 02 MiniJunk and MiniUpdate: New RAT Variants
Unit 42 documented two new RAT families deployed by Screening Serpens in 2026 campaigns:
MiniJunk — A multi-functional RAT with capabilities including keylogging (recording all keystrokes typed on the victim system), screen capture, file enumeration and exfiltration, and interactive command execution. MiniJunk uses encrypted communications channels to its command-and-control (C2 — the attacker-controlled server infrastructure used to issue commands and receive stolen data from compromised systems) infrastructure, and implements anti-analysis techniques to hinder sandbox detonation and reverse engineering.
MiniUpdate — A smaller, modular implant designed to masquerade as a legitimate software update mechanism. MiniUpdate's primary role appears to be persistence and payload delivery: it maintains a connection to C2 infrastructure and downloads additional tools or updates to MiniJunk based on attacker commands. The naming convention ("Mini" + function descriptor) suggests the malware family may have additional variants not yet publicly identified.
Both RATs are deployed via the AppDomainManager hijacking chain after initial access is achieved through social engineering lures.
// 03 Social Engineering: Tailored Lures
Screening Serpens' initial access methodology has evolved significantly in 2026. The group now creates deeply personalised lures tailored to individual targets — a resource-intensive approach consistent with a state-directed intelligence collection operation. Documented lure types include:
- Fake job requisitions — crafted to match the target's professional background, impersonating recruiters from technology and defence companies. A software engineer with a public LinkedIn profile showing specialisation in a particular technology might receive a targeted fake job offer document that exploits their specific expertise as the pretext.
- Spoofed video conferencing invitations — impersonating Zoom, Microsoft Teams, or Google Meet meeting invitations, often purporting to be from professional contacts or conference organisers.
The personalisation of these lures — which requires prior OSINT (Open-Source Intelligence — gathering information about a target from publicly available sources such as LinkedIn, GitHub, and conference attendee lists) activity — indicates that Screening Serpens conducts significant reconnaissance before initiating attacks, consistent with a targeted intelligence collection mandate rather than opportunistic cybercrime.
// 04 Campaign Scope and Targets
Unit 42 identified Screening Serpens campaign activity targeting organisations in at least five countries across the technology and defence sectors. The group has increased its operational tempo since a regional conflict began in February 2026, a pattern consistent with Iranian APT groups escalating cyber espionage during periods of geopolitical tension.
The technology sector targeting likely focuses on intellectual property theft — source code, proprietary algorithms, product roadmaps, and customer data — while defence sector targeting aims at classified or sensitive programme information, personnel data, and military technology. Iranian APT groups have historically targeted aerospace, defence, nuclear, and telecommunications organisations as part of state intelligence priorities.
MITRE ATT&CK techniques observed in Screening Serpens 2026 campaigns include:
- T1574.014 — Hijack Execution Flow: AppDomainManager (the core novel technique)
- T1574.002 — DLL Side-Loading (established Screening Serpens technique)
- T1566.001 — Spearphishing Attachment (initial access via crafted documents)
- T1056.001 — Keylogging (MiniJunk capability)
// 05 Who Is Affected
Technology and defence sector organisations across Western and Middle Eastern countries are the primary targets based on Unit 42's analysis. Organisations with the following characteristics face elevated risk:
- Technology companies with significant R&D programmes or government contracts
- Defence contractors and aerospace companies
- Organisations with prominent public-facing employee profiles on LinkedIn and GitHub (higher OSINT exposure)
- Organisations connected to the regional conflict that began in February 2026
// 06 What You Should Do Right Now
- Implement AppDomainManager detection — configure your EDR (Endpoint Detection and Response platform) or SIEM (Security Information and Event Management, a centralised log analysis and alerting system) to alert on the creation or modification of .exe.config files in user-writable directories, particularly .config files containing appDomainManagerAssembly or appDomainManagerType entries, and on .NET processes started with the APPDOMAIN_MANAGER_ASM or APPDOMAIN_MANAGER_TYPE environment variables set, which reach the same hook without a config file.
- Detect DLL sideloading patterns — alert on signed binaries loading unsigned DLLs from user-writable directories. Legitimate applications load their dependencies from System32 or from their own protected installation directory; sideloading typically involves an unexpected, unsigned DLL sitting beside a copied legitimate executable in a directory the user can write to, such as Downloads or Temp.
- Restrict execution of .NET applications from user-accessible directories — use application control policies to prevent .NET assembly execution from Downloads, Temp, and other user-profile directories.
- Conduct LinkedIn OSINT awareness training — brief employees in technology and defence roles that their public profiles are research sources for targeted phishing campaigns. Restricting profile visibility or using privacy settings reduces attacker reconnaissance surface.
- Verify software update processes — MiniUpdate masquerades as a software updater. Verify that all software update binaries in your environment are properly signed by their vendor and that update processes are launched only from known-good, integrity-verified paths.
- Hunt for MiniJunk and MiniUpdate IOCs — Unit 42's full report contains file hashes, network IOCs, and behavioural indicators. Import these into your threat intelligence platform and cross-reference against historical endpoint telemetry.
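As an added example (not from Unit 42's report), the Python below runs the first two recommendations as detection logic over constructed Sysmon-style events: Event ID 7 (ImageLoaded) records for the sideloading rule and Event ID 11 (FileCreate) records for the .exe.config drop rule. All paths and file names in EVENTS are hypothetical sample data, not indicators from the report. Note that Event ID 7 does not carry the signature status of the loading process, so the rule keys on the unsigned DLL and on its location next to the executable rather than on the parent being signed; that enrichment would come from the process-creation event.

```python
"""Flag DLL sideloading and .exe.config drops in Sysmon-style telemetry.

Added example, not from the Unit 42 report. EVENTS is constructed sample data
modelled on Sysmon Event ID 7 (ImageLoaded) and 11 (FileCreate); the file
names and paths are hypothetical, not indicators from the report.
"""
from pathlib import PureWindowsPath

# Directories an unprivileged user can normally write to (lower-case prefixes).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\temp\\")

EVENTS = [
    # Legitimate dependency: signed Microsoft DLL from System32.
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Updater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Sideload: unsigned DLL beside a copied executable in Downloads.
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Updater.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll",
     "Signed": "false", "Signature": ""},
    # Unsigned DLL, but from a protected install directory: suppressed by the path rule.
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\Tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "false", "Signature": ""},
    # Config dropped next to the executable in Downloads: inspect its <runtime> section.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Updater.exe.config"},
    # Installer writing a config under Program Files: normal.
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Program Files\Vendor\Tool.exe.config"},
]


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(low.startswith(p) for p in USER_WRITABLE_PREFIXES)


def detect(events):
    """Return (rule, process image, file) tuples for events matching either rule."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 7:
            dll = ev["ImageLoaded"]
            # Rule 1: unsigned DLL loaded from a user-writable directory that is
            # also the directory of the executable (the sideloading shape).
            if not dll.lower().endswith(".dll") or ev["Signed"].lower() != "false":
                continue
            same_dir = PureWindowsPath(dll).parent == PureWindowsPath(ev["Image"]).parent
            if same_dir and is_user_writable(dll):
                alerts.append(("dll_sideload", ev["Image"], dll))
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"]
            # Rule 2: a .NET application config created in a user-writable
            # directory; follow up by checking it for appDomainManagerAssembly.
            if target.lower().endswith(".exe.config") and is_user_writable(target):
                alerts.append(("exe_config_drop", ev["Image"], target))
    return alerts


if __name__ == "__main__":
    for rule, image, path in detect(EVENTS):
        print(f"{rule}: {image} -> {path}")
```

The path allow-list is deliberately narrow: unsigned DLLs under Program Files are common for third-party software, so the rule trades some coverage for a much lower alert volume, and the config rule is an investigation trigger rather than a verdict, since a legitimate application may also ship an .exe.config.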
// 07 Background: Understanding the Risk
Iran's cyber espionage ecosystem has expanded significantly in the past three years, with multiple APT groups — tracked by different vendors as Charming Kitten, APT42, Mint Sandstorm, Peach Sandstorm, and numerous Serpens-designated groups — conducting persistent campaigns against Western and allied government, technology, and defence targets. Screening Serpens is one of the more technically sophisticated groups in this ecosystem, demonstrated by its adoption of the AppDomainManager hijacking technique.
AppDomainManager hijacking was publicly documented as an offensive technique by security researchers years before these campaigns and has since been incorporated into the tradecraft of multiple APT groups. Its adoption by Screening Serpens is another instance of publicly available offensive research being operationalised in state-sponsored campaigns, a trend that continues to shorten the distance between a published technique and its use against real targets.
Unit 42 notes that "as of April 2026, Screening Serpens activity shows no signs of slowing down and has continued to orchestrate sustained, adaptive global cyber campaigns." The group's consistent adaptation — adopting new techniques while maintaining established tooling, and personalising lures with operational research — is indicative of a professionally managed intelligence collection operation, not opportunistic hackers.
For defenders in technology and defence sectors: the combination of precise targeting, novel execution techniques, and social engineering that matches individual employees' professional contexts means that perimeter-focused defences alone are insufficient. Behavioural detection on endpoints, user awareness of targeted social engineering, and threat intelligence sharing with peers in the sector are essential components of an effective defensive posture against Screening Serpens.
// 08 Conclusion
Screening Serpens is escalating in 2026, combining AppDomainManager hijacking with DLL sideloading to deliver MiniJunk and MiniUpdate RATs against technology and defence sector targets. Technology and defence organisations should implement AppDomainManager detection rules, restrict .NET execution from user directories, and review Unit 42's full threat brief for current indicators of compromise.
For any query contact us at contact@cipherssecurity.com
