An Iran-linked cyber-espionage group tracked as Screening Serpens, also known as UNC1549, Nimbus Manticore and Smoke Sandstorm, is deploying newly identified remote access Trojans (RATs) in highly tailored spear-phishing operations against high-value targets in the U.S., Israel, the United Arab Emirates and other Middle Eastern countries, according to research from Palo Alto Networks’ Unit 42 reported by Cybersecurity Dive[2].
Unit 42 has documented six new RATs grouped into two malware families, including one dubbed MiniJunk V2, which the group has used in espionage campaigns against “high-value sectors” such as aerospace, defense and telecommunications[2]. In February and March, MiniJunk V2 was observed in attacks that targeted an IT professional in the Middle East, following months of reconnaissance in which the operators monitored the victim’s job-hunting activity and then sent a bespoke lure containing a spoofed recruitment link that mimicked a well-known employment site[2].
A second malware family, referred to as MiniUpdate, surfaced in late March campaigns aimed at U.S. and Israeli organizations, followed by a mid-April wave that appeared to target entities in the UAE and at least one other Middle Eastern country[2]. In these operations, Screening Serpens masqueraded as a major aviation company in spear-phishing emails sent to U.S. targets, while in the Middle East the actors impersonated a healthcare organization and then a financial-services firm to entice recipients to execute the payloads[2].
Researchers describe the hallmarks of the recent campaigns as “deep personalization” and sophisticated social engineering, with lures crafted as fake job requisitions and spoofed video conferencing invitations designed to align with the victim’s role and interests[2]. By relying on highly convincing pretexts rather than exploiting specific software vulnerabilities, the operators increase the likelihood that targets will initiate the infection chain themselves, enabling the RATs to establish persistent remote access and conduct espionage without immediately triggering technical alarms[2].
The activity fits a broader pattern of Iranian state-aligned cyber operations that emphasize long-term access and strategic prepositioning. In a separate case, Fortinet’s FortiGuard Incident Response team detailed how an unnamed Iranian state-sponsored group maintained access for nearly two years to a Middle Eastern critical national infrastructure organization, using stolen VPN credentials, web shells and multiple backdoors to support extensive espionage and potential future disruption[1]. U.S. policymakers and analysts have also warned that Iranian operators are probing and, in some cases, compromising critical infrastructure in the United States, including fuel distribution systems, as part of a sustained campaign to pressure Washington and its allies[4].
Unit 42 assesses that Screening Serpens has “increased its operations” since the onset of the recent U.S.-Israeli conflict and continues to run “sustained, adaptive global cyber campaigns,” warning that organizations should expect further attempts in the near term[2]. For defenders in aerospace, defense, telecommunications and other targeted sectors, the findings underscore the need to harden email and identity systems, scrutinize unsolicited recruitment and meeting invitations, and ensure endpoint and network monitoring can detect unfamiliar RAT families like MiniJunk V2 and MiniUpdate before they become entrenched[2].
