Iranian government-backed hackers are using spear-phishing attacks and remote access Trojans (RATs) to spy on “high-value sectors” in the U.S. and the Middle East as part of Tehran’s response to the U.S.-Israeli war, according to Palo Alto Networks.
The company’s Unit 42 researchers recently discovered six new RATs that an Iran-linked group the researchers call Screening Serpens has used for espionage purposes. The group “has increased its operations” since the war began, the researchers said, and malware metadata suggests that it has attacked “targets across the U.S., Israel and the [United Arab Emirates] as well as two additional Middle Eastern entities.”
Screening Serpens — which other researchers call UNC1549, Smoke Sandstorm and Nimbus Manticore — has “consistently set its sights on high-value sectors,” Palo Alto Networks said, especially in the aerospace, defense and telecommunications industries.
“A defining characteristic of these recent campaigns is the deep personalization of the attackers’ lures,” researchers wrote. “By leveraging tailored social engineering tactics, including fake job requisitions and spoofed video conferencing meeting invitations, the attackers lure victims into initiating the infection chain, thereby exposing their organizations to further exploitation.”
The new report is the latest evidence that Iran is seeking to maximize its use of cyberspace to fight back against the U.S. and its allies as the war drags into its fourth month. Hacking groups linked to Tehran previously have been spotted attacking Middle Eastern city governments and U.S. infrastructure operators.
Malware paired with diligent planning
The six new RATs were part of two malware families. The first, MiniUpdate, surfaced in two campaigns in late March that targeted U.S. and Israeli organizations, followed by a mid-April campaign that appears to have targeted organizations in the UAE and possibly a second Middle Eastern country. According to Palo Alto Networks’ report, the U.S. campaign involved customized spear-phishing lures in which the hackers impersonated a major aviation company, while, in the Middle Eastern attacks, the hackers first impersonated a health-care organization and then impersonated a financial-services firm.
In February and March, researchers detected attacks involving RATs belonging to a second malware family, MiniJunk V2. The February attacks targeted an IT professional working in the Middle East and involved months of planning and research, with malware development beginning in late 2025 as the hackers studied the target’s attempts to find a new job.
“The threat actor conducted careful reconnaissance, exploiting the target’s active job-hunting footprint to engineer a customized lure,” Palo Alto Networks said. “To establish legitimacy and coerce the target to execute their payload, the attackers shared a spoofed recruitment URL from a legitimate, well-known employment website.”
Screening Serpens “has continued to orchestrate sustained, adaptive global cyber campaigns” as of April, according to the report. “Organizations may expect further attempts in the near term and should harden their defensive posture to prepare for potential compromise attempts.”