Unit 42 Shows How Iranian Hackers Hide Behind Job Postings

In modern warfare, a large part of the fighting is done away from the battlefield. Cyberspace is now a frontier of war, alongside land, sea, air and space.
This is certainly the case for the unfolding conflict in the Middle East. Researchers have uncovered an Iranian advanced persistent threat (APT) group in action targeting organisations across the US, Israel and UAE.
Palo Alto Networks’ Unit 42 stumbled upon a sophisticated cyber espionage campaign linked to Screening Serpens – who also go by aliases such as Smoke Sandstorm, Iranian Dream Job and UNC1549.
The latest findings from Unit 42 point to the threat group deploying six new remote access Trojan (RAT) variants between February and April 2026.
Researchers believe additional entities across the Middle East may also have been affected.
The growing sophistication of the attackers is cause for concern: the Unit 42 team sees a significant evolution in cyber warfare tactics, particularly through the use of AppDomainManager hijacking.
With this technique, a .NET application is manipulated into disabling its own security mechanisms during start-up, allowing the deployed malware to execute freely.
“As APT groups like Screening Serpens continue to evolve and leverage advanced frontier AI technologies, legacy endpoint security solutions are no longer enough,” says Elad Koren, VP of Product Management at Palo Alto Networks.
“Modern organisations now require defensive postures that transition toward multi-layered, behavioural-based strategies that look beyond simple file signatures.
“By focusing on identifying inherently anomalous behaviours at the point of installation, in this case AppDomain Hijacking or the disabling of system telemetry, defenders can effectively intercept sophisticated attack chains before they take root.
“Monitoring application logic and behaviour is now foundational to proactive threat prevention.”
Sophisticated recruitment lures target tech pros
Borrowing a highly successful page from the North Korean playbook, researchers found that Screening Serpens relied heavily on personalised phishing attacks which came disguised as legitimate recruitment opportunities.
Fake hiring portals, spoofed employment websites and tailored job descriptions worked in combination to trick technology and engineering professionals into downloading malicious files.
In one of the campaigns, attackers impersonated a global airline and distributed fake job applications containing malware-laden ZIP files.
Another relied on fraudulent recruitment links crafted to closely resemble trusted employment platforms.
The extent of personalisation within these tactics tells the story of extensive reconnaissance that attackers carried out on intended victims before launching the attacks.
Malware families identified in the Unit 42 report are named MiniUpdate – a newly discovered family – and MiniJunk V2 – an evolved iteration of MiniJunk.
Crafted to establish persistence on infected systems, these payloads steal sensitive data and allow attackers to remotely execute commands on infected devices.
The campaigns made use of Azure-hosted command-and-control infrastructure, helping malicious traffic blend in with legitimate cloud activity.
Security researchers noted that the threat actors demonstrated a continuous cycle of malware development and deployment throughout the conflict period, adapting techniques and rotating infrastructure to improve resilience and reduce detection rates.
Behavioural threat detection becomes critical
The report from Palo Alto Networks is a stark warning that conventional antivirus and signature-based detection systems are struggling to keep pace with increasingly adaptive state-sponsored cyber threats.
Instead of relying solely on known malware indicators, experts are urging organisations to strengthen behavioural monitoring capabilities that can identify suspicious activity patterns in real time.
Unit 42 researchers specifically recommended increased monitoring for DLL sideloading and AppDomainManager hijacking techniques, both of which played a central role in the recent campaigns.
It is important to note that by exploiting trusted applications and legitimate configuration files, attackers were able to bypass many traditional security controls – in this campaign, literally overriding device security mechanisms.
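A defender's check for the AppDomainManager hijacking technique the researchers recommend monitoring for, as an added example that is not code from the Unit 42 report or Palo Alto Networks: it parses .NET application config files for the documented appDomainManagerAssembly / appDomainManagerType settings, which instruct the CLR to load a named assembly before the application's own code runs. The file paths and assembly names in the sample configs are constructed placeholders.

```python
"""Hunt for AppDomainManager hijacking settings in .NET app config files.
Added illustrative check, not Unit 42's code. It relies on documented CLR
behaviour: <runtime> may name an appDomainManagerAssembly/appDomainManagerType
that the runtime loads before the app's own entry point (what the hijack abuses)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
WATCHED = {"appdomainmanagerassembly", "appdomainmanagertype"}

def _local(tag: str) -> str:
    """Strip any XML namespace so <runtime> children compare by local name."""
    return tag.rsplit("}", 1)[-1].lower()

def find_appdomain_manager(config_xml: str) -> Optional[Dict[str, str]]:
    """Return the assembly/type a config sets as AppDomainManager, else None.
    Unparseable XML is returned as a finding: an odd config deserves a look."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return {"error": f"unparseable config: {exc}"}
    found: Dict[str, str] = {}
    for node in root.iter():
        if _local(node.tag) != "runtime":
            continue
        for child in node:  # direct children of <runtime>
            name = _local(child.tag)
            if name in WATCHED:
                key = "assembly" if name.endswith("assembly") else "type"
                found[key] = child.get("value", "")
    return found or None

def scan_configs(configs: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan a mapping of path -> config text and list suspicious entries."""
    hits = []
    for path, xml_text in configs.items():
        hit = find_appdomain_manager(xml_text)
        if hit:
            hits.append({"path": path, **hit})
    return hits

# Constructed sample inputs: one benign config, one with an injected manager.
SAMPLE_CONFIGS = {
    r"C:\Tools\benign\benign.exe.config": """<?xml version="1.0"?>
<configuration><startup><supportedRuntime version="v4.0" /></startup></configuration>""",
    r"C:\Users\Public\updater\updater.exe.config": """<?xml version="1.0"?>
<configuration><runtime>
  <appDomainManagerAssembly value="PLACEHOLDER_ASM, Version=1.0.0.0, PublicKeyToken=null" />
  <appDomainManagerType value="PLACEHOLDER_TYPE" />
</runtime></configuration>""",
}
```

In practice the same check is run over every *.exe.config found under application directories, and any hit is correlated with the process that loaded it; a legitimate AppDomainManager is rare enough on endpoints that each finding merits review.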
The Unit 42 warning is clear: Screening Serpens activity shows no sign of slowing down, with the group maintaining a high operational tempo throughout March and April 2026.
Researchers believe further attacks targeting technology, defence and telecommunications sectors are likely in the near future.
As geopolitical tensions rise and spill over into cyber warfare, these findings serve as yet another reminder that cyber espionage campaigns are becoming more advanced, more targeted and increasingly difficult to detect without proactive, behaviour-driven security strategies.