Screening Serpens is an Iran-nexus cyberespionage threat actor active since at least 2022 and tracked by multiple vendors as UNC1549, Smoke Sandstorm, and Iranian Dream Job. The group is assessed to operate in support of Iranian intelligence objectives and focuses on long-term clandestine access for intelligence collection rather than disruptive or destructive operations. The actor has targeted organizations and professionals in aerospace, defense, technology, telecommunications, satellite communications, research and development, and defense logistics. Reported victim geography includes the United States, Israel, the United Arab Emirates, other Middle Eastern countries, and parts of Western Europe including the United Kingdom, France, and Germany. Its operations commonly center on high-value personnel and enterprises likely to hold strategic, technical, or defense-related information. Screening Serpens is particularly associated with highly tailored social engineering, especially recruitment-themed lures and fake meeting or conferencing invitations. This tradecraft aligns with the broader “Dream Job” style of targeting, in which prospective employment opportunities are used to induce execution of malicious files. The group has repeatedly impersonated trusted brands and professional workflows to increase plausibility and reduce suspicion. Observed intrusion chains rely on user execution followed by DLL sideloading through legitimate signed applications, allowing malicious modules to run under the cover of trusted binaries. A notable evolution in the group’s tradecraft is the use of AppDomainManager hijacking in .NET applications via modified configuration files so malicious code executes very early in application startup. This technique has been used to weaken native protections, including security telemetry and strong-name validation controls, before the host application fully initializes. Persistence has been established through mechanisms including Registry Run Keys and scheduled tasks. The group has deployed multiple remote access trojan variants across malware clusters reported under names including MiniBike and MiniBus, as well as MiniUpdate and MiniJunk V2. Across these families, analysts have observed rapid variant turnover, limited but deliberate code changes to frustrate signature-based detection, heavy obfuscation in some samples, and rotating cloud-hosted command-and-control infrastructure. Capabilities attributed to these implants include command execution, process control, DLL loading, file collection, and staged or chunked exfiltration of sensitive documents and internal communications. A recurring operational characteristic is the use of HTTPS command-and-control over cloud infrastructure, particularly services hosted on Microsoft Azure, which can blend with legitimate enterprise traffic and complicate network-based detection. Behavioral patterns repeatedly associated with the actor include spearphishing-driven initial access, trusted binary proxy execution through DLL sideloading, .NET configuration abuse for early-stage code execution, stealthy persistence, and sustained espionage-oriented data theft. Known aliases include UNC1549, Smoke Sandstorm, and Iranian Dream Job.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
Attributed origin per open-source reporting.
36 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
4 malware families attributed to this actor across reporting.
18 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Iran-linked cyber-espionage group active since at least 2022, targeting aerospace, defense, technology, R&D, satellite communications, and defense logistics organizations via Dream Job-style spear-phishing to gain long-term covert access for intelligence collection.
Iran-linked cyberespionage group conducting spear-phishing and social-engineering campaigns using fake job listings and spoofed meeting invitations to target aerospace, defense manufacturing, and telecommunications organizations. In 2026 it deployed MiniUpdate and MiniJunk V2 RAT variants and used AppDomainManager hijacking, ETW disabling, strong-name signature validation bypass, DLL sideloading, scheduled-task persistence, and Azure-hosted C2 infrastructure.
Iran-linked espionage activity targeting the U.S., Israel, the UAE, and other Middle Eastern countries using multiple cyberespionage techniques.
Cyber espionage campaign active from mid-February through April 2026 targeting multiple nations, especially strategic targets. The group uses tailored recruitment-themed social engineering lures, fake job requisitions, and spoofed video conferencing invitations to gain initial access, then combines DLL sideloading with AppDomain Manager hijacking to deploy remote access trojans and exfiltrate sensitive data.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.