Iranian APT Screening Serpens Uses AppDomainManager Hijacking in Espionage Campaigns
Palo Alto Networks Unit 42 reports that the Iranian APT group Screening Serpens is actively employing sophisticated techniques, including AppDomainManager hijacking and new Remote Access Trojan (RAT) variants, in recent espionage campaigns. This marks a significant escalation in the group's operational tradecraft, moving beyond typical phishing lures to stealthier and more persistent methods.
The primary targets of these campaigns are organizations in the technology and defense sectors. Screening Serpens' focus on these industries points to a strategic objective of acquiring sensitive intellectual property and strategic intelligence rather than financial gain. AppDomainManager hijacking is particularly concerning because it abuses a legitimate .NET runtime feature: a .NET executable will load and instantiate a custom AppDomainManager named in its <exe>.config file (or in the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables), so an attacker who can drop a config file and a DLL beside a legitimate, signed .NET binary gets their code running inside that trusted process without modifying the binary itself. Because the host process is signed and the malicious assembly is loaded by normal CLR behavior, detection is challenging.
Defenders need to shift their focus from perimeter defenses to robust endpoint detection and response (EDR) capabilities, specifically looking for unsigned assemblies loaded from user-writable paths into signed .NET processes, newly created <exe>.config files containing appDomainManagerAssembly or appDomainManagerType elements, and processes started with the APPDOMAIN_MANAGER_ASM, APPDOMAIN_MANAGER_TYPE or COMPLUS_Version environment variables set. Signature-based antivirus will likely miss these techniques, since nothing on disk needs to look like malware and the execution chain runs through a trusted binary. CISOs should prioritize threat hunting for these specific TTPs, especially within development environments and critical infrastructure segments.
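As an added illustration of the hunting described above (this is example code written for this page, not tooling from Unit 42 or from the report), the following Python script checks the two places where a custom AppDomainManager can be declared: the `<runtime>` section of a .NET `<exe>.config` file and the process environment. It parses constructed sample configs, reports the assembly and type that the CLR would load, and, when scanning a directory, notes whether the named assembly's DLL sits beside the config, which is where a hijack payload must live to be resolved. The file names, assembly names and environment contents are constructed for the example.

```python
"""Hunt for .NET AppDomainManager hijacking indicators (added example).

A .NET process loads a custom AppDomainManager when its <exe>.config names
one under <runtime>, or when the APPDOMAIN_MANAGER_ASM /
APPDOMAIN_MANAGER_TYPE environment variables are set. This script parses
such config files and process environments and reports what would load.
All sample inputs below are constructed for the example.
"""
import os
import xml.etree.ElementTree as ET
from typing import Optional

# Environment variables that make the CLR load a custom AppDomainManager.
# COMPLUS_Version is commonly set alongside them to pin the runtime version.
ENV_INDICATORS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_Version")


def parse_config(xml_text: str) -> Optional[dict]:
    """Return {'assembly', 'type'} if the config names an AppDomainManager, else None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {
        "assembly": asm.get("value") if asm is not None else None,
        "type": typ.get("value") if typ is not None else None,
    }


def assembly_simple_name(full_name: str) -> str:
    """'Evil, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' -> 'Evil'."""
    return full_name.split(",")[0].strip()


def scan_config_file(path: str) -> Optional[dict]:
    """Parse one <exe>.config and, on a hit, look for the hijack DLL beside it."""
    with open(path, encoding="utf-8-sig") as f:
        hit = parse_config(f.read())
    if hit is None:
        return None
    sidecar = None
    if hit["assembly"]:
        candidate = os.path.join(os.path.dirname(path),
                                 assembly_simple_name(hit["assembly"]) + ".dll")
        sidecar = candidate if os.path.exists(candidate) else None
    return {**hit, "config": path, "sidecar_dll": sidecar}


def scan_tree(root_dir: str) -> list:
    """Walk a directory tree and return every *.exe.config that names an AppDomainManager."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".exe.config"):
                hit = scan_config_file(os.path.join(dirpath, name))
                if hit:
                    hits.append(hit)
    return hits


def suspicious_env(env: dict) -> dict:
    """Return the AppDomainManager-related variables present in a process environment."""
    wanted = {e.upper() for e in ENV_INDICATORS}  # Windows env names are case-insensitive
    return {k: v for k, v in env.items() if k.upper() in wanted}


# Constructed sample: a config that makes signed.exe load Evil.dll's Evil.Manager type.
HIJACK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Evil, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Evil.Manager" />
  </runtime>
</configuration>"""

# Constructed sample: a benign config that only selects the target runtime.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

# Constructed sample: environment of a process launched with the env-var variant.
SAMPLE_ENV = {
    "PATH": r"C:\Windows",
    "APPDOMAIN_MANAGER_ASM": "Evil, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",
    "APPDOMAIN_MANAGER_TYPE": "Evil.Manager",
    "COMPLUS_Version": "v4.0.30319",
}

if __name__ == "__main__":
    import sys
    print("config hit:", parse_config(HIJACK_CONFIG))
    print("benign config:", parse_config(BENIGN_CONFIG))
    print("env hit:", suspicious_env(SAMPLE_ENV))
    if len(sys.argv) > 1:  # e.g. a Program Files tree or a user profile
        for hit in scan_tree(sys.argv[1]):
            print("on disk:", hit)
```

A hit from `scan_tree` is not proof of compromise on its own, since some legitimate software ships an AppDomainManager; the triage question is whether the named DLL is unsigned, recently written, or sitting next to a signed vendor binary that never shipped with a config file. The environment-variable check is meant to be run against the environment block of live processes (from EDR telemetry or a process dump), not against the hunter's own shell.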
What This Means For You
- If your organization operates in the technology or defense sectors, you are a prime target for Screening Serpens. Immediately audit your EDR telemetry for AppDomainManager hijacking indicators (new <exe>.config files or environment variables that name a custom AppDomainManager, and unexpected DLLs loaded into signed .NET processes) and for the RAT activity described in the report. Ensure application allow-listing covers DLLs as well as executables, since the hijack payload is a DLL loaded by a trusted binary, and review your network segmentation, particularly for critical R&D or operational technology networks.