Iran-linked hackers target key US, allied sectors with sophisticated spear-phishing messages
Iranian government-backed hackers are using spear-phishing attacks and remote access Trojans (RATs) to spy on high-value sectors in the US and the Middle East as part of Tehran’s response to the US-Israeli war, according to Palo Alto Networks.
The company’s Unit 42 researchers recently discovered six new RATs that an Iran-linked group the researchers call Screening Serpens has used for espionage purposes. The group “has increased its operations” since the war began, the researchers said, and malware metadata suggests that it has attacked “targets across the US, Israel and the [United Arab Emirates] as well as two additional Middle Eastern entities.”
Screening Serpens – which other researchers call UNC1549, Smoke Sandstorm and Nimbus Manticore – has “consistently set its sights on high-value sectors,” Palo Alto Networks said, especially in the aerospace, defence and telecommunications industries.
“A defining characteristic of these recent campaigns is the deep personalisation of the attackers’ lures,” researchers wrote. “By leveraging tailored social engineering tactics, including fake job requisitions and spoofed video conferencing meeting invitations, the attackers lure victims into initiating the infection chain, thereby exposing their organisations to further exploitation.”
The new report is the latest evidence that Iran is seeking to maximise its use of cyberspace to fight back against the US and its allies as the war drags into its fourth month. Hacking groups linked to Tehran previously have been spotted attacking Middle Eastern city governments and US infrastructure operators.
Malware paired with diligent planning
The six new RATs were part of two malware families. The first, MiniUpdate, surfaced in two campaigns in late March that targeted US and Israeli organisations, followed by a mid-April campaign that appears to have targeted organisations in the UAE and possibly a second Middle Eastern country. According to Palo Alto Networks’ report, the US campaign involved customised spear-phishing lures in which the hackers impersonated a major aviation company, while, in the Middle Eastern attacks, the hackers first impersonated a healthcare organisation and then impersonated a financial services firm.
In February and March, researchers detected attacks involving RATs belonging to a second malware family, MiniJunk V2. The February attacks targeted an IT professional working in the Middle East and involved months of planning and research, with malware development beginning in late 2025 as the hackers studied the target’s attempts to find a new job.
“The threat actor conducted careful reconnaissance, exploiting the target’s active job-hunting footprint to engineer a customised lure,” Palo Alto Networks said. “To establish legitimacy and coerce the target to execute their payload, the attackers shared a spoofed recruitment URL from a legitimate, well-known employment website.”
Screening Serpens “has continued to orchestrate sustained, adaptive global cyber campaigns” as of April, according to the report. “Organisations may expect further attempts in the near term and should harden their defensive posture to prepare for potential compromise attempts.”
Cybersecurity Dive





