HIGH

Iranian APT Screening Serpens Uses AppDomainManager Hijacking in 2026 Espionage Campaigns

· malware · privilege-escalation

Unit 42 published detailed tracking of Screening Serpens, an Iran-linked APT actively targeting technology and defense sector organizations in 2026. The group employs AppDomainManager hijacking — abusing .NET’s application domain configuration to load attacker-controlled DLLs without dropping obvious malware — alongside new remote access trojan variants. The combination of a living-off-the-land technique with custom tooling complicates detection. Defenders in tech and defense verticals should review .NET AppDomainManager configurations and monitor for unexpected DLL loading.
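One way to carry out the configuration review recommended above, as an added example that is not from Unit 42's report: a Python scanner that flags application `.config` files and process environments that name a custom AppDomainManager. It relies on the documented .NET Framework `<appDomainManagerAssembly>` and `<appDomainManagerType>` runtime elements and the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables; the function names, the allowlist parameter and the sample config are assumptions made for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Documented .NET Framework <runtime> elements that name a custom AppDomainManager,
# and the environment variables that set the same thing per process.
CONFIG_ELEMENTS = {"appdomainmanagerassembly", "appdomainmanagertype"}
ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed sample of an application .config file; the assembly name is made up.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleMgr, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleMgr.Manager" />
  </runtime>
</configuration>"""


def overrides_in_config(xml_bytes):
    """Return {lowercased element name: value} for AppDomainManager settings."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return {}  # not well-formed XML; nothing to report from this file
    found = {}
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1].lower()  # drop any XML namespace
        if name in CONFIG_ELEMENTS:
            found[name] = el.get("value", "")
    return found


def overrides_in_env(env):
    """Return the AppDomainManager environment variables that are set in env."""
    return {k: env[k] for k in ENV_VARS if env.get(k)}


def scan_tree(top, allowed_assemblies=frozenset()):
    """List (path, settings) for *.config files naming a non-allowlisted manager."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        for fn in (f for f in files if f.lower().endswith(".config")):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                found = overrides_in_config(fh.read())
            simple = found.get("appdomainmanagerassembly", "").split(",")[0].strip()
            if found and simple not in allowed_assemblies:
                hits.append((path, found))
    return hits
```

A hit is a lead for review rather than a verdict, since some legitimate software sets a custom manager; confirm the named assembly's location and signer before adding it to the allowlist.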