Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

    Date: 05/26/2026

    Severity: High

    Summary

    An Iran-linked APT group tracked as Screening Serpens conducted targeted cyberespionage campaigns against organizations in the U.S., Israel, the UAE, and elsewhere in the Middle East during early 2026. The group relied on tailored social engineering and recruitment-themed lures to compromise technology sector professionals, deploying several newly developed RAT variants across coordinated operations. The campaigns showed increased sophistication, including the use of AppDomainManager hijacking (MITRE ATT&CK T1574.014), in which a legitimate .NET executable is made to load an attacker-controlled assembly through its .exe.config file or the APPDOMAIN_MANAGER_* environment variables, to disable application security mechanisms and maintain stealthy, persistent access for espionage activities.
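    As an added example (not from the Unit 42 report or this advisory), the following Python hunts for the two places the .NET Framework runtime reads an AppDomainManager override from: the runtime section of an application's .exe.config and the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables. The config samples, the assembly name UpdaterCore and the file names are constructed for illustration and are not indicators from this campaign.

```python
"""Hunt for AppDomainManager hijacking artifacts (MITRE ATT&CK T1574.014).

Before a .NET Framework application runs any of its own code, the runtime
instantiates the AppDomainManager named either in the <runtime> section of
the application's <name>.exe.config file or in the APPDOMAIN_MANAGER_ASM and
APPDOMAIN_MANAGER_TYPE environment variables. Dropping such a config beside a
legitimate signed .NET binary gets an attacker's assembly loaded by that binary.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterator, Mapping, Optional


@dataclass
class Finding:
    source: str         # path of the config file, or "environment"
    assembly: str       # appDomainManagerAssembly / APPDOMAIN_MANAGER_ASM
    manager_type: str   # appDomainManagerType / APPDOMAIN_MANAGER_TYPE
    etw_disabled: bool  # <etwEnable enabled="false"/> alongside the override


def parse_runtime_config(xml_text: str, source: str = "<inline>") -> Optional[Finding]:
    """Return a Finding if the config overrides the AppDomainManager, else None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    etw = runtime.find("etwEnable")
    etw_disabled = etw is not None and etw.get("enabled", "true").lower() == "false"
    return Finding(source,
                   asm.get("value", "") if asm is not None else "",
                   typ.get("value", "") if typ is not None else "",
                   etw_disabled)


def check_environment(env: Mapping[str, str]) -> Optional[Finding]:
    """The same override can be set per process or machine-wide via environment variables."""
    asm, typ = env.get("APPDOMAIN_MANAGER_ASM", ""), env.get("APPDOMAIN_MANAGER_TYPE", "")
    if not asm and not typ:
        return None
    return Finding("environment", asm, typ, etw_disabled=False)


def scan_tree(root_dir: str) -> Iterator[Finding]:
    """Walk a directory tree and parse every *.exe.config / *.dll.config found."""
    for dirpath, _dirs, names in os.walk(root_dir):
        for name in names:
            if not name.lower().endswith((".exe.config", ".dll.config")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    finding = parse_runtime_config(fh.read(), source=path)
            except OSError:
                continue
            if finding is not None:
                yield finding


# Constructed samples for illustration (not artifacts from this campaign).
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup>
</configuration>"""

HIJACKED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdaterCore, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdaterCore.Manager"/>
    <etwEnable enabled="false"/>
  </runtime>
</configuration>"""

if __name__ == "__main__":
    findings = [parse_runtime_config(BENIGN_CONFIG, "benign.exe.config"),
                parse_runtime_config(HIJACKED_CONFIG, "tool.exe.config"),
                check_environment(os.environ)]
    for f in filter(None, findings):
        flag = "  (ETW disabled)" if f.etw_disabled else ""
        print(f"[!] {f.source}: AppDomainManager {f.manager_type} from {f.assembly}{flag}")
```

    Point scan_tree at user-writable locations where a dropped signed binary plus config would live (profile, temp and download directories) as well as Program Files. Legitimate software rarely sets these elements, so any hit deserves a look, and a finding whose assembly is not in the Global Assembly Cache or the application's own signed directory is the strongest signal.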

    Indicators of Compromise (IOC) List

    Domains/URLs

    licencemanagers.azurewebsites.net

    LicenceSupporting.azurewebsites.net

    PeerDistSvcManagers.azurewebsites.net

    ThemesManagers.azurewebsites.net

    ThemesProviderManagers.azurewebsites.net

    docspace-y4cumb.onlyoffice.com

    NanoMatrix.azurewebsites.net

    QuantumWeave.azurewebsites.net

    ElementShift.azurewebsites.net

    business-startup.org

    business-startup.azurewebsites.net

    Businessstartup.azurewebsites.net

    app[redacted].live

    buisness-centeral.azurewebsites.net

    buisness-centeral-transportation.azurewebsites.net

    Buisness-centeral-transportation.com

    docspace-twpf0e.onlyoffice.com

    PremierHealthAdvisory.com

    PremierHealthAdvisory.azurewebsites.net

    Premier-HealthAdvisory.azurewebsites.net

    Ramiltonsfinance.com

    Ramiltonsfinance.azurewebsites.neti

    Ramiltons-finance.azurewebsites.net

    https://docspace-y4cumb.onlyoffice.com/storage/files/root/folder_3602000/file_3601577/v1/content.zip

    https://app[redacted].live/meeting/edcdba624ddb43c2a1dcf334aa493068

    https://docspace-twpf0e.onlyoffice.com/storage/files/root/folder_3765000/file_3764519/v1/content.zip?filename=remote.zip

    https://2117.filemail.com/api/file/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm

    Hashes (SHA-256)

    44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250

    332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17

    0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864

    38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d

    d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2

    bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad

    74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27

    9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84

    b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4

    8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b

    43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa

    9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "licencemanagers.azurewebsites.net" or url like "licencemanagers.azurewebsites.net" or siteurl like "licencemanagers.azurewebsites.net"
    or domainname like "LicenceSupporting.azurewebsites.net" or url like "LicenceSupporting.azurewebsites.net" or siteurl like "LicenceSupporting.azurewebsites.net"
    or domainname like "PeerDistSvcManagers.azurewebsites.net" or url like "PeerDistSvcManagers.azurewebsites.net" or siteurl like "PeerDistSvcManagers.azurewebsites.net"
    or domainname like "ThemesManagers.azurewebsites.net" or url like "ThemesManagers.azurewebsites.net" or siteurl like "ThemesManagers.azurewebsites.net"
    or domainname like "ThemesProviderManagers.azurewebsites.net" or url like "ThemesProviderManagers.azurewebsites.net" or siteurl like "ThemesProviderManagers.azurewebsites.net"
    or domainname like "docspace-y4cumb.onlyoffice.com" or url like "docspace-y4cumb.onlyoffice.com" or siteurl like "docspace-y4cumb.onlyoffice.com"
    or domainname like "NanoMatrix.azurewebsites.net" or url like "NanoMatrix.azurewebsites.net" or siteurl like "NanoMatrix.azurewebsites.net"
    or domainname like "QuantumWeave.azurewebsites.net" or url like "QuantumWeave.azurewebsites.net" or siteurl like "QuantumWeave.azurewebsites.net"
    or domainname like "ElementShift.azurewebsites.net" or url like "ElementShift.azurewebsites.net" or siteurl like "ElementShift.azurewebsites.net"
    or domainname like "business-startup.org" or url like "business-startup.org" or siteurl like "business-startup.org"
    or domainname like "business-startup.azurewebsites.net" or url like "business-startup.azurewebsites.net" or siteurl like "business-startup.azurewebsites.net"
    or domainname like "Businessstartup.azurewebsites.net" or url like "Businessstartup.azurewebsites.net" or siteurl like "Businessstartup.azurewebsites.net"
    or domainname like "buisness-centeral.azurewebsites.net" or url like "buisness-centeral.azurewebsites.net" or siteurl like "buisness-centeral.azurewebsites.net"
    or domainname like "buisness-centeral-transportation.azurewebsites.net" or url like "buisness-centeral-transportation.azurewebsites.net" or siteurl like "buisness-centeral-transportation.azurewebsites.net"
    or domainname like "Buisness-centeral-transportation.com" or url like "Buisness-centeral-transportation.com" or siteurl like "Buisness-centeral-transportation.com"
    or domainname like "docspace-twpf0e.onlyoffice.com" or url like "docspace-twpf0e.onlyoffice.com" or siteurl like "docspace-twpf0e.onlyoffice.com"
    or domainname like "PremierHealthAdvisory.com" or url like "PremierHealthAdvisory.com" or siteurl like "PremierHealthAdvisory.com"
    or domainname like "PremierHealthAdvisory.azurewebsites.net" or url like "PremierHealthAdvisory.azurewebsites.net" or siteurl like "PremierHealthAdvisory.azurewebsites.net"
    or domainname like "Premier-HealthAdvisory.azurewebsites.net" or url like "Premier-HealthAdvisory.azurewebsites.net" or siteurl like "Premier-HealthAdvisory.azurewebsites.net"
    or domainname like "Ramiltonsfinance.com" or url like "Ramiltonsfinance.com" or siteurl like "Ramiltonsfinance.com"
    or domainname like "Ramiltonsfinance.azurewebsites.neti" or url like "Ramiltonsfinance.azurewebsites.neti" or siteurl like "Ramiltonsfinance.azurewebsites.neti"
    or domainname like "Ramiltons-finance.azurewebsites.net" or url like "Ramiltons-finance.azurewebsites.net" or siteurl like "Ramiltons-finance.azurewebsites.net"
    or url like "https://docspace-y4cumb.onlyoffice.com/storage/files/root/folder_3602000/file_3601577/v1/content.zip" or siteurl like "https://docspace-y4cumb.onlyoffice.com/storage/files/root/folder_3602000/file_3601577/v1/content.zip"
    or url like "/meeting/edcdba624ddb43c2a1dcf334aa493068" or siteurl like "/meeting/edcdba624ddb43c2a1dcf334aa493068"
    or url like "https://docspace-twpf0e.onlyoffice.com/storage/files/root/folder_3765000/file_3764519/v1/content.zip?filename=remote.zip" or siteurl like "https://docspace-twpf0e.onlyoffice.com/storage/files/root/folder_3765000/file_3764519/v1/content.zip?filename=remote.zip"
    or url like "https://2117.filemail.com/api/file/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm" or siteurl like "https://2117.filemail.com/api/file/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm"

    The host of the meeting URL is redacted in the IOC list above, so the query matches that indicator on its /meeting/ path rather than on a placeholder host; this relies on the same substring matching the other url clauses use. Hostnames are written as listed; if the field comparison in your deployment is case-sensitive, lowercase both the indicator and the field before matching.

    Detection Query 2 :

    sha256hash IN (
        "38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d",
        "bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad",
        "8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b",
        "332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17",
        "74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27",
        "44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250",
        "9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84",
        "b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4",
        "d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2",
        "0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864",
        "9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1",
        "43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa"
    )
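    Added example (not part of the original advisory or the Unit 42 report): a Python equivalent of Detection Queries 1 and 2 for log sources outside Gurucul. It folds hostnames and hashes to lowercase, drops the duplicate hash, and matches each full URL on its host or on its distinctive path, so the meeting link whose host is redacted above and the filemail.com download are caught without flagging those services wholesale. The field names follow the queries above; the sample log lines, the src= values and the app.example.live host are constructed.

```python
"""Portable equivalent of Detection Queries 1 and 2 for non-Gurucul log sources.

Hostnames compare case-insensitively (the IOC list mixes cases such as
LicenceSupporting.azurewebsites.net), hashes are lowercased and de-duplicated,
and full URLs match on host or on their distinctive path (plus query string).
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Domains from the IOC list above, reproduced as listed (including the ".neti" entry).
IOC_HOSTS = {h.lower() for h in (
    "licencemanagers.azurewebsites.net", "LicenceSupporting.azurewebsites.net",
    "PeerDistSvcManagers.azurewebsites.net", "ThemesManagers.azurewebsites.net",
    "ThemesProviderManagers.azurewebsites.net", "docspace-y4cumb.onlyoffice.com",
    "NanoMatrix.azurewebsites.net", "QuantumWeave.azurewebsites.net",
    "ElementShift.azurewebsites.net", "business-startup.org",
    "business-startup.azurewebsites.net", "Businessstartup.azurewebsites.net",
    "buisness-centeral.azurewebsites.net", "buisness-centeral-transportation.azurewebsites.net",
    "Buisness-centeral-transportation.com", "docspace-twpf0e.onlyoffice.com",
    "PremierHealthAdvisory.com", "PremierHealthAdvisory.azurewebsites.net",
    "Premier-HealthAdvisory.azurewebsites.net", "Ramiltonsfinance.com",
    "Ramiltonsfinance.azurewebsites.neti", "Ramiltons-finance.azurewebsites.net",
)}
# Path and query of each full URL in the IOC list. filemail.com and the redacted
# meeting host are matched on path only, not as whole services.
IOC_URL_PATHS = {
    "/storage/files/root/folder_3602000/file_3601577/v1/content.zip",
    "/storage/files/root/folder_3765000/file_3764519/v1/content.zip?filename=remote.zip",
    "/meeting/edcdba624ddb43c2a1dcf334aa493068",
    "/api/file/get?filekey=T0EnWQ6NugHkW_kLfDxPBEw_um6NSkg9ZwNRQ_5lrKrLLUo35pV8m3TKv1LqF3zZzdUm",
}
# SHA-256 hashes as listed above (13 entries: one duplicate, one in mixed case).
IOC_SHA256 = {h.lower() for h in (
    "44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250",
    "332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17",
    "0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864",
    "38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d",
    "d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2",
    "bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad",
    "74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27",
    "bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad",
    "9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84",
    "B19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4",
    "8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b",
    "43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa",
    "9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1",
)}


def host_matches(host: str) -> bool:
    return host.lower().rstrip(".") in IOC_HOSTS


def url_matches(url: str) -> bool:
    parts = urlsplit(url.strip())
    if host_matches(parts.hostname or ""):
        return True
    path = parts.path + (f"?{parts.query}" if parts.query else "")
    return path in IOC_URL_PATHS


def hash_matches(digest: str) -> bool:
    return digest.strip().lower() in IOC_SHA256


_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a key=value log line; quoted values may contain spaces and '='."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def scan_logs(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line number, matched fields) for every line hitting an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_kv(line)
        reasons = [k for k in ("domainname",) if k in f and host_matches(f[k])]
        reasons += [k for k in ("url", "siteurl") if k in f and url_matches(f[k])]
        reasons += [k for k in ("sha256hash",) if k in f and hash_matches(f[k])]
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    'ts=2026-03-02T09:14:07Z src=ws-17 domainname=licencesupporting.azurewebsites.net url="https://licencesupporting.azurewebsites.net/api/check"',
    'ts=2026-03-02T09:16:41Z src=ws-17 url="https://app.example.live/meeting/edcdba624ddb43c2a1dcf334aa493068"',
    'ts=2026-03-02T09:20:03Z src=srv-01 url="https://2117.filemail.com/api/file/get?filekey=otherkey"',
    'ts=2026-03-02T09:25:55Z src=ws-17 process=remote.exe sha256hash=B19E06DA580CF91691EDA066AC9EE4B09C6E5DC26C367AF12660FE1F9306EEC4',
    'ts=2026-03-02T09:26:10Z src=srv-01 process=notepad.exe sha256hash=0000000000000000000000000000000000000000000000000000000000000000',
]

if __name__ == "__main__":
    for n, reasons in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: IOC match on {', '.join(reasons)}")
```

    Lines 1, 2 and 4 of the sample hit; line 3 does not, because a different filemail.com download is not an indicator even though the service was used in the campaign.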

    Reference:

    https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/


    Tags

    Threat Actor, Malware, APT, Iran, Cyber Espionage, United States, Israel, UAE, The Middle East, Social Engineering, Information Technology, RAT
