Blog
Cloud Security
Cortex Cloud Security Research

Cortex Cloud Security Research

Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

Unit 42 researchers have observed evidence of cyberattacks by the Iran-nexus advanced persistent threat (APT) group Screening Serpens (aka UNC1549, Smoke Sandstorm and Iranian Dream Job). Based on our visibility, we believe that the group targeted entities in the U.S., Israel and the United Arab Emirates, and likely two additional Middle Eastern entities.

Malware

Threat Actor Groups

Advanced Persistent Threat

AppDomainManager

DLL Sideloading

Iran

MiniJunk

MiniUpdate

operation security

RATs

May 22, 2026

By Unit 42

Cloud Cybersecurity Research, Threat Research, Curious Serpens, Entra ID, Microsoft Azure, Microsoft graph API, Midnight Blizzard, MITRE, ROADtools, UTA0355

Paved With Intent: ROADtools and Nation-State Tactics in the Cloud

ROADtools is a publicly available toolkit for offensive and...

May 22, 2026

By Bill Batchelor, Eyal Rafian

Cloud Cybersecurity Research, Threat Research, AI, Cloud, data exfiltration, GCP, Google Cloud, LLMs, multi-agent, penetration testing

Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensiv...

The offensive capabilities of large language models (LLMs) have until recently existed as...

Apr 23, 2026

By Yahav Festinger, Chen Doytshman

Malware, Threat Actor Groups, CL-STA-1048, CL-STA-1049, Stately Taurus, Trojan

Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asi...

We uncovered a High severity security vulnerability CVE-2026-0628 in Google's implementation of the new Gemini feature in Chrome. This vulnerability a...

Mar 26, 2026

By Doel Santos, Hiroaki Hara

Cloud Cybersecurity Research, Threat Research, Google, google authenticator, Google Chrome, identity, passkey, passwordless

Google Cloud Authenticator: The Hidden Mechanisms of Passwordless Authentic...

Passwordless authentication is often presented as the end of account takeover. But to unde...

Mar 23, 2026

By Arie Olshtein

Cybercrime, Nation-State Cyberattacks, Threat Actor Groups, Threat Research, Advanced Persistent Threat, Boggy Serpens, C2, LampoRAT, malware, MuddyWater

Boggy Serpens Threat Assessment

We have been tracking ongoing cyberespionage campaigns by the threat group Boggy Serpens, also known as MuddyWater. Attr...

Mar 16, 2026

By Unit 42

Cybercrime, Threat Actor Groups, Muddled Libra, PowerShell, Scattered Spider, UNC3944, virtual machines

A Peek Into Muddled Libra’s Operational Playbook

Feb 10, 2026

By Justin De Luna, Noah Rincon, Cuong Dinh

Cloud Cybersecurity Research, Threat Research, API, IAM, MITRE, Muddled Libra, Silk Typhoon

Novel Technique to Detect Cloud Threat Actor Operations

Cloud-based alerting systems often struggle to distinguish between normal cloud activity and targeted malicious operations by known threat actors. The...

Feb 06, 2026

By Nathaniel Quist

Nation-State Cyberattacks, Threat Actor Groups, Espionage, Government, phishing, TGR-STA-1030

The Shadow Campaigns: Uncovering Global Espionage

This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. W...

Feb 05, 2026

By Unit 42

Cloud Cybersecurity Research, DNS, Threat Research, Microsoft Azure, networking

DNS OverDoS: Are Private Endpoints Too Private?

We discovered an aspect of Azure’s Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. In this article, we explore how both intentio...

Jan 20, 2026

By Golan Myers

Ransomware, Threat Actor Groups, Threat Research, ESXi, Jolly Scorpius, RansomHouse

From Linear to Complex: An Upgrade in RansomHouse Encryption

Unit 42 uncovered the previously unseen KSwapDoor. This Linux backdoor was initially mistaken for BPFDoor.

Dec 17, 2025

By Anmol Maurya, Jingwen Shi

Malware, Threat Actor Groups, Ashen Lepus, Espionage, WIRTE

Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities Wit...

In recent months, we have been analyzing the activity of an advanced persistent threat (APT) known for its espionage activities against Arabic-speakin...

Dec 11, 2025

By Unit 42

Cloud Cybersecurity Research, Threat Research, control plane, Curious Serpens, data plane, logging, Microsoft Azure, pentest tool

Cloud Discovery With AzureHound

AzureHound is a data collection tool intended for penetration testing that is part of the BloodHound suite. Threat actors misuse this tool to enumerat...

Oct 24, 2025

By Margaret Kelley, Bill Batchelor, Eyal Rafian

Cloud Cybersecurity Research, Cybercrime, Threat Research, CL‑CRI‑1032, Microsoft, phishing, smishing

Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign

Unit 42 stopped monitoring this threat and updating the brief on Sept. 18, 2025. Please refer to the Microsoft SharePoin...

Oct 22, 2025

By Stav Setty, Shachar Roitman

Hospitality Hacks and Retail Reality Checks, Insights, Threat Actor Groups, Bling Libra, Extortion, Lapsus$, Muddled Libra, Retail, Scattered Spider, ShinyHunters

The Golden Scale: Bling Libra and the Evolving Extortion Economy

Oct 10, 2025

By Matt Brady

Cloud Cybersecurity Research, General, Insights, Cloud Infrastructure Protection, Cloud Security, Unit 42 Incident Response Report

Responding to Cloud Incidents: A Step-by-Step Guide From the 2025 Unit 42 G...

Cloud incidents like ransomware attacks and account compromise can bring operations to a h...

Oct 07, 2025

By Margaret Kelley

Malware, Threat Actor Groups, China, CL-STA-0043, Phantom Taurus, TGR-STA-0043

Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR M...

Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests....

Sep 30, 2025

By Lior Rochberger

Get the latest news, invites to events, and threat alerts

By submitting this form, I understand my personal data will be processed in accordance with Palo Alto Networks Privacy Statement and Terms of Use.