
A never-before-seen threat activity cluster codenamed UNK_SmudgedSerpent is believed to be behind a series of cyberattacks targeting academics and foreign policy professionals from June to August 2025, coinciding with heightened geopolitical tensions between Iran and Israel.
“UNK_SmudgedSerpent took advantage of domestic political temptations, including investigations into social change in Iran and the militarization of the Islamic Revolutionary Guards Corps (IRGC),” Proofpoint security researcher Sahel Naumaan said in a new report shared with The Hacker News.
The enterprise security firm said the campaign is tactically similar to previous attacks launched by Iranian cyber espionage groups such as TA455 (aka Smoke Sandstorm or UNC1549), TA453 (aka Mint Sandstorm or Charming Kitten), and TA450 (aka MuddyWater or Mango Sandstorm).

The email messages have all the hallmarks of a classic Charming Kitten attack: the attacker engages potential targets in a benign conversation before attempting to phish their credentials.
In some cases, the emails have been found to contain malicious URLs that trick victims into downloading MSI installers. The MSI installers, while masquerading as Microsoft Teams, deploy legitimate remote monitoring and management (RMM) software such as PDQ Connect, a tactic often employed by MuddyWater.
Proofpoint said the messages impersonated prominent U.S. foreign policy officials associated with think tanks such as the Brookings Institution and the Washington Institute, lending the lures an appearance of legitimacy and increasing the attack’s chances of success.

The effort targeted more than 20 experts from a U.S.-based think tank focused on policy issues related to Iran. In at least one case, upon receiving a response, the attacker insisted on verifying the target’s identity and the authenticity of their email address before cooperating further.
“We are contacting you to confirm that your recent email expressing your interest in our research project is indeed from you,” the email said. “The message was received from an address that we believe is not your primary email, so we wanted to verify its authenticity before proceeding.”
The attacker then sent a link to a specific document that they claimed would be discussed at an upcoming meeting. However, once the link is clicked, victims are directed to a fake landing page designed to collect Microsoft account credentials.
In another variant of the infection chain, the URL leads to a page that imitates the Microsoft Teams login page with a “Join now” button. However, the subsequent stages that would be triggered after clicking the expected meeting button are unknown at this stage.
Proofpoint noted that after the target “expressed their suspicions,” the attackers removed the password requirement on the credential capture page and instead redirected them to a fake OnlyOffice login page hosted at “thebesthomehealth[.]com.”
“UNK_SmudgedSerpent’s references to OnlyOffice URLs and health-themed domains are reminiscent of TA455’s activity,” Naumaan said. “TA455 has started registering health-related domains since at least October 2024, following a consistent flow of aerospace-related domains, and as recently as June 2025, OnlyOffice became common for hosting files.”

Hosted on the fake OnlyOffice site is a ZIP archive containing an MSI installer that launches PDQ Connect. Other documents have been assessed as decoys, according to the company.
There is evidence to suggest that UNK_SmudgedSerpent engaged in hands-on-keyboard activity, using PDQ Connect to install additional RMM tools such as ISL Online. It is unclear why two different RMM programs were deployed sequentially.
Other phishing emails sent by this threat actor targeted an academic residing in the United States, seeking assistance with research on the Revolutionary Guards, and another individual was targeted in early August 2025 with a request for potential cooperation in researching “Iran’s growing role in Latin America and its implications for U.S. policy.”
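Because the chain described above (a Teams-branded MSI that installs PDQ Connect, which is then used to install ISL Online) is a process-lineage pattern, it can be hunted in endpoint process-creation telemetry. The following is an added detection sketch, not code from Proofpoint’s report; the RMM agent image names, the user-writable path list and the sample events are assumptions and constructed placeholders, not verified indicators.

```python
from dataclasses import dataclass

# ASSUMED placeholder image names for the two RMM agents; not verified binary names.
RMM_IMAGES = {"pdqconnectagent.exe": "PDQ Connect", "islonline.exe": "ISL Online"}
# Paths from which a user-downloaded lure would typically be run (assumption).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

@dataclass
class Event:
    ts: int; pid: int; ppid: int   # seconds since an arbitrary epoch, pid, parent pid
    image: str; cmdline: str       # full image path, command line

def rmm_name(ev):
    """Map a process image to a known RMM product name, or None."""
    return RMM_IMAGES.get(ev.image.lower().rsplit("\\", 1)[-1])

def is_teams_lookalike_msi(ev):
    """msiexec installing a 'Teams'-named MSI from a user-writable path (the lure above)."""
    cl = ev.cmdline.lower()
    return (ev.image.lower().endswith("\\msiexec.exe") and ".msi" in cl
            and "teams" in cl and any(p in cl for p in USER_WRITABLE))

def detect_rmm_chain(events, window=600, max_depth=5):
    """Return findings for: Teams-lookalike MSI -> RMM agent -> second RMM under its tree."""
    events = sorted(events, key=lambda e: e.ts)
    by_pid = {e.pid: e for e in events}
    findings = []
    for msi in filter(is_teams_lookalike_msi, events):
        for ev in events:   # any RMM agent starting shortly after the lookalike install
            if rmm_name(ev) and msi.ts <= ev.ts <= msi.ts + window:
                findings.append(f"{rmm_name(ev)} started {ev.ts - msi.ts}s after Teams-lookalike MSI (pid {msi.pid})")
    for ev in events:       # a different RMM launched anywhere under the first RMM's process tree
        child = rmm_name(ev)
        if not child:
            continue
        anc, depth = by_pid.get(ev.ppid), 0
        while anc and depth < max_depth:
            if rmm_name(anc) and rmm_name(anc) != child:
                findings.append(f"{child} (pid {ev.pid}) launched under {rmm_name(anc)} (pid {anc.pid}): sequential RMM deployment")
                break
            anc, depth = by_pid.get(anc.ppid), depth + 1
    return findings

# Constructed sample telemetry (not real data) reproducing the described chain.
SAMPLE = [
    Event(0, 100, 50, r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\Users\alice\Downloads\MicrosoftTeams.msi" /qn'),
    Event(5, 200, 60, r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\Windows\ccmcache\Teams.msi" /qn'),  # managed install, not flagged
    Event(30, 101, 100, r"C:\Program Files\PDQ\PDQConnectAgent.exe", "PDQConnectAgent.exe"),
    Event(900, 102, 101, r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\Windows\Temp\remote.msi" /qn'),
    Event(930, 103, 102, r"C:\Program Files\ISL Online\ISLOnline.exe", "ISLOnline.exe"),
]
```

Calling `detect_rmm_chain(SAMPLE)` yields two findings: the RMM agent starting 30 s after the lookalike MSI, and the second RMM launched under the first one’s process tree; the managed install from `ccmcache` is not flagged.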
“This campaign is consistent with Iranian intelligence gathering and focuses on Western policy analysis, academic research, and strategic technology,” Proofpoint said. “This operation signals an evolution in cooperation between Iran’s intelligence services and cyber forces and signals a shift in Iran’s espionage ecosystem.”
