A never-before-seen threat activity cluster, codenamed UNK_SmudgedSerpent, launched a series of cyberattacks targeting academics and foreign policy experts between June and August 2025. These attacks unfolded amid escalating geopolitical tensions between Iran and Israel, highlighting a surge in cyber espionage activity tied to regional conflict.
“UNK_SmudgedSerpent leveraged domestic political lures, including societal change in Iran and investigation into the militarization of the Islamic Revolutionary Guard Corps (IRGC),” Proofpoint security researcher Saher Naumaan said in a new report shared with The Hacker News.
Furthermore, the enterprise security company explained that the campaign shares tactical similarities with earlier attacks conducted by Iranian cyber espionage groups such as TA455 (also known as Smoke Sandstorm or UNC1549), TA453 (Charming Kitten or Mint Sandstorm), and TA450 (Mango Sandstorm or MuddyWater).
The email messages display all the hallmarks of a classic Charming Kitten attack. The threat actors first engaged prospective victims in seemingly harmless conversations and then attempted to phish their credentials once trust was established.
In several cases, the attackers inserted malicious URLs into their emails to deceive recipients into downloading an MSI installer disguised as Microsoft Teams. However, the installer deployed legitimate Remote Monitoring and Management (RMM) software such as PDQ Connect, a tactic frequently used by MuddyWater.
Moreover, Proofpoint revealed that these digital messages impersonated prominent U.S. foreign policy figures associated with respected think tanks like the Brookings Institution and the Washington Institute. This impersonation strategy added a sense of credibility, increasing the likelihood of the attack’s success.
The targets included more than 20 subject matter experts at a U.S.-based think tank focusing on Iran-related policy matters. In one instance, the threat actor, after receiving a reply, insisted on verifying the target’s identity and the authenticity of their email address before moving forward with any collaboration.
“I am reaching out to confirm whether a recent email expressing interest in our institute’s research project was indeed sent by you,” the email read. “The message was received from an address that does not appear to be your primary email, and I wanted to ensure the authenticity before proceeding further.”
Afterward, the attackers sent a link to documents they claimed would be discussed in an upcoming meeting. However, clicking the link redirected the victim to a fake landing page designed to steal Microsoft account credentials.
In another version of the attack chain, the URL mimicked a Microsoft Teams login page and displayed a “Join now” button. The subsequent stages that activated after clicking this button remain unclear.
Proofpoint also observed that the adversary removed the password requirement on the phishing page after the target “communicated suspicions,” instead redirecting them to a spoofed OnlyOffice login page hosted on “thebesthomehealth[.]com.”
“UNK_SmudgedSerpent’s reference to OnlyOffice URLs and health-themed domains is reminiscent of TA455 activity,” Naumaan noted. “TA455 began registering health-related domains at least since October 2024 following a consistent stream of domains with aerospace interest, with OnlyOffice becoming popular to host files more recently in June 2025.”
The counterfeit OnlyOffice site hosted a ZIP archive containing an MSI installer that launched PDQ Connect, while the other accompanying documents served as decoys.
Evidence also suggests that UNK_SmudgedSerpent conducted hands-on-keyboard activity, installing additional RMM tools such as ISL Online through PDQ Connect. The reason for deploying two separate RMM programs remains unknown.
Additionally, other phishing emails from the threat actor targeted a U.S.-based academic, requesting help with an investigation into the IRGC. Another message, sent in early August 2025, solicited collaboration on a research project titled “Iran’s Expanding Role in Latin America and U.S. Policy Implications.”
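The two behaviours described above, a lure-named MSI that installs a legitimate RMM agent and a second RMM tool installed through the first, are both visible in endpoint process-creation telemetry. The following detection sketch is an added example, not code from Proofpoint or The Hacker News; the log schema, the agent binary names (real PDQ Connect and ISL Online binaries differ by version) and the sample events are all constructed for illustration.

```python
"""Detection sketch for the RMM-abuse chain described in the article: an MSI
posing as Microsoft Teams installs a legitimate RMM agent (PDQ Connect), and a
second RMM tool (ISL Online) is later installed through the first.

Added example, not code from Proofpoint or The Hacker News. The log schema,
process names and sample events are constructed; real agent binary names differ.
"""
import re
from dataclasses import dataclass

# Hypothetical agent binary names for the two RMM products named in the report.
RMM_PROCESSES = {
    "pdq-connect-agent.exe": "PDQ Connect",
    "isllight.exe": "ISL Online",
}
# A short token expected in the file name of an honestly named installer package.
PRODUCT_TOKEN = {"PDQ Connect": "pdq", "ISL Online": "isl"}

MSI_PATH = re.compile(r'"?([^"\s]+\.msi)"?', re.IGNORECASE)


@dataclass
class ProcessEvent:
    ts: str
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def rmm_product(image):
    return RMM_PROCESSES.get(image.lower())


def msi_package(cmdline):
    """Return the lower-cased .msi file name from an msiexec command line, or None."""
    m = MSI_PATH.search(cmdline)
    return m.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower() if m else None


def detect(events):
    """Apply two rules and return findings as (rule, host, pid, detail) tuples."""
    by_key = {(e.host, e.pid): e for e in events}
    findings = []
    for e in events:
        product = rmm_product(e.image)
        if not product:
            continue
        parent = by_key.get((e.host, e.ppid))
        # Rule A: RMM agent launched by an MSI whose package name hides the product.
        if parent and parent.image.lower() == "msiexec.exe":
            pkg = msi_package(parent.cmdline)
            if pkg and PRODUCT_TOKEN[product] not in pkg:
                findings.append(("rmm_lure_installer", e.host, e.pid,
                                 f"{product} installed from package {pkg}"))
        # Rule B: a different RMM product in the ancestry (RMM-through-RMM install).
        anc, depth = parent, 0
        while anc and depth < 4:
            anc_product = rmm_product(anc.image)
            if anc_product and anc_product != product:
                findings.append(("rmm_chaining", e.host, e.pid,
                                 f"{product} installed via {anc_product}"))
                break
            anc, depth = by_key.get((anc.host, anc.ppid)), depth + 1
    return findings


# Constructed sample telemetry: one malicious chain and two benign installs.
SAMPLE_EVENTS = [
    ProcessEvent("2025-07-10T09:01:12Z", "WS01", 4120, 3100, "msiexec.exe",
                 'msiexec.exe /i "C:\\Users\\a\\Downloads\\MicrosoftTeams.msi" /qn'),
    ProcessEvent("2025-07-10T09:01:15Z", "WS01", 4188, 4120, "pdq-connect-agent.exe",
                 "pdq-connect-agent.exe --service"),
    ProcessEvent("2025-07-10T11:42:03Z", "WS01", 5210, 4188, "msiexec.exe",
                 "msiexec.exe /i ISLOnline.msi /qn"),
    ProcessEvent("2025-07-10T11:42:07Z", "WS01", 5240, 5210, "isllight.exe",
                 "isllight.exe"),
    # Benign: IT deploys PDQ Connect with an honestly named package.
    ProcessEvent("2025-07-10T08:00:00Z", "WS02", 7000, 900, "msiexec.exe",
                 'msiexec.exe /i "PDQConnectAgent.msi" /qn'),
    ProcessEvent("2025-07-10T08:00:03Z", "WS02", 7010, 7000, "pdq-connect-agent.exe",
                 "pdq-connect-agent.exe --service"),
    # Benign: a real Teams installer launching Teams.
    ProcessEvent("2025-07-10T08:30:00Z", "WS03", 8000, 900, "msiexec.exe",
                 'msiexec.exe /i "Teams_windows_x64.msi"'),
    ProcessEvent("2025-07-10T08:30:05Z", "WS03", 8010, 8000, "ms-teams.exe", "ms-teams.exe"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone, the script reports only the WS01 chain: the PDQ Connect agent spawned by a package named after Teams, and ISL Online installed with PDQ Connect in its ancestry. The honestly named PDQ Connect rollout on WS02 and the real Teams install on WS03 stay silent, which is the point: the signal is the mismatch between what the package claims to be and what actually runs, not RMM software as such.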
“The campaigns align with Iran’s intelligence collection, focusing on Western policy analysis, academic research, and strategic technology,” Proofpoint concluded. “The operation hints at evolving cooperation between Iranian intelligence entities and cyber units, marking a shift in Iran’s espionage ecosystem.”
Source: TheHackerNews