Unveiling ‘SmudgedSerpent’: The Covert Cyber Threat Targeting U.S. Policy Experts Amid Iran-Israel Tensions
Between June and August 2025, a previously unidentified cyber threat group, designated as UNK_SmudgedSerpent, orchestrated a series of sophisticated attacks targeting academics and foreign policy experts in the United States. These incidents coincided with escalating geopolitical tensions between Iran and Israel, suggesting a strategic motive behind the cyber activities.
According to a report by Proofpoint security researcher Saher Naumaan, UNK_SmudgedSerpent employed lures centered on domestic political issues, such as societal changes in Iran and investigations into the militarization of the Islamic Revolutionary Guard Corps (IRGC). This approach indicates a calculated effort to engage individuals deeply involved in Middle Eastern policy analysis.
The tactics observed in this campaign bear striking similarities to those used by known Iranian cyber espionage groups, including TA455 (also known as Smoke Sandstorm or UNC1549), TA453 (Charming Kitten or Mint Sandstorm), and TA450 (Mango Sandstorm or MuddyWater). These parallels suggest a possible connection or shared methodologies among these entities.
Phishing Tactics and Credential Harvesting
The attackers initiated contact through emails that mirrored the techniques of Charming Kitten, engaging targets in seemingly innocuous conversations before attempting to extract sensitive information. In several instances, the emails contained malicious links designed to deceive recipients into downloading MSI installers disguised as legitimate applications like Microsoft Teams. Once executed, these installers deployed Remote Monitoring and Management (RMM) software such as PDQ Connect, a tactic previously associated with MuddyWater operations.
To enhance the credibility of their communications, the threat actors impersonated prominent U.S. foreign policy figures affiliated with esteemed think tanks like the Brookings Institution and the Washington Institute. This impersonation aimed to increase the likelihood of the targets engaging with the malicious content.
Targeted Individuals and Social Engineering
The campaign primarily focused on over 20 subject matter experts from a U.S.-based think tank specializing in Iran-related policy matters. In one notable case, after receiving a response from a target, the attackers insisted on verifying the individual’s identity and the authenticity of their email address before proceeding with any collaboration. This meticulous approach underscores the attackers’ commitment to establishing trust and legitimacy.
An example of such communication reads:
I am reaching out to confirm whether a recent email expressing interest in our institute’s research project was indeed sent by you. The message was received from an address that does not appear to be your primary email, and I wanted to ensure the authenticity before proceeding further.
Following this exchange, the attackers provided a link to documents purportedly relevant to an upcoming meeting. However, clicking the link redirected the victim to a counterfeit landing page designed to harvest their Microsoft account credentials.
Evolving Attack Vectors
In another variant of the attack, the malicious URL mimicked a Microsoft Teams login page featuring a “Join now” button. The subsequent stages triggered upon clicking this button remain unclear, indicating a potential evolution in the attackers’ methods.
Proofpoint observed that when a target expressed suspicion, the adversaries adapted by removing the password requirement on the credential harvesting page, instead directing them to a spoofed OnlyOffice login page hosted on a domain named thebesthomehealth[.]com.
UNK_SmudgedSerpent’s reference to OnlyOffice URLs and health-themed domains is reminiscent of TA455 activity, Naumaan noted. TA455 has been registering health-related domains since at least October 2024, following a consistent stream of aerospace-themed domains, with OnlyOffice becoming a popular choice for hosting files more recently, in June 2025.
The counterfeit OnlyOffice site hosted a ZIP archive containing an MSI installer that, when executed, launched PDQ Connect. The other documents provided were assessed to be decoys, serving to distract the victim while the malicious software was deployed.
Advanced Persistence Techniques
Evidence suggests that UNK_SmudgedSerpent engaged in hands-on-keyboard activity to install additional RMM tools like ISL Online through PDQ Connect. The rationale behind the sequential deployment of multiple RMM programs remains unclear but indicates a sophisticated approach to maintaining persistent access to compromised systems.
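As an added defensive example (not code from the Proofpoint report or this article), the following Python flags the two telemetry patterns described above: an RMM agent spawned by msiexec.exe that was installing a package from a user-writable path, and a second RMM product appearing on a host that already runs one. The event format, agent binary names and install paths are assumptions; the sample events are constructed.

```python
from collections import defaultdict
# Product names come from the report; the install paths and binary names used
# below are assumptions, not documented PDQ Connect or ISL Online artefacts.
RMM_PRODUCTS = {"pdq connect": "PDQ Connect", "isl online": "ISL Online"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")

def classify_rmm(image):
    """Return the RMM product name if the image path belongs to a known tool."""
    low = image.lower()
    return next((name for key, name in RMM_PRODUCTS.items() if key in low), None)

def detect(events):
    """Run two rules over process-creation dicts (host, ts, image, parent, cmdline)."""
    findings, by_host = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        seen = set()  # RMM products already started on this host
        for ev in evs:
            product = classify_rmm(ev["image"])
            if not product:
                continue
            # Rule 1: RMM agent spawned by msiexec.exe after an msiexec run that
            # installed a package from a user-writable path (the Teams-themed lure).
            if ev["parent"].lower().endswith("msiexec.exe") and any(
                    e["ts"] <= ev["ts"] and e["image"].lower().endswith("msiexec.exe")
                    and any(p in e["cmdline"].lower() for p in USER_WRITABLE) for e in evs):
                findings.append({"rule": "msi_delivered_rmm", "host": host, "product": product})
            # Rule 2: a second, different RMM product appears on a host that
            # already runs one (ISL Online pushed through PDQ Connect).
            if seen and product not in seen:
                findings.append({"rule": "chained_rmm", "host": host, "product": product})
            seen.add(product)
    return findings

# Constructed sample telemetry: WS01 mirrors the reported chain; WS02 is an
# agent legitimately installed from the SCCM cache and should not alert.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 1, "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\jdoe\Downloads\MicrosoftTeams.msi /qn"},
    {"host": "WS01", "ts": 2, "image": r"C:\Program Files\PDQ Connect\pdq-connect-agent.exe",
     "parent": r"C:\Windows\System32\msiexec.exe", "cmdline": "pdq-connect-agent.exe"},
    {"host": "WS01", "ts": 3, "image": r"C:\Program Files\ISL Online\ISLLight.exe",
     "parent": r"C:\Program Files\PDQ Connect\pdq-connect-agent.exe", "cmdline": "ISLLight.exe"},
    {"host": "WS02", "ts": 1, "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\CCM\CcmExec.exe",
     "cmdline": r"msiexec.exe /i C:\Windows\ccmcache\a1\pdq-connect.msi /qn"},
    {"host": "WS02", "ts": 2, "image": r"C:\Program Files\PDQ Connect\pdq-connect-agent.exe",
     "parent": r"C:\Windows\System32\msiexec.exe", "cmdline": "pdq-connect-agent.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` yields one MSI-delivered finding and one chained-RMM finding for WS01 and nothing for WS02.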
Other phishing emails from the threat actor targeted a U.S.-based academic, seeking assistance in investigating the IRGC, and another individual in early August 2025, soliciting collaboration on researching “Iran’s Expanding Role in Latin America and U.S. Policy Implications.”
Implications and Strategic Objectives
Proofpoint’s analysis suggests that these campaigns align with Iran’s intelligence collection priorities, focusing on Western policy analysis, academic research, and strategic technology. The operation hints at evolving cooperation between Iranian intelligence entities and cyber units, marking a shift in Iran’s espionage ecosystem.
The emergence of UNK_SmudgedSerpent underscores the dynamic nature of cyber threats and the importance of vigilance among policy experts and academics. By leveraging sophisticated social engineering tactics and advanced malware deployment strategies, this group exemplifies the evolving landscape of state-sponsored cyber espionage.