A never-before-seen threat activity cluster codenamed UNK_SmudgedSerpent has been attributed as behind a set of cyber attacks targeting academics and foreign policy experts between June and August 2025, coinciding with heightened geopolitical tensions between Iran and Israel.
“UNK_SmudgedSerpent leveraged domestic political lures, including societal change in Iran and investigation into the militarization of the Islamic Revolutionary Guard Corps (IRGC),” Proofpoint security researcher Saher Naumaan said in a new report shared with The Hacker News.
The enterprise security company said the campaign shares tactical similarities with that of prior attacks mounted by Iranian cyber espionage groups like TA455 (aka Smoke Sandstorm or UNC1549), TA453 (aka Mint Sandstorm or Charming Kitten), and TA450 (aka MuddyWater or Mango Sandstorm).
The email messages bear all hallmarks of a classic Charming Kitten attack, with the threat actors reeling in prospective targets by engaging with them in benign conversations before attempting to phish for their credentials.
In some cases, the emails have been found to contain malicious URLs to trick victims into downloading an MSI installer that, while masquerading as Microsoft Teams, ultimately deploys legitimate Remote Monitoring and Management (RMM) software like PDQ Connect, a tactic often embraced by MuddyWater.
Proofpoint said the digital missives have also impersonated prominent U.S. foreign policy figures associated with think tanks like Brookings Institution and Washington Institute to lend them a veneer of legitimacy and increase the likelihood of success of the attack.
Targets of these efforts are over 20 subject matter experts of a U.S.-based think tank who focus on Iran-related policy matters. In at least one case, the threat actor, upon receiving a response, is said to have insisted on verifying the identity of the target and the authenticity of the email address before proceeding further for any collaboration.
“I am reaching out to confirm whether a recent email expressing interest in our institute’s research project was indeed sent by you,” read the email. “The message was received from an address that does not appear to be your primary email, and I wanted to ensure the authenticity before proceeding further.”
Subsequently, the attackers sent a link to certain documents that they claimed would be discussed in an upcoming meeting. Clicking the link, however, takes the victim to a bogus landing page that’s designed to harvest their Microsoft account credentials.
In another variant of the infection chain, the URL mimics a Microsoft Teams login page along with a “Join now” button. However, the follow-on stages activated after clicking the supposed meeting button are unclear at this stage.
Proofpoint noted that the adversary removed the password requirement on the credential harvesting page after the target “communicated suspicions,” instead directly taking them to a spoofed OnlyOffice login page hosted on “thebesthomehealth[.]com.”
“UNK_SmudgedSerpent’s reference to OnlyOffice URLs and health-themed domains is reminiscent of TA455 activity,” Naumaan said. “TA455 began registering health-related domains at least since October 2024 following a consistent stream of domains with aerospace interest, with OnlyOffice becoming popular to host files more recently in June 2025.”
Hosted on the counterfeit OnlyOffice site is a ZIP archive containing an MSI installer that, in turn, launches PDQ Connect. The other documents, per the company, are assessed to be decoys.
There is evidence to suggest that UNK_SmudgedSerpent engaged in possible hands-on-keyboard activity to install additional RMM tools like ISL Online through PDQ Connect. The reason behind the sequential deployment of two distinct RMM programs is not known.
Other phishing emails sent by the threat actor have targeted a U.S.-based academic, seeking assistance in investigating the IRGC, as well as another individual in early August 2025, soliciting a potential collaboration on researching “Iran’s Expanding Role in Latin America and U.S. Policy Implications.”
“The campaigns align with Iran’s intelligence collection, focusing on Western policy analysis, academic research, and strategic technology,” Proofpoint said. “The operation hints at evolving cooperation between Iranian intelligence entities and cyber units, marking a shift in Iran’s espionage ecosystem.”
