A previously unknown cyber actor targeting academics and foreign policy experts between June and August 2025 has been identified as UNK_SmudgedSerpent by cybersecurity researchers.
According to an advisory published by Proofpoint today, the group targeted individuals focused on Iran and global political developments, initiating contact through seemingly harmless conversations before attempting to steal credentials and deliver malware.
This activity combined techniques typically seen across multiple Iranian-linked threat groups, yet did not align cleanly with any single one. Proofpoint said the cluster shares traits with TA453, TA455 and TA450, but the overlaps are not strong enough for definitive attribution.
Multi-stage Lure and Delivery Chain
Investigators first observed an email discussing economic strains and unrest in Iran in June, sent to more than 20 think tank experts in the US.
After replies, attackers escalated the conversation and introduced spoofed collaboration materials via an OnlyOffice-styled link. The URL ultimately led to health-themed domains that collected credentials and delivered a ZIP file containing an MSI used to load remote monitoring and management (RMM) tools.
Those tools included PDQConnect and later ISL Online – a sequence researchers found unusual in nation-state operations.
Read more on Iranian cyber operations: Iranian Hacking Group Nimbus Manticore Expands European Targeting
Early messages impersonated Brookings Institution vice president Suzanne Maloney, using a slightly misspelled Gmail account. Later waves spoofed policy expert Patrick Clawson, targeting an academic believed to be Israeli, then returning in August with lures tied to Iran’s activities in Latin America.
Key tactics used by UNK_SmudgedSerpent included:
-
Benign conversation starters
-
Think tank and policy-themed impersonation
-
OnlyOffice and Microsoft 365 spoofs
-
Health-related infrastructure
-
Deployment of RMM tools
Activity Paused but Concerns Persist
Though the group’s timing aligned with heightened Iran–Israel tensions, Proofpoint found no direct connection to those events.
Instead, researchers suggested possible explanations for the tactical overlap, ranging from shared infrastructure procurement to personnel movement between Iranian contracting outfits. The blending of lure styles, infrastructure and malware across known clusters further complicates attribution.
“The appearance of a new actor with borrowed techniques suggests there may be personnel mobility or exchange between teams, but with a consistent remit; however, there is no confirmed attribution for UNK_SmudgedSerpent at the time of writing,” Proofpoint said.
“The TTPs and infrastructure are an extension of previously observed behavior from Iranian threat groups, and the targeting of Iran foreign policy experts continues to reflect the Iranian government’s intelligence collection priorities.”
UNK_SmudgedSerpent activity stopped appearing in email telemetry in early August. Yet, infrastructure tied to the group later surfaced, hosting TA455-linked malware, indicating continued overlap and the possibility of ongoing operations.
