In mid-2025, security researchers at Proofpoint began tracking a new and previously unidentified espionage campaign targeting academics and foreign policy experts.
The threat actor, designated UNK_SmudgedSerpent, used highly targeted phishing techniques and credential theft operations designed to gather intelligence related to Iranian political and military developments.
The group’s tactics closely mirrored those of known Iranian state-aligned actors such as TA453 (Charming Kitten), TA455 (Smoke Sandstorm), and TA450 (MuddyWater) — but with enough variations to make definitive attribution uncertain.
Emergence of UNK_SmudgedSerpent
Between June and August 2025, Proofpoint identified multiple phishing campaigns originating from this actor.
The first campaign began with benign emails discussing Iran’s internal politics and economic uncertainty, sent to researchers and analysts in the United States.
The messages often impersonated well-known figures from reputable think tanks such as the Brookings Institution, including a spoofed persona of Dr. Suzanne Maloney, a prominent Iran policy expert.
These initial messages sought to establish credibility and rapport before introducing malicious links disguised as collaboration materials.
When recipients responded, the attackers continued the conversation, later sending URLs that appeared to host legitimate documents through platforms like OnlyOffice or Microsoft Teams.
Instead, the links redirected victims to health-themed attacker-controlled domains such as thebesthomehealth[.]com and mosaichealthsolutions[.]com, where customized credential harvesting pages awaited.
A Subtle Start to a Sophisticated Attack
The infection chain began innocuously — with a benign email — then progressed to credential theft and, in some cases, malware deployment.
Proofpoint researchers observed that UNK_SmudgedSerpent’s operational style combined elements of several Iranian threat groups.
The group’s infrastructure included spoofed login portals, health- and recruitment-themed domains, and the use of Remote Monitoring & Management (RMM) tools such as PDQConnect and ISL Online.
While the use of legitimate RMM software for persistence and lateral movement is not unique to this actor, it is relatively uncommon in state-sponsored campaigns.
The same technique has been previously associated with TA450, which often uses such tools for covert access and data collection.
Likewise, the OnlyOffice spoofing technique mirrored TA455 operations, and the use of benign conversation starters resembled TA453’s social engineering tactics.
Proofpoint’s timeline revealed that UNK_SmudgedSerpent activity was topical, focusing on regional developments such as Iran’s domestic unrest and foreign policy activities in Latin America.
Later campaigns involved impersonations of Patrick Clawson from the Washington Institute, suggesting an evolving social engineering strategy and continued attempts to target U.S.-based experts.
Blurring the Lines of Iranian Cyber Ops
Despite extensive overlap in tactics, techniques, and procedures (TTPs) with established Iranian groups, Proofpoint could not confidently attribute UNK_SmudgedSerpent to any single actor.
Analysts proposed several hypotheses to explain the convergence of techniques, including shared resources between contracting companies, personnel movement among teams, or even institutional collaboration between Iran’s Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS).
These overlaps reflect the broader complexity of Iran’s cyber-espionage ecosystem, where multiple groups operate semi-independently but may draw from common infrastructure or developer pools.
This ambiguity makes it difficult for defenders to distinguish between distinct operations or determine when a campaign represents a new actor versus an evolution of an existing one.
The discovery of UNK_SmudgedSerpent highlights the continuing sophistication of Iranian cyber operations and their persistent focus on intelligence collection targeting Western policy institutions.
The campaign’s use of legitimate cloud services, customized login pages, and social engineering demonstrates how threat actors exploit trust and familiarity to bypass traditional defenses.
Layered Defense Against Phishing
Defending against modern phishing and credential-theft campaigns requires layered, proactive controls that go beyond just user awareness.
- Implement strong email authentication: Use DMARC, SPF, and DKIM to detect and block spoofed sender domains.
- Deploy advanced email and web filtering: Use sandboxing and threat detection tools to identify malicious URLs and attachments before delivery.
- Adopt phishing-resistant authentication: Employ multi-factor authentication (MFA) and hardware security keys to prevent credential theft from leading to compromise.
- Monitor for anomalous behavior: Use User and Entity Behavior Analytics (UEBA) and endpoint detection tools to identify suspicious logins or RMM tool deployments.
- Conduct regular phishing simulations and awareness training: Educate employees on identifying impersonation tactics, unexpected meeting invites, and unfamiliar login portals.
- Restrict and audit third-party software use: Limit access to remote management tools and enforce strict logging and alerting for administrative activity.
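As an added illustration of the "monitor for RMM tool deployments" and "restrict and audit third-party software" controls above (example code written for this article, not Proofpoint's or any vendor's), the following Python detector flags process-creation events that launch an RMM agent on hosts that are not on an IT allowlist. The executable-name patterns for PDQ Connect and ISL Online, the host allowlist and the log lines are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumed name fragments for the RMM products the article names; a real
# deployment should use the vendor's documented binary names and signers.
RMM_PATTERNS = {
    "PDQ Connect": re.compile(r"pdq[-_ ]?connect", re.IGNORECASE),
    "ISL Online": re.compile(r"isl[-_ ]?(online|light|alwayson)", re.IGNORECASE),
}

# Hosts on which IT legitimately runs a given RMM agent (assumed allowlist).
APPROVED_RMM_HOSTS = {"it-admin-01": {"PDQ Connect"}}


@dataclass
class Finding:
    host: str
    user: str
    product: str
    image: str


def parse_event(line):
    """Parse a constructed key="value" endpoint log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def detect_rmm(lines):
    """Return a Finding for every RMM agent launch on a non-allowlisted host."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") != "process_create":
            continue
        image = ev.get("image", "")
        for product, pattern in RMM_PATTERNS.items():
            if pattern.search(image) and product not in APPROVED_RMM_HOSTS.get(ev.get("host", ""), set()):
                findings.append(Finding(ev.get("host", ""), ev.get("user", ""), product, image))
    return findings


# Constructed sample events: one approved admin install, one user-profile
# install of an ISL client, one benign process, one non-process event.
SAMPLE_LOG = [
    'event="process_create" host="it-admin-01" user="svc_pdq" image="C:\\Program Files\\PDQ\\pdq-connect-agent.exe"',
    'event="process_create" host="analyst-lt-07" user="jdoe" image="C:\\Users\\jdoe\\Downloads\\ISLOnline\\ISL Light Client.exe"',
    'event="process_create" host="analyst-lt-07" user="jdoe" image="C:\\Windows\\System32\\notepad.exe"',
    'event="network_connect" host="analyst-lt-07" user="jdoe" image="C:\\Users\\jdoe\\Downloads\\ISLOnline\\ISL Light Client.exe"',
]

if __name__ == "__main__":
    for f in detect_rmm(SAMPLE_LOG):
        print(f"ALERT unapproved RMM: {f.product} on {f.host} by {f.user} ({f.image})")
```

Only the ISL client launched from a user's Downloads folder is reported; the allowlisted admin host and the benign process are ignored.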
By combining these measures, organizations can create a resilient defense that limits attacker movement and reduces the impact of social engineering campaigns.
The UNK_SmudgedSerpent campaign highlights that true cybersecurity relies on continuous adaptation, collaboration, and shared intelligence rather than just technology alone.
Building on that foundation, adopting a zero-trust architecture ensures stronger cyber resilience by verifying every connection, limiting lateral movement, and minimizing the impact of inevitable breaches.
