A sophisticated, previously unobserved cyber threat actor, which researchers have designated UNK_SmudgedSerpent, has been tied to a series of targeted attacks against academics and foreign policy experts. These incursions took place over the summer months, specifically between June and August 2025, a timeframe that directly overlapped with escalated geopolitical tensions between the nations of Iran and Israel. This timing suggests a highly motivated and contextually aware operation, focusing on individuals likely possessing sensitive knowledge or influence in this volatile region.
The core strategy of UNK_SmudgedSerpent involved leveraging highly specific and emotionally charged domestic political issues to ensnare their targets. According to a new report from security firm Proofpoint, the threat actors employed lures related to major events like societal change in Iran and ongoing investigations into the militarization of the Islamic Revolutionary Guard Corps (IRGC). This tactical use of relevant, high-interest themes significantly increases the probability that targets will engage with the malicious communications, making the campaigns particularly effective within this specialized victim pool.
Proofpoint’s analysis reveals that this new cluster of activity bears striking tactical similarities to prior operations executed by several established Iranian cyber espionage groups. Specifically, the techniques mirror those used by groups known as TA455 (Smoke Sandstorm), TA453 (Charming Kitten), and TA450 (MuddyWater). This overlap suggests that UNK_SmudgedSerpent may be a newly formed unit, a splinter group, or an operation utilizing the collective toolset and playbook of these prominent state-affiliated actors.
A significant portion of the email attacks exhibited all the classic traits associated with Charming Kitten. In these instances, the threat actors would initiate seemingly benign, prolonged conversations with prospective victims, a technique known as “reeling in,” to establish trust before launching the actual phishing attempt. Once trust was gained, the final stage of the attack was initiated, aiming to trick the target into surrendering their sensitive login credentials.
Furthermore, in some attack variations, the messages contained malicious URLs designed to get recipients to download a file masquerading as a legitimate Microsoft Teams installer. This file was in fact an MSI installer that delivered legitimate yet potent Remote Monitoring and Management (RMM) software, such as PDQ Connect. Weaponizing legitimate IT tools in this way is a favored tactic frequently observed in MuddyWater operations. The attackers reinforced the lure by impersonating high-profile U.S. foreign policy figures from influential think tanks such as the Brookings Institution, boosting the perceived legitimacy and ultimate success of the phishing campaign.
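The delivery chain above (a lure named after Microsoft Teams that actually installs an RMM agent) leaves a simple signal for defenders: the installer filename and the product the MSI registers do not agree, and the install originates from a user-writable path. The following is an added detection example, not code from Proofpoint or the report; the log format, field order and product strings are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    user: str
    path: str
    product: str
    reasons: list = field(default_factory=list)

# Constructed sample events (not real telemetry), loosely shaped like the fields an
# MSI install event exposes: "installing user | installer path | product name".
SAMPLE_EVENTS = [
    "alice | C:\\Users\\alice\\Downloads\\MSTeamsSetup.msi | PDQ Connect Agent",
    "bob | C:\\Users\\bob\\AppData\\Local\\Temp\\Teams_windows_x64.msi | PDQ Connect Agent",
    "carol | C:\\ProgramData\\Deploy\\PDQConnectAgent.msi | PDQ Connect Agent",
    "dave | C:\\Users\\dave\\Downloads\\Teams_windows_x64.msi | Microsoft Teams",
]

# Assumed watch-list: the page names PDQ Connect; add the RMM products seen in your estate.
RMM_PRODUCTS = ("pdq connect",)
# Product names the lure borrows (the page's Teams-branded installer).
LURE_NAMES = ("teams",)
# Path fragments that mark a user-writable location rather than a managed deployment share.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\")

def parse_event(line):
    user, path, product = (f.strip() for f in line.split("|", 2))
    return user, path, product

def assess(line):
    """Return a Finding when an RMM install looks lure-delivered, else None."""
    user, path, product = parse_event(line)
    prod, fname = product.lower(), path.lower().rsplit("\\", 1)[-1]
    if not any(r in prod for r in RMM_PRODUCTS):
        return None  # only RMM installs are in scope for this check
    reasons = []
    # Filename claims one product while the MSI registers another.
    if any(n in fname for n in LURE_NAMES) and not any(n in prod for n in LURE_NAMES):
        reasons.append("installer filename names a different product than the MSI installs")
    # Managed RMM rollouts come from deployment shares, not Downloads or Temp.
    if any(seg in path.lower() for seg in USER_WRITABLE):
        reasons.append("RMM agent installed from a user-writable path")
    return Finding(user, path, product, reasons) if reasons else None

def scan(lines):
    return [f for f in (assess(l) for l in lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.user, f.path, f.product, "; ".join(f.reasons))
```

Carol's event is left alone because it matches an ordinary managed rollout, which is why an RMM product name on its own should not be the only trigger.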