A previously undocumented threat cluster, dubbed “UNK_SmudgedSerpent,” has been linked to a wave of sophisticated phishing and credential theft campaigns aimed at academics and foreign policy experts between June and August 2025, according to a new report from Proofpoint.
The attacks coincide with escalating geopolitical tensions between Iran and Israel and appear designed to compromise individuals focused on Iranian domestic and foreign policy issues.
Proofpoint researchers said UNK_SmudgedSerpent used politically charged lures, referencing “societal change in Iran” and the “militarization of the Islamic Revolutionary Guard Corps (IRGC),” to entice victims. The campaign’s tactics, techniques, and procedures (TTPs) bear strong resemblance to known Iranian cyber espionage groups, including TA455 (Smoke Sandstorm), TA453 (Charming Kitten), and TA450 (MuddyWater).
Much like Charming Kitten’s previous operations, the attackers initiated benign email exchanges to build trust before delivering phishing links. The links led victims to download malicious MSI installers disguised as legitimate software such as Microsoft Teams; these installers ultimately deployed Remote Monitoring and Management (RMM) tools like PDQ Connect, a tactic associated with MuddyWater activity.
In several cases, the adversaries impersonated US foreign policy figures from respected think tanks. Over 20 US-based Iran policy experts were targeted, Proofpoint said.
Victims were directed to spoofed Microsoft or OnlyOffice login pages designed to steal credentials. Proofpoint noted that the attackers dynamically altered the phishing infrastructure by removing password prompts and redirecting suspicious targets to fake OnlyOffice pages hosted on health-themed domains.
The tactics resemble those used by TA455, which began using health-related domains and OnlyOffice-themed lures in late 2024. Some infections also revealed hands-on-keyboard activity, in which attackers manually installed additional RMM tools such as ISL Online via PDQ Connect, though the purpose of using multiple RMM programs remains unclear.
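The chain described above (a user-launched MSI posing as Microsoft Teams, followed by one RMM agent and then a second one installed through it) is the kind of sequence a detection engineer can correlate in process-creation telemetry. The following is an added example, not code from Proofpoint or from the report: it walks constructed log lines in a made-up format and flags hosts where an msiexec run of a Teams-named package from a user-writable path is followed, within a time window, by processes that mention PDQ Connect or ISL Online. The log format, the substring markers used to recognise the RMM agents, and the file paths are all assumptions for illustration, not vendor-confirmed binary names or paths.

```python
"""Added example (not from the Proofpoint report): correlate a suspicious
Teams-named MSI install with later RMM agent activity on the same host.
Log format, RMM markers and paths are constructed assumptions."""
from dataclasses import dataclass
import re

# Assumption: substrings that identify the RMM agents in image path or command
# line. Real agent binary names may differ; adjust to your own inventory.
RMM_MARKERS = {
    "pdqconnect": "PDQ Connect",
    "pdq-connect": "PDQ Connect",
    "islonline": "ISL Online",
}

# A package launched from Downloads or AppData rather than a managed deploy share
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\", re.I)


@dataclass
class Event:
    ts: int        # seconds, constructed monotonic timestamp
    host: str
    user: str
    image: str     # process image path (no spaces in this toy format)
    cmdline: str


def parse_line(line):
    """Parse one constructed line: '<ts> host=<h> user=<u> image=<p> cmd=<...>'."""
    m = re.match(r"(\d+) host=(\S+) user=(\S+) image=(\S+) cmd=(.*)", line)
    if not m:
        return None
    ts, host, user, image, cmd = m.groups()
    return Event(int(ts), host, user, image, cmd)


def is_suspicious_msi(ev):
    """msiexec installing a .msi whose name mentions Teams from a user-writable path."""
    cmd = ev.cmdline.lower()
    return (ev.image.lower().endswith("msiexec.exe")
            and ".msi" in cmd
            and "teams" in cmd
            and USER_WRITABLE.search(ev.cmdline) is not None)


def rmm_name(ev):
    """Return the RMM product name if the event looks like one of the agents."""
    blob = (ev.image + " " + ev.cmdline).lower()
    for marker, name in RMM_MARKERS.items():
        if marker in blob:
            return name
    return None


def find_chains(lines, window=3600):
    """Return findings: suspicious MSI events followed by RMM activity on the same host."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(events):
        if not is_suspicious_msi(ev):
            continue
        rmms = []
        for later in events[i + 1:]:
            if later.host != ev.host or later.ts - ev.ts > window:
                continue
            name = rmm_name(later)
            if name and name not in rmms:
                rmms.append(name)   # keeps order: first agent, then the one it installed
        if rmms:
            findings.append({"host": ev.host, "user": ev.user,
                             "msi_ts": ev.ts, "rmm": rmms})
    return findings


# Constructed sample telemetry: ws01 shows the chain, ws02 is a managed deployment
# from a non-user path, ws03 has an RMM agent but no preceding suspicious MSI.
SAMPLE_LOGS = [
    "1000 host=ws01 user=analyst image=C:\\Windows\\System32\\msiexec.exe cmd=msiexec /i C:\\Users\\analyst\\Downloads\\Teams_Setup.msi /qn",
    "1030 host=ws01 user=analyst image=C:\\ProgramData\\PDQConnect\\agent.exe cmd=agent.exe --register",
    "1100 host=ws02 user=admin image=C:\\Windows\\System32\\msiexec.exe cmd=msiexec /i C:\\Deploy\\Teams_x64.msi /qn",
    "1200 host=ws02 user=admin image=C:\\Windows\\explorer.exe cmd=explorer.exe",
    "1800 host=ws01 user=analyst image=C:\\ProgramData\\ISLOnline\\ISLLight.exe cmd=ISLLight.exe --connect",
    "9999 host=ws03 user=svc image=C:\\ProgramData\\PDQConnect\\agent.exe cmd=agent.exe",
]

if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOGS):
        print(f"{f['host']} ({f['user']}): Teams-named MSI at t={f['msi_ts']} followed by {', '.join(f['rmm'])}")
```

Only ws01 is reported, with both agents in the order they appeared; the managed install on ws02 and the lone agent on ws03 are ignored. In a real environment the markers should be replaced with the agent names from your own software inventory, and a legitimate, documented RMM deployment should be allow-listed by path or signer rather than by name.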
