Proofpoint researchers uncovered a new Iran-linked threat cluster, dubbed UNK_SmudgedSerpent, that conducted espionage-themed phishing operations targeting academics and foreign policy experts between June and August 2025.
The campaigns used social engineering tactics, spoofed collaboration tools, and legitimate remote monitoring software to infiltrate targets focused on Iranian domestic and geopolitical issues.
A Hybrid of Known Iranian Tactics
Proofpoint initially observed the group launching benign email conversations about societal change and political unrest in Iran, later expanding to deliver credential-harvesting links and remote administrative payloads.
The activity overlapped with several known Iranian groups, including TA453 (Charming Kitten/Mint Sandstorm), TA455 (C5 Agent/Smoke Sandstorm), and TA450 (MuddyWater/Mango Sandstorm).
In one campaign, the actor impersonated Suzanne Maloney, a Brookings Institution director, using Gmail accounts to contact over 20 think tank members.
The email thread progressed from benign outreach to a spoofed OnlyOffice collaboration invite that led to a fake Microsoft 365 login page hosted on attacker-operated health-themed domains such as thebesthomehealth[.]com and mosaichealthsolutions[.]com.
The malicious link reappeared across multiple variants, including a Microsoft Teams spoof, to harvest credentials. After targets flagged suspicious activity, the attackers shifted delivery methods, eventually hosting decoy PDFs and MSI payloads on the exact domains.
The MSI installer ran PDQConnect, a legitimate remote management tool, enabling hands-on keyboard access and second-stage deployment of ISL Online, an additional RMM utility.
The use of commercial RMM software for persistence mirrored TA450’s operational style, though the overlapping infrastructure and techniques complicated attribution.
Infrastructure Blends TA455 and TA450 Elements
Further infrastructure analysis identified additional domains, healthcrescent[.]com and ebixcareers[.]com, that share configurations with TA455 assets.
Some of these domains hosted fake recruitment portals that distributed archives containing TA455-linked malware, including MiniJunk, a variant of the MiniBike backdoor. Other payloads, such as “Interview time.msi,” installed PDQConnect, echoing UNK_SmudgedSerpent’s prior infection chain.
This convergence of infrastructure and malware suggested shared development resources or overlapping contractors within Iran’s cyber ecosystem.
Proofpoint hypothesized several possible explanations, including centralized procurement of infrastructure, personnel rotation between threat units, or parallel contracting arrangements across different Iranian intelligence entities such as the IRGC and MOIS.
Although no new campaigns have been observed since August 2025, Proofpoint continues to track UNK_SmudgedSerpent separately from established Iranian APTs.
The group’s focus on academic and policy circles and use of legitimate tools highlight an evolving operational model that blends espionage tradecraft with commercial software to evade detection and maintain long-term access.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
.png?resize=1068,580&ssl=1&description=Iranian APT targeting academics - Proofpoint researchers uncovered a new Iran-linked threat cluster, dubbed UNK_SmudgedSerpent, that conducted){kind=link}