Security researchers uncover “UNK_SmudgedSerpent,” a sophisticated phishing operation mirroring tactics used by Tehran’s known cyber units
A newly identified cyber espionage operation linked to the Iranian regime has targeted academics and foreign policy experts focusing on Iran between June and August 2025, according to a new report by cybersecurity firm Proofpoint.
The threat cluster, codenamed UNK_SmudgedSerpent, has been described as an advanced and previously unseen campaign that coincides with heightened geopolitical tensions between Iran and Israel. Researchers say the operation used social engineering and phishing tactics to gain access to the credentials of experts engaged in research on Iran and its regional activities.
According to Saher Naumaan, a senior threat researcher at Proofpoint, the attackers “leveraged domestic political themes,” including discussions about social change in Iran and investigations into the militarization of the Islamic Revolutionary Guard Corps (IRGC). These lures were designed to appear credible to specialists on Iranian affairs, thereby increasing the likelihood of engagement.
Mimicking Prominent U.S. Institutions
Proofpoint’s analysis shows that the campaign shares notable similarities with operations previously conducted by Iranian espionage groups such as TA455 (Smoke Sandstorm/UNC1549), TA453 (Charming Kitten), and TA450 (MuddyWater)—all of which have ties to Tehran’s intelligence apparatus.
The emails used in the attacks often imitated well-known U.S. think tanks, including the Brookings Institution and the Washington Institute, to gain the trust of recipients. The threat actors posed as respected foreign policy experts, initiating benign email exchanges before attempting to lure targets into credential theft schemes.
In some cases, victims were tricked into downloading an MSI installer disguised as Microsoft Teams, which instead installed legitimate remote monitoring software such as PDQ Connect—a method long favored by the MuddyWater group.
Deceptive Tactics and Multi-Stage Infiltration
Once contact was established, attackers sent links to supposed research documents or meeting materials. These links led to fake login pages imitating Microsoft or OnlyOffice platforms, designed to steal Microsoft account credentials.
Proofpoint investigators found that after one target expressed suspicion, the attackers quickly modified their phishing page to bypass password prompts, directing the victim instead to a counterfeit OnlyOffice login hosted on a domain resembling a healthcare service — a recurring pattern seen in Iranian cyber operations.
The fake site contained a ZIP archive with an MSI installer launching PDQ Connect, potentially allowing the attackers remote access to compromised systems. In several cases, the attackers reportedly followed up by manually installing additional monitoring tools, including ISL Online, suggesting direct involvement by human operators.
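The chain described above, a Teams-named MSI that actually installs a legitimate RMM agent, is one a defender can watch for in Windows Installer logs. The following is an added detection example, not code from Proofpoint or the report: it reads MsiInstaller Event ID 1033 messages ("Windows Installer installed the product ...", whose layout is real, though every sample message here is constructed), flags installs of RMM products such as PDQ Connect or ISL Online, and correlates each with the msiexec command line that launched it (from a Sysmon process-creation event) so an agent arriving from a file named like Teams is ranked above a routine RMM install. The host names, times, version strings, product lists and allowlist parameter are all assumptions.

```python
"""Flag Windows Installer (MsiInstaller) events that install remote-monitoring
(RMM) tools and correlate them with the msiexec command line that launched the
install, so a PDQ Connect agent arriving from a file named like Teams stands
out. All sample events in this file are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# RMM products named in the report (PDQ Connect, ISL Online) plus a few other
# common ones; matched case-insensitively as substrings of the Product Name.
RMM_PRODUCTS = ("pdq connect", "isl online", "anydesk", "teamviewer", "atera")

# File-name fragments suggesting an .msi is posing as a different product.
IMPERSONATION_HINTS = ("teams", "zoom", "onlyoffice", "office", "adobe")

# Message layout of MsiInstaller Event ID 1033; the sample messages below
# follow this layout but their values are made up.
_MSI_1033 = re.compile(
    r"Windows Installer installed the product\. Product Name: (?P<product>.+?)\. "
    r"Product Version: (?P<version>.+?)\. Product Language: \d+\. "
    r"Manufacturer: (?P<vendor>.+?)\. Installation success or error status: "
    r"(?P<status>\d+)\."
)
# Extracts the .msi path from an msiexec command line (quoted or not).
_MSI_PATH = re.compile(r'(?P<path>[^"\s]+\.msi)\b', re.IGNORECASE)


@dataclass
class Alert:
    host: str
    product: str
    vendor: str
    installer: Optional[str]  # .msi path from the correlated msiexec launch
    severity: str
    reason: str


def _basename(path: str) -> str:
    # Handles Windows paths even when this runs on a non-Windows analysis box.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def flag_rmm_installs(events, allowlist=(), window_seconds=300) -> List[Alert]:
    """events: dicts with host, time (ISO 8601), source, event_id and either
    command_line (Sysmon EID 1) or message (MsiInstaller EID 1033).
    allowlist: product names the organisation deploys on purpose (assumed)."""
    allowed = {p.lower() for p in allowlist}

    # Index msiexec launches so each install can be tied to its .msi file.
    launches = []  # (host, launch time, msi path)
    for e in events:
        if e["source"] == "Sysmon" and e["event_id"] == 1:
            cmd = e["command_line"]
            m = _MSI_PATH.search(cmd)
            if "msiexec" in cmd.lower() and m:
                launches.append((e["host"], datetime.fromisoformat(e["time"]), m.group("path")))

    alerts = []
    for e in events:
        if not (e["source"] == "MsiInstaller" and e["event_id"] == 1033):
            continue
        m = _MSI_1033.search(e["message"])
        if not m or m.group("status") != "0":
            continue  # unparsable line or a failed install
        product = m.group("product")
        if product.lower() in allowed or not any(r in product.lower() for r in RMM_PRODUCTS):
            continue
        t = datetime.fromisoformat(e["time"])
        installer = None
        for host, launched, path in launches:
            if host == e["host"] and timedelta(0) <= t - launched <= timedelta(seconds=window_seconds):
                installer = path
        if installer and any(h in _basename(installer).lower() for h in IMPERSONATION_HINTS):
            severity = "high"
            reason = f"installed from '{_basename(installer)}', a file name that imitates another product"
        elif installer:
            severity = "medium"
            reason = f"installed from user-launched '{_basename(installer)}'"
        else:
            severity = "medium"
            reason = "RMM tool installed; no msiexec launch found in the correlation window"
        alerts.append(Alert(e["host"], product, m.group("vendor"), installer, severity, reason))
    return alerts


# Constructed sample events: a Teams-named MSI followed by a PDQ Connect install,
# a later ISL Online install with no launch nearby, and a genuine Teams install.
SAMPLE_EVENTS = [
    {"host": "WS-ANALYST-07", "time": "2025-08-04T09:12:03", "source": "Sysmon", "event_id": 1,
     "command_line": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\analyst\Downloads\MSTeams-x64.msi" /qn'},
    {"host": "WS-ANALYST-07", "time": "2025-08-04T09:12:41", "source": "MsiInstaller", "event_id": 1033,
     "message": "Windows Installer installed the product. Product Name: PDQ Connect Agent. "
                "Product Version: 1.0.0. Product Language: 1033. Manufacturer: PDQ.com. "
                "Installation success or error status: 0."},
    {"host": "WS-ANALYST-07", "time": "2025-08-04T11:30:15", "source": "MsiInstaller", "event_id": 1033,
     "message": "Windows Installer installed the product. Product Name: ISL Online Client. "
                "Product Version: 4.4.0. Product Language: 1033. Manufacturer: ISL Online. "
                "Installation success or error status: 0."},
    {"host": "WS-ANALYST-07", "time": "2025-08-04T08:00:00", "source": "MsiInstaller", "event_id": 1033,
     "message": "Windows Installer installed the product. Product Name: Microsoft Teams. "
                "Product Version: 1.7.0. Product Language: 1033. Manufacturer: Microsoft Corporation. "
                "Installation success or error status: 0."},
]

if __name__ == "__main__":
    for a in flag_rmm_installs(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host}: {a.product} ({a.vendor}) {a.reason}")
```

On the constructed events this yields two alerts: a high-severity one for the PDQ Connect agent launched from MSTeams-x64.msi, and a medium one for the ISL Online client, which matches the report's note that the follow-on tool was installed by hand rather than through the same lure. The five-minute correlation window and the product lists are starting points to tune against the RMM tools an organisation actually sanctions.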
Focused Targeting of Iran Policy Researchers
The operation specifically targeted more than 20 subject matter experts affiliated with a U.S.-based think tank that focuses on Iranian foreign and security policy.
In one instance, an email purporting to be from a researcher claimed to be verifying the authenticity of a previous message before proposing a collaboration. The correspondence later led to the credential theft attempt. Another message, sent in early August 2025, sought assistance in researching “Iran’s expanding role in Latin America and U.S. policy implications.”
A Sign of Evolving Coordination Among Iranian Cyber Units
Proofpoint’s findings suggest that the campaign reflects an evolution in Iran’s intelligence operations, with greater coordination between traditional intelligence bodies and cyber espionage units.
“The campaigns align with Iran’s intelligence collection priorities, focusing on Western policy analysis, academic research, and strategic technologies,” Proofpoint stated. The company warned that such operations demonstrate a maturing ecosystem of Iranian cyber espionage, expanding both in technical capability and geopolitical focus.
Broader Context
The emergence of UNK_SmudgedSerpent comes at a time of intensified conflict between Iran and Israel, and amid growing international scrutiny of Tehran’s cyber operations. Western intelligence agencies have repeatedly warned that Iranian-linked groups are increasingly targeting researchers, journalists, and policymakers engaged in Middle East affairs.
Cybersecurity experts emphasize that the latest campaign marks a significant escalation in Tehran’s digital intelligence-gathering capabilities — a shift from broad, opportunistic phishing toward highly tailored, socially engineered attacks aimed at strategic policy circles.
Sources: Proofpoint, The Hacker News