Iran’s New Cyber Threat Blurs Attribution Lines


According to Infosecurity Magazine, cybersecurity researchers at Proofpoint identified a previously unknown threat actor called UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. The group specifically went after individuals focused on Iran and global political developments, initiating contact through seemingly harmless conversations before escalating to credential theft and malware delivery. Attackers sent emails discussing economic strains and unrest in Iran to more than 20 think tank experts in the US starting in June, then used spoofed collaboration materials via OnlyOffice-styled links. These ultimately led to health-themed domains that collected credentials and delivered ZIP files containing MSI installers used to load remote monitoring and management tools including PDQConnect and ISL Online. The activity stopped appearing in email telemetry in early August, though related infrastructure later resurfaced hosting malware from another Iranian group.


The Attribution Problem Gets Trickier

Here’s the thing that makes this group particularly interesting – they’re using a blend of techniques from multiple known Iranian threat clusters like TA453, TA455 and TA450, but don’t cleanly match any single one. Proofpoint’s researchers found the overlaps weren’t strong enough for definitive attribution, which is becoming more common with Iranian cyber operations. Basically, we’re seeing what looks like personnel movement between different Iranian contracting outfits, or maybe shared infrastructure procurement. The result? A new actor that borrows bits and pieces from established groups while consistently targeting experts on Iranian foreign policy. This blending of lure styles, infrastructure and malware across known clusters makes attribution incredibly challenging.

Social Engineering That Actually Works

The operational details here are worth noting because they show real sophistication in social engineering. UNK_SmudgedSerpent started with early messages impersonating Brookings Institution vice president Suzanne Maloney using a slightly misspelled Gmail account – subtle enough to fool busy academics. Later waves spoofed policy expert Patrick Clawson, specifically targeting an academic believed to be Israeli. And they didn’t just blast out phishing emails – they engaged in actual conversations, starting with discussions about economic strains in Iran before gradually introducing malicious links. That gradual escalation is what makes these campaigns effective. They’re building trust before pulling the trigger.

What This Means for Cybersecurity

So what does this tell us about the current state of nation-state cyber operations? First, the lines between different threat groups are getting increasingly blurry. When you can’t definitively say which Iranian team is behind an operation because they’re all borrowing from each other’s playbooks, attribution becomes more art than science. Second, the use of commercial remote monitoring and management tools like PDQConnect and ISL Online in nation-state operations is unusual but becoming more common. Why build custom malware when perfectly legitimate tools can give you the access you need? For defenders, that shifts the question from “is this binary malicious?” to “should this RMM agent be on this machine at all, and how did it get there?”
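As an added example (not from the article or from Proofpoint), here is a small hunting check over constructed, Sysmon-style process-creation records that looks for the delivery pattern described above: an MSI package run from a user-writable location such as an extracted ZIP, and any process tied to an RMM product the organization has not approved. The record fields, directory list and sample paths are assumptions for illustration, not indicators from the campaign.

```python
import re

# Product names the article reports being loaded via MSI; matching is a
# case-insensitive substring test, so both spaced and joined spellings are listed.
RMM_NAMES = ("pdq connect", "pdqconnect", "isl online", "islonline")

# User-writable locations where an extracted ZIP attachment typically lands (illustrative).
USER_DIR = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
# Path of the package passed to msiexec via /i or /package, quoted or not.
MSI_ARG = re.compile(r'(?:/i|/package)\s+"?([^"\s]+\.msi)', re.I)


def classify(event, approved=frozenset()):
    """Return a reason string if the process-creation event matches, else None."""
    image = event["image"].lower()
    cmd = event["command_line"].lower()
    # 1. msiexec installing a package from a user-writable directory.
    if image.endswith("\\msiexec.exe"):
        m = MSI_ARG.search(cmd)
        if m and USER_DIR.search(m.group(1)):
            return "msi_from_user_dir"
    # 2. Any process whose image or command line names an RMM product not on the allowlist.
    hit = next((n for n in RMM_NAMES if n in image or n in cmd), None)
    allow = {a.replace(" ", "").lower() for a in approved}
    if hit and hit.replace(" ", "") not in allow:
        return "unapproved_rmm"
    return None


def find_suspicious(events, approved=frozenset()):
    """Return (reason, image) pairs for every event that classify() flags."""
    hits = []
    for e in events:
        reason = classify(e, approved)
        if reason:
            hits.append((reason, e["image"]))
    return hits


# Constructed sample records (hypothetical paths; not real campaign artifacts).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\alice\Downloads\briefing_materials\agenda.msi" /qn'},
    {"image": r"C:\Program Files\PDQ Connect\PDQConnectAgent.exe",
     "command_line": r'"C:\Program Files\PDQ Connect\PDQConnectAgent.exe" --service'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Windows\ccmcache\a1\app.msi /qn"},
    {"image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for reason, image in find_suspicious(SAMPLE_EVENTS):
        print(f"{reason}: {image}")
```

Passing `approved={"PDQ Connect"}` suppresses the second hit, which is the distinction that matters: the same agent is benign on a machine where IT deployed it and suspicious on one where a downloaded MSI did.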

The Campaign Might Not Be Over

Just because the email activity stopped in early August doesn’t mean UNK_SmudgedSerpent is gone for good. Proofpoint noted that infrastructure tied to the group later surfaced hosting TA455-linked malware, indicating continued overlap and the possibility of ongoing operations. This pattern of disappearing from one vector only to reappear through another is classic Iranian tradecraft. The targeting aligns perfectly with Tehran’s intelligence collection priorities too – foreign policy experts who understand Iran’s strategic position. Look, we’ll probably see more of these blended-approach campaigns in the future. When attribution is this difficult and the techniques keep evolving, defenders need to focus less on who’s behind the attacks and more on protecting against the tactics themselves.
