Iran's Elusive "SmudgedSerpent" APT Phishes US Policy Wonks - Dark Reading
Dark Reading
Iran's Elusive "SmudgedSerpent" APT Phishes Influential US Policy Wonks
Iran is spying on American foreign policy influencers. But exactly which of its government's APTs is responsible remains a mystery.
Nate Nelson,Contributing Writer
November 5, 2025
4 Min Read
Iran has carried out highly targeted phishing attacks against prominent US think tanks this summer.
Have you ever wondered what the people who don't like you are saying about you? In that way alone, perhaps, you're rather like the Islamic Republic of Iran. Between June and August 2025, the Iranian government spied on American academics and foreign policy experts, hoping to gather strategic intelligence (or maybe just a little gossip).
It's not yet clear, though, exactly which threat actor did all of the snooping. Proofpoint has labeled the group "UNK_SmudgedSerpent" for now, because its tactics, techniques, and procedures (TTPs) overlap with most of Iran's major advanced persistent threats (APTs). The group went after the same targets as, and borrowed its approach to phishing from, TA453 (also known as Charming Kitten, Mint Sandstorm). On the other hand, it used infrastructure aligned with that of TA455 (Smoke Sandstorm). And, apart from TA450 (MuddyWater, Mango Sandstorm), it was the only Iranian threat actor known to deploy remote monitoring and management (RMM) software.
Iran Spying on US Policy Experts
Suzanne Maloney, vice president and director of the Foreign Policy program at the influential Brookings Institution, refers to herself as an "Iran junkie" in her X bio. UNK_SmudgedSerpent clearly did its homework to impersonate someone so central in US discourse around Iranian affairs.
In mid-June 2025, the group tried to impersonate Maloney using a slightly misspelled Gmail account and a diligently designed email signature. It sent emails to 20 other members of another US think tank, using the now-trite tactic of offering to collaborate on a project. In other later cases, the hackers spoofed economist and Middle East scholar Patrick Clawson, using lures much more directly referencing Iranian geopolitical affairs.
If it engaged a target, UNK_SmudgedSerpent would first vet them, and then send a malicious URL masquerading as a link to the open source (OSS) productivity platform OnlyOffice, or Microsoft Teams. Through a suspicious redirect, the link landed on a Microsoft 365 credential phishing page, with the victim's email and their employer's logo preloaded for authenticity.
In the attack chain Proofpoint observed, the victim expressed suspicion about the Microsoft portal, so UNK_SmudgedSerpent double dipped. It tried to get its victim to download decoy documents and a zip file, sold as being relevant to the fake collaboration initiative. The zip contained an installer for an RMM and, oddly, UNK_SmudgedSerpent then deployed a second RMM. The researchers had trouble explaining this bit. "It is possible UNK_SmudgedSerpent may have deployed RMM software as a throwaway option after the credential harvesting attempt didn’t succeed, and the threat actor became suspicious of Proofpoint’s investigation," the report stated.
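The first stage described above, a known contact's display name paired with a slightly misspelled free-mail address, is something a mail gateway or SIEM rule can flag before any link is clicked. The following is an added example, not Proofpoint's or the article's code; the contact directory, the free-mail domain list and the sender headers are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed directory of trusted external contacts: normalized display name -> legitimate address.
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@thinktank.example",  # placeholder, not a real address
}

# Constructed list of consumer mail domains a known institutional contact would not normally use.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

def levenshtein(a, b):
    """Plain edit distance; small values mean 'looks like a typo of'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name):
    return re.sub(r"[^a-z ]", "", name.lower()).strip()

def assess_sender(from_header):
    """Return (verdict, reason) for a raw From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    key = normalize(name)
    expected = KNOWN_CONTACTS.get(key)
    if expected is None or addr == expected:
        return ("ok", "no known-contact mismatch")
    local, _, domain = addr.partition("@")
    exp_local = expected.partition("@")[0]
    reasons = []
    if domain in FREEMAIL:
        reasons.append(f"known contact sending from free-mail domain {domain}")
    # Lookalike local part: a near-miss of the contact's name or legitimate local part.
    for cand in (key.replace(" ", "."), key.replace(" ", ""), exp_local):
        d = levenshtein(local, cand)
        if 0 < d <= 2:
            reasons.append(f"local part '{local}' within edit distance {d} of '{cand}'")
            break
    if reasons:
        return ("suspicious", "; ".join(reasons))
    return ("review", "display name matches known contact but address differs")
```

A "review" verdict is kept separate from "suspicious" because some contacts legitimately use a second address; the two lookalike signals are what distinguish the impersonation pattern in this campaign.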
The strangest thing of all, though, was how odd this whole picture looked against the backdrop of known Iranian threat activity. The researchers characterized stage one of the attack — the types of people UNK_SmudgedSerpent targeted, the tone of its phishing messages, the email provider it used, the fake Microsoft Teams link, and the goal of stealing credentials and dropping malware — as highly reminiscent of the group commonly known as Charming Kitten. But the OnlyOffice lure, and all of the infrastructure that supported the attack, looked a lot more like TA455's doing. To make matters more confusing, they noted that among all of Iran's government-aligned threat actors, only MuddyWater has been known to use RMMs.
Who is UNK_SmudgedSerpent — and Does it Matter?
Proofpoint came up with a few hypotheses regarding why UNK_SmudgedSerpent so stubbornly refuses to fit into one box. It could be, for example, that one or more cyber teams within Iran's government have dissolved, merged, or otherwise reorganized, and that members have carried over specialties with them.
Another explanation is there might be some centralized entity that helps multiple groups with their infrastructure or malware. Or, perhaps, there is an element of collaboration or exchange between the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence Services (MOIS) — the two agencies that house the government's cyber threat actors.
There are more possibilities still. Many of Iran's state hackers are trained in the same place, so it could be that outwardly different groups employ members with similar, fluid skill sets. Saher Naumaan, senior threat researcher at Proofpoint, says that "while facilitating organizations or contractors in Iran are often agency-specific, there are examples of academies or training organizations that serve both the IRGC and MOIS, meaning skills or techniques could be not only shared across teams but also across agencies."
For Naumaan, knowing exactly who's behind attacks like these isn't just academically interesting. It's central to an intelligence-driven approach to security and, less obviously, "attribution is relevant in a business sense for leaders and directors of organizations to justify the financial and resourcing investment into cybersecurity and threat intelligence. For a given company with a particular threat model, attackers will have targeted similar organizations in that sector or geography before and are likely to again, which provides evidence for the realistic threat the organization faces, what a potential compromise might look like, and actionable steps to prevent one."
She admits that "the impact [of attribution] is definitely difficult to quantify, but it's hard to defend against a threat you don't understand."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.