Iran is spying on American foreign policy influencers. But exactly which of its government's APTs is responsible remains a mystery.
November 5, 2025

Iran has carried out highly targeted phishing attacks against prominent US think tanks this summer.

Have you ever wondered what the people who don't like you are saying about you? In that way alone, perhaps, you're rather like the Islamic Republic of Iran. Between June and August 2025, the Iranian government spied on American academics and foreign policy experts, hoping to gather strategic intelligence (or maybe just a little gossip).

It's not yet clear, though, exactly which threat actor did all of the snooping. Proofpoint has labeled the group "UNK_SmudgedSerpent" for now, as its tactics, techniques, and procedures (TTPs) overlap with most of Iran's major advanced persistent threats (APTs). The group went after the same targets as, and borrowed its approach to phishing from, TA453 (also known as Charming Kitten, Mint Sandstorm). On the other hand, it used infrastructure aligned with that of TA455 (Smoke Sandstorm). And it was the only Iranian threat actor known to deploy remote monitoring and management (RMM) software, besides TA450 (MuddyWater, Mango Sandstorm).

Suzanne Maloney, vice president and director of the Foreign Policy program at the influential Brookings Institution, refers to herself as an "Iran junkie" in her X bio.
UNK_SmudgedSerpent clearly did its homework to impersonate someone so central in US discourse around Iranian affairs.

In mid-June 2025, the group tried to impersonate Maloney using a slightly misspelled Gmail account and a diligently designed email signature. It sent emails to 20 other members of another US think tank, using the now-trite tactic of offering to collaborate on a project. In later cases, the hackers spoofed economist and Middle East scholar Patrick Clawson, using lures that referenced Iranian geopolitical affairs much more directly.

If it engaged a target, UNK_SmudgedSerpent would first vet them, and then send a malicious URL masquerading as a link to the open source (OSS) productivity platform OnlyOffice, or to Microsoft Teams. Through a suspicious redirect, the link landed on a Microsoft 365 credential phishing page, with the victim's email and their employer's logo preloaded for authenticity.

In the attack chain Proofpoint observed, the victim expressed suspicion about the Microsoft portal, so UNK_SmudgedSerpent double dipped. It tried to get its victim to download decoy documents and a zip file, sold as being relevant to the fake collaboration initiative. The zip contained an installer for an RMM and, oddly, UNK_SmudgedSerpent then deployed a second RMM. The researchers had trouble explaining this bit. "It is possible UNK_SmudgedSerpent may have deployed RMM software as a throwaway option after the credential harvesting attempt didn't succeed, and the threat actor became suspicious of Proofpoint's investigation," the report stated.

The strangest thing of all, though, was how odd this whole picture looked against the backdrop of known Iranian threat activity.
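A defender-side triage check for the two lure traits described above: a known contact's display name arriving from a lookalike free-mail address, and a link whose visible text names OnlyOffice or Teams but whose host is somewhere else. This is an added example, not code from Proofpoint or the article; the trusted-sender list, the brand-to-domain map, and the sample email are constructed assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a directory of people worth impersonating and their real mailboxes (constructed).
KNOWN_SENDERS = {"Example Analyst": "analyst@thinktank.example"}
# Assumption: the hosts where these collaboration brands legitimately serve links.
BRAND_DOMAINS = {"teams": "teams.microsoft.com", "onlyoffice": "onlyoffice.com"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

def check_sender(from_header):
    """Flag a known display name paired with a free-mail address it is not registered to."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if name in KNOWN_SENDERS and addr.lower() != KNOWN_SENDERS[name] and domain in FREE_MAIL:
        return f"display name '{name}' used with unregistered free-mail address {addr}"
    return None

def check_links(html):
    """Flag anchors whose visible text names a brand but whose href host is not that brand's."""
    findings = []
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        for brand, real in BRAND_DOMAINS.items():
            if brand in text.lower() and not (host == real or host.endswith("." + real)):
                findings.append(f"link text mentions {brand} but host is {host}")
    return findings

def triage(from_header, html_body):
    """Return the list of lure indicators found in one message (empty list means clean)."""
    findings = []
    sender_finding = check_sender(from_header)
    if sender_finding:
        findings.append(sender_finding)
    findings.extend(check_links(html_body))
    return findings

# Constructed sample: a misspelled free-mail impersonation plus a brand-mismatched link.
SAMPLE_FROM = "Example Analyst <example.analyst.thinktank@gmail.com>"
SAMPLE_HTML = (
    "<p>Draft agenda is in our shared workspace:</p>"
    '<a href="https://docs.example-share.net/x">Open in OnlyOffice</a> or '
    '<a href="https://teams.microsoft.com/l/meetup-join/abc">Join Teams call</a>'
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_HTML):
        print("FLAG:", finding)
```

The Teams link passes because its host really is the brand's; only the OnlyOffice-branded link and the free-mail sender are flagged.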
The researchers characterized stage one of the attack — the types of people UNK_SmudgedSerpent targeted, the tone of its phishing messages, the email provider it used, the fake Microsoft Teams link, and the goal of stealing credentials and dropping malware — as highly reminiscent of the group known commonly as Charming Kitten. But the OnlyOffice bit, and all of the infrastructure that supported the attack, looked a lot more like TA455's doing. To make matters more confusing, they noted that among all of Iran's government-aligned threat actors, only MuddyWater has been known to utilize RMMs.

Proofpoint came up with a few hypotheses regarding why UNK_SmudgedSerpent so stubbornly refuses to fit into one box. It could be, for example, that one or more cyber teams within Iran's government have dissolved, merged, or otherwise reorganized, and that members have carried over specialties with them.

Another explanation is there might be some centralized entity that helps multiple groups with their infrastructure or malware. Or, perhaps, there is an element of collaboration or exchange between the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence Services (MOIS) — the two agencies that house the government's cyber threat actors.

There are more possibilities still. Many of Iran's state hackers are trained in the same place, so it could be that outwardly different groups employ members with similar, fluid skill sets. Saher Naumaan, senior threat researcher at Proofpoint, says that "while facilitating organizations or contractors in Iran are often agency-specific, there are examples of academies or training organizations that serve both the IRGC and MOIS, meaning skills or techniques could be not only shared across teams but also across agencies."

For Naumaan, knowing exactly who's behind attacks like these isn't just academically interesting. It's central to an intelligence-driven approach to security and, less obviously, "attribution is relevant in a business sense for leaders and directors of organizations to justify the financial and resourcing investment into cybersecurity and threat intelligence. For a given company with a particular threat model, attackers will have targeted similar organizations in that sector or geography before and are likely to again, which provides evidence for the realistic threat the organization faces, what a potential compromise might look like, and actionable steps to prevent one."

She admits that "the impact [of attribution] is definitely difficult to quantify, but it's hard to defend against a threat you don't understand."

Nate Nelson, Contributing Writer

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."