A different approach to analyzing and simplifying threat intelligence
Threats Feed
We are excited to announce that the preliminary editions of Threats Feed and Actors Insights are now accessible to the public. Our efforts are focused on incorporating additional practical features and beneficial resources with the intention of nurturing an informed community. Stay connected for further updates.
UNK_SmudgedSerpent: A New Iranian Espionage Cluster Targeting US Policy Experts
Proofpoint uncovered a new Iranian-linked activity cluster, UNK_SmudgedSerpent, which overlaps with known groups TA453 (Charming Kitten), TA455 (Smoke Sandstorm), and TA450 (MuddyWater). Active between June and August 2025, the group targeted US-based think tank and academic experts on Iranian affairs using phishing campaigns that impersonated Brookings and Washington Institute figures. The attacks began with benign email exchanges before transitioning to credential harvesting and the deployment of remote monitoring and management (RMM) tools such as PDQConnect and ISL Online. The campaign’s infrastructure and TTPs reflect Iran’s broader intelligence-collection goals and the growing overlap between its contractor-operated cyber units.
MuddyWater Unveils New Espionage Toolkit in Global Phishing Campaign
Group-IB uncovered a global phishing campaign by the Iran-linked APT MuddyWater, targeting international and humanitarian organizations across the Middle East, Europe, Africa, and North America. The group used a compromised mailbox accessed via NordVPN to send phishing emails with malicious Word documents containing VBA macros that deployed the Phoenix backdoor v4 through the FakeUpdate injector. The malware achieved persistence via Winlogon registry keys and COM hijacking, while a custom browser credential stealer and RMM tools (PDQ, Action1) facilitated remote access and credential harvesting. The campaign reflects MuddyWater’s evolving espionage capabilities and integration of custom and legitimate tools for stealth operations.
Nimbus Manticore Expands Cyber-Espionage Campaigns Across Europe
Nimbus Manticore, an Iranian threat actor overlapping with UNC1549 and Smoke Sandstorm, has intensified its espionage operations against defense manufacturing, telecommunications, and aviation sectors in Western Europe, notably Denmark, Sweden, and Portugal. The group uses spear-phishing lures posing as HR recruiters to deliver multi-stage DLL side-loading malware via fake career portals. Its evolving toolset—MiniJunk backdoor and MiniBrowse stealer—employs advanced obfuscation, code signing, and cloud-based C2 infrastructure on Azure and Cloudflare to evade detection. The campaign reflects a highly sophisticated, well-resourced actor aligned with IRGC intelligence objectives.
Subtle Snail's MINIBIKE Campaign Uses DLL Sideloading and Azure-Proxied C2
Subtle Snail operators deploy the MINIBIKE backdoor via DLL sideloading to gain persistent, high-privilege access. The malware stages itself in the Public user's Documents folder using CopyFile2 and BITS, enforces single-instance execution with a UUID-named mutex, and builds a unique USERID from the username, hostname, and DLL timestamp for HTTP POST C2 over WinHTTP. Modular components include an LCG-obfuscated keylogger that writes encrypted extended0.log files, a browser stealer that uses a Chrome App-Bound decryption tool with process hollowing, and a CredUI-based Outlook/Winlogon prompt that saves the credentials it captures. Operators use Azure-proxied domains for C2, automated chunked exfiltration, WinRAR archiving, and anti-analysis techniques including control flow flattening and dynamic API resolution. Targets include telecommunications organizations.