UNK_SmudgedSerpent: A New Iranian Espionage Cluster Targeting US Policy Experts
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Downloader, Dropper, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
Proofpoint uncovered a new Iranian-linked activity cluster, UNK_SmudgedSerpent, which overlaps with known groups TA453 (Charming Kitten), TA455 (Smoke Sandstorm), and TA450 (MuddyWater). Active between June and August 2025, the group targeted US-based think tank and academic experts on Iranian affairs using phishing campaigns that impersonated Brookings and Washington Institute figures. The attacks began with benign email exchanges before transitioning to credential harvesting and the deployment of remote monitoring and management (RMM) tools such as PDQConnect and ISL Online. The campaign’s infrastructure and TTPs reflect Iran’s broader intelligence-collection goals and the growing overlap between its contractor-operated cyber units.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Pro-Democracy | Verified |
| Sector | Researchers | Verified |
| Region | United States | Verified |
Extracted IOCs
- accountroyal[.]com
- airbusaerodefence[.]com
- airbusaerodefence[.]nl
- airbusgroup-careers[.]com
- airbushiring[.]com
- alwayslivehealthy[.]com
- anteromarketing[.]com
- asiandefenses[.]com
- bodywellnessbycynthia[.]com
- boeingspace[.]com
- careers2find[.]com
- careers-hub[.]org
- careers-portal[.]org
- careersworld[.]org
- chakracleansetherapy[.]com
- clearmindhealthandwellness[.]com
- collaboromarketing[.]com
- droneflywell[.]com
- dronetechasia[.]org
- easymarketing101[.]com
- ebixcareers[.]com
- ehealthpsuluth[.]com
- emiratescareers[.]org
- emiratesgroup-careers[.]com
- flydubai-careers[.]com
- germanywork[.]org
- global-careers[.]com
- gocareers[.]org
- healthcarefluent[.]com
- healthcrescent[.]com
- healthiestmama[.]com
- healthinfusiontherapy[.]com
- jadehealthcenter[.]com
- joinboeing[.]com
- kibanacore[.]com
- marketinglw[.]com
- mojavemassageandwellness[.]com
- mosaichealthsolutions[.]com
- msnapp[.]help
- msnapp[.]live
- msnclouds[.]com
- opportunities2get[.]com
- palaerospace[.]careers
- rhealthylivingsolutions[.]com
- rheinmetallcareer[.]com
- rheinmetallcareer[.]org
- rheinmetallcareers[.]com
- sulumorbusinessservices[.]com
- thebesthomehealth[.]com
- thecareershub[.]org
- uavnodes[.]com
- usa-careers[.]com
- virgomarketingsolutions[.]com
- worldcareers[.]org
- zytonhealth[.]com
- airbus-careers.onlyoffice[.]com
- airbus-survay.onlyoffice[.]com
- boeinginformation.onlyoffice[.]com
- malebachhew2506090936.onlyoffice[.]com
- randcorp.onlyoffice[.]com
- rheinmetallcareer.onlyoffice[.]com
- suzzanemaloney2506090953.onlyoffice[.]com
- patrickclawson51@gmail[.]com
- patrick.clawson51@outlook[.]com
- suzannemaloney68@gmail[.]com
- suzzanemaloney@gmail[.]com
- 0bdb64fc1d5533f7b3fffaf821e89f286ad2d7400a914f21abdcbb7bb8a39e63
- 0fcdaa2f4db94e0589617830d3d80430627815ef0e4b0c7b7ff5c1ebb82a4136
- 129a40e38ef075c7d33d8517b268eb023093c765a32e406b58f39fab6cc6a040
- 1e9c31ce0eba2100d416f5bc3b97dafe2da0d3d9aee96de59ec774365fe3fe89
- 6eb7df21d6f1e3546c252a112504eefbb19205167db89038f2861118bbc8871c
- 7b5fb8202bff90398ab007579713f66430778249e43b46f35df6c3ded628f129
- cac018dccdf6ce4bef19ab71e3e737724aed104bc824332a5213c878b065ff50
- hxxps://suzzanemaloney2506090953.onlyoffice[.]com/s.-k6vjflsdagdsfgh
Tip: 74 IOCs related to this threat have been found (0 IP addresses, 62 domains, 1 URL, 4 email addresses, 7 file hashes).
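The indicators above are published defanged (`[.]` for `.`, `hxxps` for `https`), so they cannot be matched against logs as written. The following script is an added, defender-side example and is not part of the original report: it refangs a subset of the listed indicators, buckets them by type (domain, email, URL, SHA-256), and scans a handful of log lines for hits. The log lines, user names, host names and field layout are constructed for the example; only the indicator values are taken from the list above. Domain matching accepts exact hosts and their subdomains but deliberately does not flag the parent `onlyoffice.com` zone, since only specific subdomains of that legitimate service are indicators here.

```python
import re

# Subset of the defanged indicators listed above, copied as published.
DEFANGED_IOCS = [
    "msnclouds[.]com",
    "msnapp[.]live",
    "suzzanemaloney2506090953.onlyoffice[.]com",
    "patrickclawson51@gmail[.]com",
    "suzzanemaloney@gmail[.]com",
    "hxxps://suzzanemaloney2506090953.onlyoffice[.]com/s.-k6vjflsdagdsfgh",
    "0bdb64fc1d5533f7b3fffaf821e89f286ad2d7400a914f21abdcbb7bb8a39e63",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Hostname tokens inside a lowercased log line: labels separated by dots, at least one dot.
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b")
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")
HEX64_RE = re.compile(r"\b[0-9a-f]{64}\b")


def refang(ioc: str) -> str:
    """Reverse the defanging used in the list: [.] -> . and hxxp(s) -> http(s)."""
    ioc = ioc.strip().replace("[.]", ".")
    if ioc.lower().startswith("hxxp"):
        ioc = "http" + ioc[4:]
    return ioc.lower()


def classify(ioc: str) -> str:
    """Bucket a refanged indicator so each type is matched the appropriate way."""
    if SHA256_RE.match(ioc):
        return "sha256"
    if ioc.startswith(("http://", "https://")):
        return "url"
    if "@" in ioc:
        return "email"
    return "domain"


def build_index(defanged):
    """Refang and classify a list of indicators into per-type sets."""
    index = {"domain": set(), "email": set(), "url": set(), "sha256": set()}
    for raw in defanged:
        ioc = refang(raw)
        index[classify(ioc)].add(ioc)
    return index


def match_domain(host, domains):
    """Exact match or subdomain of a listed domain; parent zones are not indicators."""
    for d in sorted(domains):
        if host == d or host.endswith("." + d):
            return d
    return None


def scan(lines, index):
    """Return (line_no, ioc_type, ioc) for every indicator observed in the log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        low = line.lower()
        for host in HOST_RE.findall(low):
            d = match_domain(host, index["domain"])
            if d:
                hits.append((n, "domain", d))
        for addr in EMAIL_RE.findall(low):
            if addr in index["email"]:
                hits.append((n, "email", addr))
        for url in sorted(index["url"]):
            if url in low:
                hits.append((n, "url", url))
        for h in HEX64_RE.findall(low):
            if h in index["sha256"]:
                hits.append((n, "sha256", h))
    return hits


# Constructed log lines (not from the report) covering the proxy, mail and endpoint stages.
SAMPLE_LOGS = [
    '2025-07-02T09:14:03Z proxy user=jdoe dst=msnclouds.com:443 action=allow',
    '2025-07-02T09:15:10Z proxy user=jdoe url="https://suzzanemaloney2506090953.onlyoffice.com/s.-k6vjflsdagdsfgh" action=allow',
    '2025-07-02T09:20:44Z mail from=<patrickclawson51@gmail.com> to=<analyst@example.org> subject="follow-up"',
    '2025-07-02T09:31:55Z edr host=WS-17 file=setup.msi sha256=0bdb64fc1d5533f7b3fffaf821e89f286ad2d7400a914f21abdcbb7bb8a39e63',
    '2025-07-02T09:40:12Z proxy user=asmith dst=docs.onlyoffice.com:443 action=allow',
    '2025-07-02T09:41:00Z proxy user=asmith dst=www.example.com:443 action=allow',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, build_index(DEFANGED_IOCS)):
        print(hit)
```

Run against the constructed lines, the script reports one domain hit, one URL hit (plus its host as a domain hit), one sender-address hit and one file-hash hit, and stays silent on the two benign proxy lines, including the `docs.onlyoffice.com` one. To use it operationally, replace `DEFANGED_IOCS` with the full list above and `SAMPLE_LOGS` with real export lines.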
FAQs
Understanding the UNK_SmudgedSerpent Espionage Campaign
A newly identified threat actor, UNK_SmudgedSerpent, ran a phishing campaign targeting US-based experts working on Iran-related policy. The attackers used fake emails, credential-stealing pages, and remote-access software to gain access to targets’ accounts and systems.
The activity showed similarities to several Iranian state-aligned groups, but none matched strongly enough for a confident attribution. The overlaps likely result from shared contractors, shared infrastructure, or operator movement between teams inside Iran’s cyber ecosystem.
Their lures focused on Iran’s domestic politics and foreign relations, strongly indicating an intelligence-gathering mission. The aim was to access private communications and policy insights from individuals who study or influence Iran-related issues.
More than 20 members of a major US think tank were targeted, along with individual academics and policy specialists. The targets worked across a wide range of fields, including national defense, technology, economic security, global health, and Middle East policy.
The attackers started with harmless-looking emails to build trust. They then sent links pretending to be OnlyOffice or Microsoft login pages. After attempting to steal usernames and passwords, they provided a malicious file that installed remote-access software on the victim’s device.
Experts who shape or analyze foreign policy are valuable to state actors seeking strategic insight. Iran-focused researchers, in particular, can provide information relevant to geopolitical events, sanctions, and international negotiations.
The first campaign targeted many people, but later attacks became more selective, focusing on single high-value individuals. The activity appears targeted rather than broad-based.