Proofpoint identified a previously unseen threat cluster, codenamed UNK_SmudgedSerpent, that it links to cyber attacks against academics and foreign policy experts between June and August 2025, a period of heightened tensions between Iran and Israel, according to a report by Proofpoint security researcher Saher Naumaan.
The company said the operation employed domestic political lures, including themes about societal change in Iran and investigations into the militarization of the Islamic Revolutionary Guard Corps (IRGC). Proofpoint added the campaign shares tactical similarities with prior attacks attributed to Iranian cyber espionage groups identified in earlier reporting.
Email messages in the campaign displayed characteristics associated with Charming Kitten-style operations, engaging targets in apparently benign conversation before attempting to harvest credentials. Some messages contained links to MSI installers that posed as Microsoft Teams but deployed legitimate remote monitoring and management (RMM) software such as PDQ Connect, a tactic previously observed in MuddyWater activity, the company said.
Targets included over 20 subject-matter experts at a U.S.-based think tank focused on Iran policy. In at least one instance the actor pushed to verify the recipient’s identity and email address before sending a link to documents; that link led to a fabricated landing page designed to harvest Microsoft account credentials. In another variant the URL mimicked a Microsoft Teams login with a “Join now” button, though follow-on stages in that flow remain unclear.
Proofpoint reported that after a target expressed suspicion the adversary removed a password requirement on the credential-harvesting page and redirected to a spoofed OnlyOffice login hosted on “thebesthomehealth[.]com.” The counterfeit OnlyOffice site contained a ZIP archive with an MSI that launched PDQ Connect; other documents were assessed as decoys. There is evidence the operator performed hands-on-keyboard activity to install an additional RMM tool, ISL Online, through PDQ Connect, but the reason for deploying two distinct RMM programs was not determined. Naumaan said the use of OnlyOffice URLs and health-themed domains is reminiscent of activity linked to TA455.
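The chain described above (a lookalike "Teams" or OnlyOffice MSI that actually installs an RMM agent) leaves a simple trace in the Windows Application log: an MsiInstaller event 1040 naming the .msi path, followed by event 11707 naming the product that was installed. The detection below is an added example written for this article, not Proofpoint's code; the log lines are constructed samples and the RMM product strings are assumed to match what the vendors register.

```python
import re

# Constructed MsiInstaller event lines for illustration (not from the report).
# Event 1040 = installer transaction started (carries the .msi path);
# event 11707 = "Installation completed successfully" (carries product name).
SAMPLE_EVENTS = [
    "MsiInstaller 1040 Beginning a Windows Installer transaction: "
    "C:\\Users\\a\\Downloads\\MicrosoftTeams.msi. Client Process Id: 4120.",
    "MsiInstaller 11707 Product: PDQ Connect Agent -- Installation completed successfully.",
    "MsiInstaller 1040 Beginning a Windows Installer transaction: "
    "C:\\Users\\a\\Downloads\\OnlyOffice.msi. Client Process Id: 5000.",
    "MsiInstaller 11707 Product: ISL Online -- Installation completed successfully.",
    "MsiInstaller 1040 Beginning a Windows Installer transaction: "
    "C:\\Program Files\\Teams Installer\\Teams.msi. Client Process Id: 6000.",
    "MsiInstaller 11707 Product: Teams Machine-Wide Installer -- Installation completed successfully.",
]

# Assumed product-name fragments for the two RMM tools named in the report.
RMM_PRODUCTS = ("pdq connect", "isl online")
# File-name fragments the lure MSIs used to look like legitimate software.
LURE_NAMES = ("teams", "onlyoffice")

START_RE = re.compile(r"\b1040\b.*?transaction: (.+?\.msi)\.", re.IGNORECASE)
DONE_RE = re.compile(r"\b11707\b Product: (.+?) -- Installation completed")


def find_rmm_lures(events):
    """Pair each 1040 transaction start with the following 11707 completion.

    Returns (msi_path, product) tuples where a lure-named MSI installed an
    RMM product; a genuine Teams MSI installing Teams is not reported.
    """
    findings = []
    pending_msi = None
    for line in events:
        m = START_RE.search(line)
        if m:
            pending_msi = m.group(1)
            continue
        m = DONE_RE.search(line)
        if m and pending_msi:
            product = m.group(1)
            fname = pending_msi.rsplit("\\", 1)[-1].lower()
            if any(p in product.lower() for p in RMM_PRODUCTS) and any(n in fname for n in LURE_NAMES):
                findings.append((pending_msi, product))
            pending_msi = None
    return findings


if __name__ == "__main__":
    for path, product in find_rmm_lures(SAMPLE_EVENTS):
        print(f"suspicious: {path} installed '{product}'")
```

On a real host the same pairing can be run over `Get-WinEvent -LogName Application -ProviderName MsiInstaller` output; a product name that does not match the MSI's file name is the signal, not the RMM tool by itself.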
Proofpoint said the campaigns align with Iranian intelligence collection priorities, focusing on Western policy analysis, academic research and strategic technology, and suggested the operation indicates evolving cooperation between Iranian intelligence entities and cyber units.