Elusive Iranian APT Phishes Influential US Policy Wonks
Recorded: Nov. 5, 2025, 12:01 p.m.
Iran is spying on American foreign policy influencers. But exactly which of its government's APTs is responsible remains a mystery.

Nate Nelson, Contributing Writer
November 5, 2025
4 Min Read

Source: Christophe Coat via Alamy Stock Photo
Iran has carried out highly targeted phishing attacks against prominent US think tanks this summer.

Have you ever wondered what the people who don't like you are saying about you? In that way alone, perhaps, you're rather like the Islamic Republic of Iran. Between June and August 2025, the Iranian government spied on American academics and foreign policy experts, hoping to gather strategic intelligence (or maybe just a little gossip).

It's not yet clear, though, exactly which threat actor did all of the snooping. Proofpoint has labeled the group "UNK_SmudgedSerpent" for now, as its tactics, techniques, and procedures (TTPs) overlap with most of Iran's major advanced persistent threats (APTs). The group went after the same targets as, and borrowed its approach to phishing from, TA453 (also known as Charming Kitten, Mint Sandstorm). On the other hand, it used infrastructure aligned with that of TA455 (Smoke Sandstorm). And it was the only Iranian threat actor known to deploy remote monitoring and management (RMM) software, besides TA450 (MuddyWater, Mango Sandstorm).

Iran Spying on US Policy Experts

Suzanne Maloney, vice president and director of the Foreign Policy program at the influential Brookings Institution, refers to herself as an "Iran junkie" in her X bio.
UNK_SmudgedSerpent clearly did its homework to impersonate someone so central in US discourse around Iranian affairs.

In mid-June 2025, the group tried to impersonate Maloney using a slightly misspelled Gmail account and a diligently designed email signature. It sent emails to 20 other members of another US think tank, using the now-trite tactic of offering to collaborate on a project. In other, later cases, the hackers spoofed economist and Middle East scholar Patrick Clawson, using lures that referenced Iranian geopolitical affairs much more directly.

If it engaged a target, UNK_SmudgedSerpent would first vet them, and then send a malicious URL masquerading as a link to the open source (OSS) productivity platform OnlyOffice, or to Microsoft Teams. Through a suspicious redirect, the link landed on a Microsoft 365 credential phishing page, with the victim's email and their employer's logo preloaded for authenticity.

In the attack chain Proofpoint observed, the victim expressed suspicion about the Microsoft portal, so UNK_SmudgedSerpent double dipped. It tried to get its victim to download decoy documents and a zip file, sold as being relevant to the fake collaboration initiative. The zip contained an installer for an RMM and, oddly, UNK_SmudgedSerpent then deployed a second RMM. The researchers had trouble explaining this bit. "It is possible UNK_SmudgedSerpent may have deployed RMM software as a throwaway option after the credential harvesting attempt didn't succeed, and the threat actor became suspicious of Proofpoint's investigation," the report stated.

The strangest thing of all, though, was how odd this whole picture looked against the backdrop of known Iranian threat activity.
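One way a receiving organization can screen inbound mail for the two lure ingredients described above: a trusted colleague's display name arriving from a lookalike free-mail address, and "OnlyOffice" or "Teams" link text whose href resolves somewhere else. This is an added example written for this page, not Proofpoint's tooling or anything from its report; the contact directory, the allowed hosts and the sample message are all constructed.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical contact directory: expected display names -> their real mailboxes.
KNOWN_CONTACTS = {"jane analyst": {"jane.analyst@example-thinktank.org"}}
# Lure wording named on the page (OnlyOffice, Teams) -> hosts such a link may legitimately use.
BRAND_HOSTS = {"teams": ("teams.microsoft.com",), "onlyoffice": ("onlyoffice.com",)}

class LinkCollector(HTMLParser):  # pairs each <a href> with its visible text
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((data.strip().lower(), self._href))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def host_matches(host, allowed):
    return any(host == a or host.endswith("." + a) for a in allowed)

def flag_message(raw):
    # Returns findings for one single-part HTML message; an empty list means nothing seen.
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    legit = KNOWN_CONTACTS.get(name.strip().lower())
    if legit is not None and addr.lower() not in legit:  # known name, unknown mailbox
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for text, href in collector.links:
        host = urlparse(href).hostname or ""
        for brand, allowed in BRAND_HOSTS.items():
            if brand in text and not host_matches(host, allowed):  # lure text, foreign host
                findings.append(f"lure link: '{text}' points to {host}")
    return findings

# Constructed sample: lookalike Gmail sender borrowing a colleague's name, plus an
# "OnlyOffice" link that really leads off-brand (the Teams link is genuine).
SAMPLE = """From: Jane Analyst <jane.analystt@gmail.com>
Content-Type: text/html

<p>Draft notes: <a href="https://docs-share.example.net/onlyoffice/login">OnlyOffice</a>
or join via <a href="https://teams.microsoft.com/l/meetup-join/x">Teams</a>.</p>
"""
```

Running `flag_message(SAMPLE)` yields two findings, one per lure ingredient; a message from the directory address with only the genuine Teams link yields none.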
The researchers characterized stage one of the attack — the types of people UNK_SmudgedSerpent targeted, the tone of its phishing messages, the email provider it used, the fake Microsoft Teams link, and the goal of stealing credentials and dropping malware — as highly reminiscent of the group known commonly as Charming Kitten. But the OnlyOffice bit, and all of the infrastructure that supported the attack, looked a lot more like TA455's doing. To make matters more confusing, they noted that among all of Iran's government-aligned threat actors, only MuddyWater has been known to utilize RMMs.

Who is UNK_SmudgedSerpent — and Does it Matter?

Proofpoint came up with a few hypotheses regarding why UNK_SmudgedSerpent so stubbornly refuses to fit into one box. It could be, for example, that one or more cyber teams within Iran's government have dissolved, merged, or otherwise reorganized, and that members have carried over specialties with them.

Another explanation is that there might be some centralized entity that helps multiple groups with their infrastructure or malware. Or, perhaps, there is an element of collaboration or exchange between the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence Services (MOIS) — the two agencies that house the government's cyber threat actors.

There are more possibilities still. Many of Iran's state hackers are trained in the same place, so it could be that outwardly different groups employ members with similar, fluid skill sets. Saher Naumaan, senior threat researcher at Proofpoint, says that "while facilitating organizations or contractors in Iran are often agency-specific, there are examples of academies or training organizations that serve both the IRGC and MOIS, meaning skills or techniques could be not only shared across teams but also across agencies."

For Naumaan, knowing exactly who's behind attacks like these isn't just academically interesting.
It's central to an intelligence-driven approach to security and, less obviously, "attribution is relevant in a business sense for leaders and directors of organizations to justify the financial and resourcing investment into cybersecurity and threat intelligence. For a given company with a particular threat model, attackers will have targeted similar organizations in that sector or geography before and are likely to again, which provides evidence for the realistic threat the organization faces, what a potential compromise might look like, and actionable steps to prevent one."

She admits that "the impact [of attribution] is definitely difficult to quantify, but it's hard to defend against a threat you don't understand."

About the Author

Nate Nelson, Contributing Writer
Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."