Full Report
A never-before-seen threat activity cluster codenamed UNK_SmudgedSerpent has been attributed as behind a set of cyber attacks targeting academics and foreign policy experts between June and August 2025, coinciding with heightened geopolitical tensions between Iran and Israel. "UNK_SmudgedSerpent leveraged domestic political lures, including societal change in Iran and investigation into the
Analysis Summary
# Threat Actor: UNK_SmudgedSerpent
This analysis is based on an intelligence report describing a previously unseen cyber activity cluster emerging between June and August 2025.
## Attribution & Identity
* **Identification:** UNK_SmudgedSerpent (a never-before-seen threat activity cluster).
* **Associations:** Shares tactical similarities with known Iranian cyber espionage groups, specifically:
  * TA455 (Smoke Sandstorm/UNC1549)
  * TA453 (Mint Sandstorm/Charming Kitten)
  * TA450 (MuddyWater/Mango Sandstorm)
## Activity Summary
* **Recent Campaigns/Operations:** Conducted cyber attacks between June and August 2025, coinciding with heightened geopolitical tensions between Iran and Israel.
* **Themes:** Leveraged lures related to domestic political instability in Iran and investigations into the militarization of the Islamic Revolutionary Guard Corps (IRGC).
* **Engagement Tactics:** Opened with benign conversation (the "classic Charming Kitten attack") before attempting credential phishing. This included attempts to verify the target's identity and email authenticity before proceeding with the proposed "collaboration."
## Tactics, Techniques & Procedures
* **Initial Access:** Spearphishing (email).
* **Lures:** Impersonated prominent U.S. foreign policy figures associated with think tanks (e.g., Brookings Institution, Washington Institute). Used domestic Iranian political lures.
* **Credential Harvesting:** Directed victims to bogus landing pages to harvest Microsoft account credentials. In one instance, after the target expressed suspicion, the actor removed the password requirement and instead led them to a spoofed OnlyOffice login page hosted on **thebesthomehealth[.]com**.
* **Malware Deployment:** Delivered a malicious link leading to an MSI installer disguised as Microsoft Teams. The MSI deployed legitimate Remote Monitoring and Management (RMM) software:
  * PDQ Connect
* **Post-Compromise:** Evidence suggests potential hands-on-keyboard activity to install a second RMM tool, **ISL Online**.
* **Infrastructure Usage:** Used domains reminiscent of TA455 activity (health-themed domains, OnlyOffice references).
## Targeting
* **Sectors:** Academics, Foreign Policy/Think Tanks.
* **Geography:** Targeting U.S.-based experts.
* **Victims:** Over 20 subject matter experts at a U.S.-based think tank focusing on Iran-related policy matters; a U.S.-based academic investigating the IRGC.
## Tools & Infrastructure
* **Malware Families Used:** Legitimate RMM software used for malicious purposes: PDQ Connect, ISL Online.
* **Infrastructure (C2, Domains, IPs):**
  * Credential harvesting hosted on **thebesthomehealth[.]com** (used for the spoofed OnlyOffice login).
  * Emails contained malicious URLs leading to an MSI installer.
## Implications
This cluster appears to be an Iranian state-sponsored cyber espionage effort, given the geopolitical timing and tactical overlap with established Iranian APTs (TA455, TA453, TA450). The focus on foreign policy experts and think tanks suggests intelligence gathering related to U.S. policy toward Iran/Israel. The use of legitimate RMM software indicates an intent for persistent, difficult-to-detect remote access post-compromise.
## Mitigations
* Maintain heightened vigilance against spearphishing emails referencing recent geopolitical events or insider research topics related to Iran.
* Scrutinize emails claiming to be from prominent policy figures or institutes (Brookings, Washington Institute).
* Be wary of unexpected requests to click links to "join a meeting" or view documents, especially if they lead to external login pages for common productivity suites (Microsoft, OnlyOffice).
* Organizations should monitor for the deployment of legitimate RMM tools (PDQ Connect, ISL Online) outside of approved software inventories.
* Incorporate the TTPs attributed to TA455 into defensive measures, such as monitoring for suspicious health- or aerospace-themed domains used for C2 or hosting.
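One way to operationalize the RMM-inventory check above, as an added example that is not part of the original report: the script flags MSI installs of the named RMM products on hosts not approved for them, noting when the installer filename does not match the product (the Teams-disguised MSI) and when a second RMM family appears on a host that already received an unapproved one. The host names, approved inventory and log events are constructed, and the event shape assumes MsiInstaller entries have been exported with the installing MSI path.

```python
import re

# RMM families named in the report, matched against MsiInstaller product names.
RMM_FAMILIES = {"PDQ Connect": re.compile(r"pdq\s*connect", re.I),
                "ISL Online": re.compile(r"isl\s*online", re.I)}

# Hypothetical approved inventory: the RMM families each host is allowed to run.
APPROVED = {"it-admin-01": {"PDQ Connect"}}

# Constructed events modelled on Windows Application log entries from source
# MsiInstaller, Event ID 11707, joined with the installing process's MSI path.
SAMPLE_EVENTS = [
    {"host": "it-admin-01", "product": "PDQ Connect Agent", "installer": r"C:\Deploy\PDQConnectAgent.msi"},
    {"host": "analyst-ws-07", "product": "Microsoft Teams", "installer": r"C:\Program Files\Teams Installer\Teams.msi"},
    {"host": "analyst-ws-07", "product": "PDQ Connect Agent", "installer": r"C:\Users\jdoe\Downloads\MicrosoftTeams.msi"},
    {"host": "analyst-ws-07", "product": "ISL Online", "installer": r"C:\Users\jdoe\AppData\Local\Temp\ISLOnline.msi"},
]

def rmm_family(product):
    """Return the RMM family a product name belongs to, or None if not RMM."""
    for family, pattern in RMM_FAMILIES.items():
        if pattern.search(product):
            return family
    return None

def find_unapproved_rmm(events, approved):
    """Flag RMM installs on hosts not approved for that family.

    Reasons: 'unapproved' always; 'installer_name_mismatch' when the MSI
    filename does not name the product (the Teams-disguised installer);
    'multiple_rmm_on_host' when a second RMM family follows the first.
    """
    seen = {}  # host -> RMM families already flagged on it
    findings = []
    for ev in events:
        family = rmm_family(ev["product"])
        if family is None or family in approved.get(ev["host"], set()):
            continue
        reasons = ["unapproved"]
        msi_name = ev["installer"].rsplit("\\", 1)[-1]
        if not RMM_FAMILIES[family].search(msi_name):
            reasons.append("installer_name_mismatch")
        prior = seen.setdefault(ev["host"], set())
        if prior and family not in prior:
            reasons.append("multiple_rmm_on_host")
        prior.add(family)
        findings.append({"host": ev["host"], "family": family,
                         "product": ev["product"], "reasons": reasons})
    return findings
```

Running `find_unapproved_rmm(SAMPLE_EVENTS, APPROVED)` on the constructed events yields two findings for analyst-ws-07: the PDQ Connect install from a Teams-named MSI, then the follow-on ISL Online install on the same host.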