Researchers at Proofpoint Threat Research have identified a previously unknown cyber-espionage group, dubbed UNK_SmudgedSerpent, which has been conducting targeted phishing operations against academics and foreign policy experts since mid-2025. The group’s tactics, techniques, and procedures (TTPs) show a convergence of methods used by known Iranian APT groups, but analysts say the overlaps are too complex for definitive attribution.
The campaigns leveraged domestic political lures related to societal change in Iran and investigations into the militarization of the IRGC (Islamic Revolutionary Guard Corps).
Proofpoint first observed the actor in June 2025 after detecting benign-looking emails discussing economic instability and political unrest in Iran. While the activity occurred amid heightened tensions between Iran and Israel, researchers found “no indication that the observed activity was directly correlated with Israel’s attacks on Iranian nuclear facilities or Iran’s actions in response.”
The group’s phishing campaigns began innocuously, often starting with legitimate academic or policy discussions before transitioning into credential harvesting attempts. Once the attacker gained engagement from the target, they would deliver URLs spoofing OnlyOffice or Microsoft 365 login pages, disguised as invitations to review documents or join meetings.

One campaign spoofed Suzanne Maloney, vice president of the Brookings Institution, using a fake Gmail account (“Suzzane Maloney”) to reach over 20 U.S.-based think tank members. Proofpoint noted that while this impersonation technique resembled that of the TA453 (Charming Kitten) group, its broad targeting approach deviated from TA453’s usual highly selective operations.
Following initial contact, the attacker sent a link that appeared to belong to an OnlyOffice domain but in reality redirected to a health-themed attacker domain — thebesthomehealth[.]com — which in turn forwarded to another site, mosaichealthsolutions[.]com, that hosted a fake Microsoft 365 login page.
“The URL hosted a customized credential harvesting page with the user’s information pre-loaded.”
This deception combined multiple layers of social engineering: leveraging legitimate document-sharing platforms, mimicking medical organizations for domain registration, and using pre-filled credential prompts to enhance authenticity.
Another version of this attack was uploaded to VirusTotal, where the domain mimicked a Microsoft Teams meeting invitation. Clicking “Join Now” redirected users to the same credential-harvesting infrastructure.
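The lure chain described above (a link that looks like a document-share, a redirect through an unrelated health-themed host, and a sign-in page with the victim's identity already filled in) can be triaged offline without touching attacker infrastructure. The following Python is an added example written for this article, not Proofpoint's tooling: it follows a redirect map captured from a sandbox (constructed here from the hosts named in the report), checks whether the final sign-in page lives on a legitimate Microsoft login host, and looks for username pre-fill query parameters. The legitimate-host set, the parameter names, the URL paths and the "brand shown in the lure" input are assumptions to tune for your own environment.

```python
"""Offline triage of a suspected phishing link's redirect chain (added example)."""
from urllib.parse import urlparse, parse_qs

# Hosts on which a genuine Microsoft 365 sign-in page may legitimately be served.
# Assumption: extend with your tenant's own federated IdP hosts.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

# Query parameters commonly used to pre-populate a username on a sign-in page (assumption).
PREFILL_PARAMS = {"login_hint", "username", "email", "user"}

# Constructed redirect map standing in for HTTP 30x hops captured in a sandbox.
# The hosts follow the chain in the report; the paths and the pre-filled address are made up.
CONSTRUCTED_HOPS = {
    "https://thebesthomehealth[.]com/onlyoffice/share?doc=brief":
        "https://mosaichealthsolutions[.]com/common/oauth2?login_hint=analyst%40example.org",
}


def refang(url: str) -> str:
    """Turn a defanged indicator (example[.]com) back into a parseable URL."""
    return url.replace("[.]", ".")


def follow_chain(start_url: str, hops: dict, max_hops: int = 10) -> list:
    """Walk the redirect map from start_url, guarding against loops and runaway chains."""
    hops = {refang(k): refang(v) for k, v in hops.items()}
    chain = [refang(start_url)]
    while chain[-1] in hops and len(chain) <= max_hops:
        nxt = hops[chain[-1]]
        if nxt in chain:          # redirect loop: stop rather than spin
            break
        chain.append(nxt)
    return chain


def triage(brand_host_shown: str, start_url: str, hops: dict) -> dict:
    """Return the resolved chain plus the reasons, if any, the link deserves analyst attention.

    brand_host_shown is the hostname the lure text claims the link goes to (assumption:
    taken from the displayed link text or the email body).
    """
    chain = follow_chain(start_url, hops)
    first, final = urlparse(chain[0]), urlparse(chain[-1])
    findings = []

    if first.hostname != brand_host_shown:
        findings.append(f"link host {first.hostname} differs from brand shown ({brand_host_shown})")
    if final.hostname != first.hostname:
        findings.append(f"cross-domain redirect to {final.hostname}")
    if final.hostname not in LEGIT_LOGIN_HOSTS:
        findings.append(f"sign-in page served from non-Microsoft host {final.hostname}")
    prefilled = sorted(p for p in PREFILL_PARAMS if p in parse_qs(final.query))
    if prefilled:
        findings.append(f"username pre-filled via {', '.join(prefilled)}")

    return {
        "chain": chain,
        "verdict": "suspicious" if findings else "no findings",
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage("onlyoffice.com", next(iter(CONSTRUCTED_HOPS)), CONSTRUCTED_HOPS)
    print(result["verdict"])
    for f in result["findings"]:
        print(" -", f)
```

The verdict is deliberately "suspicious" rather than "malicious": every one of these signals can occur in benign traffic (consultancies do host document shares on odd domains, and `login_hint` is a legitimate OpenID Connect parameter), so the value of the script is in stacking them and surfacing the resolved chain for a human to read.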
Once credentials were harvested or the victim downloaded the malicious archive, the attackers deployed Remote Monitoring and Management (RMM) tools to maintain persistence and remote access.
“Upon execution, UNK_SmudgedSerpent’s ZIP archive loaded an MSI file, which launched the PDQConnect Remote Monitoring & Management (RMM) software.”
Researchers also observed the attackers installing ISL Online, another commercial RMM tool, likely as a backup or “throwaway” option when initial credential theft failed. Proofpoint noted, “While the use of RMMs is a generic technique abusing legitimate tools, it is rare to see them associated with state-sponsored actors.”
This overlap in tooling and tactics is significant because TA450 (MuddyWater) has previously been documented using RMM utilities for espionage and lateral movement. This further complicates attribution, as Proofpoint explains:
“The reason for the attackers’ sequential deployment of two distinct RMM tools remains unclear… neither hypothesis can be confirmed at the time of writing.”
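Because the RMM agents named in the report (PDQ Connect, ISL Online) are legitimate commercial software, signature-based antivirus will not flag them; the defensive control is an inventory of which RMM products the organisation has sanctioned, and an alert on any other one appearing, with extra weight when it arrives via an MSI install as described above. The Python below is an added example written for this article, not Proofpoint's detection content. It runs over constructed process-creation log lines in a simplified Sysmon-style key=value format; the binary names, paths, hostnames and the empty approved list are assumptions to replace from your own software inventory.

```python
"""Flag unsanctioned RMM agents in process-creation telemetry (added example)."""
import re

# Case-insensitive substrings that identify the RMM agents named in the report.
# Assumption: real binary names vary by product version; extend from your inventory.
RMM_INDICATORS = {
    "pdqconnect": "PDQ Connect",
    "pdq-connect": "PDQ Connect",
    "isllight": "ISL Online",
    "islonline": "ISL Online",
}

# RMM products the organisation has sanctioned. Assumption: empty placeholder here;
# a site that really uses one of these would list it, e.g. {"PDQ Connect"}.
APPROVED_RMM = set()

# Constructed log lines in a simplified Sysmon EventID 1 style; hosts, users and paths are made up.
CONSTRUCTED_EVENTS = [
    r"2025-09-02T10:14:03Z host=WS-17 ParentImage=C:\Windows\System32\msiexec.exe "
    r"Image=C:\Program Files\PDQ\pdq-connect-agent.exe User=ACME\jdoe",
    r"2025-09-02T10:21:47Z host=WS-17 ParentImage=C:\Windows\explorer.exe "
    r"Image=C:\Users\jdoe\AppData\Local\ISLLight\ISLLightClient.exe User=ACME\jdoe",
    r"2025-09-02T10:22:10Z host=WS-17 ParentImage=C:\Windows\explorer.exe "
    r"Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE User=ACME\jdoe",
]

# key=value pairs whose values may contain spaces (Windows paths): consume lazily up to the next " key=".
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Parse one key=value log line into a dict; the leading timestamp is not a pair and is skipped."""
    return dict(KV.findall(line))


def classify(event: dict):
    """Return a finding for an unsanctioned RMM agent, or None for anything else."""
    image = event.get("Image", "").lower()
    product = next((name for key, name in RMM_INDICATORS.items() if key in image), None)
    if product is None or product in APPROVED_RMM:
        return None

    parent = event.get("ParentImage", "").lower()
    severity, reasons = "medium", [f"unsanctioned RMM agent: {product}"]
    if parent.endswith("msiexec.exe"):
        # Matches the report's ZIP -> MSI -> RMM delivery chain.
        severity = "high"
        reasons.append("launched by an MSI install (msiexec.exe parent)")
    if "\\temp\\" in image or "\\downloads\\" in image:
        severity = "high"
        reasons.append("running from a user-writable staging directory")

    return {
        "host": event.get("host"),
        "user": event.get("User"),
        "product": product,
        "image": event.get("Image"),
        "severity": severity,
        "reasons": reasons,
    }


def detect(lines) -> list:
    """Run classify over raw log lines and keep only the findings."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in detect(CONSTRUCTED_EVENTS):
        print(f"[{finding['severity']}] {finding['host']} {finding['user']} {finding['product']}: "
              f"{'; '.join(finding['reasons'])}")
```

The inventory approach is what makes this workable: the report notes that RMM abuse is "a generic technique abusing legitimate tools", so the question an analyst can actually answer is not "is this binary evil" but "did we ever approve this product on this host", which is why the allowlist, not the indicator list, is the part worth maintaining.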
Proofpoint’s analysis of the UNK_SmudgedSerpent infrastructure revealed domains that shared server configurations with TA455 (C5 Agent, Smoke Sandstorm) operations, including the fake Teams portal domain ebixcareers[.]com and health-related sites used in earlier campaigns.
“Investigating suspected UNK_SmudgedSerpent infrastructure, such as healthcrescent[.]com, surfaced additional activity that further complicates UNK_SmudgedSerpent’s relationship and overlaps with TA455.”
Malware hosted on related URLs included both benign decoys (such as Boeing recruitment PDFs) and TA455-linked backdoors like MiniJunk, a derivative of previously reported malware families MiniBike and MiniBus. These overlaps suggest shared infrastructure or contractor cross-pollination within Iran’s cyber ecosystem.
Proofpoint summarized the confusion succinctly:
“While the infrastructure likely aligns with UNK_SmudgedSerpent, it remains unclear why it is simultaneously hosting TA455 custom malware.”
While Proofpoint has not definitively attributed UNK_SmudgedSerpent to a known Iranian APT, analysts highlighted multiple possible explanations for the overlapping TTPs — including shared resources, merged teams, or cross-agency collaboration between Iran’s IRGC and MOIS.