UNK_SmudgedSerpent
UNK_SmudgedSerpent is a previously unidentified, Iran-linked threat activity cluster tracked by Proofpoint between June and August 2025. Proofpoint described it as a new Iranian APT/threat cluster but did not make a high-confidence attribution to a specific known group, instead noting overlapping tactics, techniques, procedures, and infrastructure with multiple Iranian state-aligned actors. Reported overlaps include TA453 (Charming Kitten, Mint Sandstorm), TA455 (Smoke Sandstorm, UNC1549, C5 Agent), and TA450 (MuddyWater, Mango Sandstorm). Proofpoint proposed possible explanations for the mixed signals, including shared procurement or infrastructure, contractor or personnel overlap, training commonalities, reorganization, or collaboration between Iranian entities such as the IRGC and MOIS.
The cluster targeted U.S.-based academics, think-tank personnel, and foreign policy experts, especially individuals focused on Iran, the Middle East, the IRGC, and related policy issues. Campaigns used patient, human-centered social engineering, often beginning with benign email exchanges before progressing to phishing. The actor impersonated prominent U.S. foreign policy figures and institutions, including personas associated with the Brookings Institution and the Washington Institute, and in one campaign contacted more than 20 members of a U.S.-based think tank. Observed lures referenced domestic political unrest and societal reform in Iran, investigations into IRGC militarization, and Iran’s role in Latin America.
The actor used collaboration-themed pretexts, spoofed OnlyOffice and Microsoft Teams or Microsoft 365 login experiences, and attacker-controlled health-themed domains such as thebesthomehealth[.]com and mosaichealthsolutions[.]com. Credential-harvesting pages were customized with victim information and, in some cases, employer branding.
When credential theft appeared to fail or targets became suspicious, the actor continued engagement in the same thread and pivoted to malware delivery. In the malware-delivery phase, victims were directed to archives or MSI installers disguised as meeting or collaboration materials, including fake Microsoft Teams content. These installers deployed legitimate remote monitoring and management (RMM) tools, notably PDQ Connect, and Proofpoint observed suspected hands-on-keyboard activity in which PDQ Connect was used to install a second RMM tool, ISL Online. Proofpoint noted that abuse of RMM tooling is generic but relatively uncommon among state-sponsored actors, while also documenting overlap with TA450 tradecraft. Analysis of related infrastructure also identified OnlyOffice-hosted content and backdoors from a TA455 custom lineage, including MiniJunk and MiniBike, further complicating attribution. Proofpoint reported the activity as topical and sporadic, shifting from a broader initial target set to more isolated later targeting, and observed no further email campaign activity after early August 2025.
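The delivery chain above (lure MSI, then a legitimate RMM agent, then that agent installing a second RMM tool) is unusual enough in most environments to hunt for directly in process-creation telemetry. The script below is an added example written for this page, not code from Proofpoint or from Mallory. It assumes Sysmon Event ID 1 records exported as JSON with the usual field names, recognises the two RMM tools by substrings of their image path (the binary names `PDQConnectAgent.exe` and `ISLLightClient.exe` are assumptions, not taken from the report), and runs over a small set of constructed sample events rather than real telemetry.

```python
"""
Hunt for the three-stage RMM delivery chain over Sysmon Event ID 1 style records.

Added example; not from Proofpoint or the Mallory page.
ASSUMPTIONS: Sysmon-style field names (Image, ParentImage, CommandLine,
ProcessId); RMM tools recognised by path substrings whose exact names are a
guess; all sample events below are constructed for illustration.
"""
import re

# Substrings used to recognise the two RMM tools named in the report.
# ASSUMPTION: real binary names vary by version; tune to your own telemetry.
RMM_HINTS = {
    "pdq connect": ("pdqconnect", "pdq-connect", "pdq connect"),
    "isl online": ("isllight", "isl light", "islonline", "isl online"),
}

# Lures were disguised as meeting / collaboration material (e.g. fake Teams content).
LURE_RE = re.compile(r"teams|meeting|collab|agenda|invite", re.IGNORECASE)
# User-writable locations where a downloaded MSI or an extracted archive would sit.
USER_PATH_RE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\", re.IGNORECASE)


def classify_rmm(image: str):
    """Return the RMM family name for an image path, or None if it is not an RMM."""
    low = image.lower()
    for family, hints in RMM_HINTS.items():
        if any(h in low for h in hints):
            return family
    return None


def find_lure_msi(events):
    """Stage 1: msiexec.exe installing a package from a user-writable path whose
    file name reads like meeting or collaboration material."""
    return [
        ev["ProcessId"]
        for ev in events
        if ev["Image"].lower().endswith("\\msiexec.exe")
        and USER_PATH_RE.search(ev["CommandLine"])
        and LURE_RE.search(ev["CommandLine"])
    ]


def find_rmm_from_installer(events):
    """Stage 2: an RMM agent whose parent is msiexec.exe rather than the service
    control manager or an enterprise software-deployment tool."""
    return [
        (classify_rmm(ev["Image"]), ev["ProcessId"])
        for ev in events
        if classify_rmm(ev["Image"])
        and ev["ParentImage"].lower().endswith("\\msiexec.exe")
    ]


def find_rmm_chain(events):
    """Stage 3: one RMM tool spawning a different RMM tool, the hands-on-keyboard
    pattern (PDQ Connect used to install ISL Online) noted in the report."""
    hits = []
    for ev in events:
        parent = classify_rmm(ev["ParentImage"])
        child = classify_rmm(ev["Image"])
        if parent and child and parent != child:
            hits.append((parent, child, ev["ProcessId"]))
    return hits


def hunt(events):
    """Run all three stages and return the findings keyed by stage."""
    return {
        "lure_msi": find_lure_msi(events),
        "rmm_from_installer": find_rmm_from_installer(events),
        "rmm_chain": find_rmm_chain(events),
    }


# Constructed sample telemetry: three events forming the malicious chain plus two
# benign ones (a managed MSI deployment and a PDQ agent started by services.exe).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 3300,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\jdoe\Downloads\Teams_Meeting_Materials.msi" /qn',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Program Files\PDQ\PDQConnectAgent\PDQConnectAgent.exe",
     "CommandLine": r'"C:\Program Files\PDQ\PDQConnectAgent\PDQConnectAgent.exe"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"ProcessId": 5021, "ParentProcessId": 4188,
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\ISLLightClient.exe",
     "CommandLine": r'"C:\Users\jdoe\AppData\Local\Temp\ISLLightClient.exe" /silent',
     "ParentImage": r"C:\Program Files\PDQ\PDQConnectAgent\PDQConnectAgent.exe"},
    {"ProcessId": 6100, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\ProgramData\Corp\Packages\7zip.msi" /qn',
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
    {"ProcessId": 6200, "ParentProcessId": 700,
     "Image": r"C:\Program Files\PDQ\PDQConnectAgent\PDQConnectAgent.exe",
     "CommandLine": r'"C:\Program Files\PDQ\PDQConnectAgent\PDQConnectAgent.exe"',
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for stage, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{stage}: {hits}")
```

Stage 2 and stage 3 are the ones worth alerting on: a legitimate RMM agent installed by a user-launched msiexec, or one RMM product spawning another, should be rare where software is deployed through a management platform. Stage 1 alone is noisy and is better used as context when the other two fire. On a real host the elevated install runs under the msiexec service with services.exe as its parent, so the parent-child relationships above are simplified and the stage 2 check may need to key on the package path instead.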
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Commercial & Professional Services
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Where they're from
Attributed origin per open-source reporting.
- 🇮🇷 Iran (IR)
Tradecraft
9 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Observables
7 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Human-centric espionage targeting US academics and policy experts through impersonation, credential harvesting, and follow-on persistent access using commercial remote management tools.
Conducting phishing and supply chain attacks targeting high-value individuals and enterprise networks, leveraging fake platforms and developer tools.
Suspected Iran-nexus espionage cluster targeting academics/foreign policy experts using social engineering rapport-building, benign conversation starters, themed infrastructure, file-hosting spoofs, and RMM tooling; attribution overlaps with multiple known Iranian groups.
Targeted Iranian-aligned espionage activity against U.S. policy experts using social engineering, credential phishing, and follow-on tooling (MSI delivery leading to RMM) consistent with hands-on-keyboard intrusion.