#1 Middle East & Africa Trusted Cybersecurity News & Magazine |

Thursday, November 27, 2025

Inside “SmudgedSerpent”: Unmasking a New Iranian Espionage Operation Targeting Global Policy Experts

In a new report, researchers at Proofpoint describe an espionage campaign by an Iranian-aligned threat cluster they designate UNK_SmudgedSerpent (Proofpoint's UNK_ prefix marks activity not yet attributed to a known group). Between June and August 2025, the group ran targeted phishing operations against academics and foreign policy experts, particularly those focused on Iranian affairs.

UNK_SmudgedSerpent's campaigns followed a familiar but increasingly refined playbook: social engineering, impersonation of trusted experts, and weaponized email threads. Using attacker-registered Gmail and Outlook accounts whose names imitated credible figures from institutions such as the Brookings Institution and the Washington Institute, the operators opened with friendly, legitimate-looking discussions before delivering malicious links.

The lures revolved around topics such as Iranian political reform, the activities of the Islamic Revolutionary Guard Corps (IRGC), or regional geopolitical shifts, subjects chosen to resonate with policy experts and researchers. Once a rapport was established, the actor sent URLs disguised as OnlyOffice or Microsoft Teams meeting invitations, leading to phishing pages built to harvest credentials or to deliver remote monitoring and management (RMM) tools.

Familiar Techniques, New Identity

Proofpoint's analysis found strong overlaps between UNK_SmudgedSerpent and known Iranian groups, including TA453 (Charming Kitten / Mint Sandstorm), TA455 (Smoke Sandstorm), and TA450 (MuddyWater). Despite these similarities, the researchers caution that the overlaps fall short of a confident attribution.

The actor's use of health-themed domains such as thebesthomehealth[.]com and mosaichealthsolutions[.]com, redirecting to counterfeit Microsoft 365 or OnlyOffice pages, mirrors the tactics of TA455. Meanwhile, the deployment of RMM tools such as PDQ Connect and ISL Online, which is uncommon among state-linked espionage groups, suggests influence from or shared infrastructure with TA450.

The group’s name, “SmudgedSerpent,” reflects this blend of blurred attribution and evolving tactics—a serpent slithering between known threat ecosystems.

Espionage by Deception

The attackers’ social engineering tactics were polished. In one case, they impersonated Dr. Suzanne Maloney, a Brookings Institution executive, using a Gmail variant of her name. After an initial exchange, they invited the target to a supposed meeting, sharing a malicious link disguised as an OnlyOffice file repository.

Another variant impersonated Patrick Clawson of the Washington Institute, reaching out to U.S. and Israeli academics under the pretext of discussing IRGC operations. Each interaction was meticulously crafted to appear credible, using real experts’ research topics and correct institutional references to disarm suspicion.
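The two lure traits described above, a known expert's name on a free webmail address and an "OnlyOffice" or "Teams" link that resolves to an unrelated host, can be checked mechanically at the mail gateway. The script below is an added example, not tooling from Proofpoint or from this publication; the expert roster, the institutional domains, the list of legitimate service hosts and the sample message are all constructed for illustration (the health-themed domain in the sample is the one named in the report).

```python
"""Flag a message whose display name matches a known expert while the
sender address lives on free webmail, and whose links claim to be an
OnlyOffice or Teams invite while pointing elsewhere.

Added example, not tooling from Proofpoint or the publication. The expert
roster, institutional domains, legitimate service hosts and the sample
message are all constructed for illustration."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed roster: people who should only ever write from these domains.
KNOWN_EXPERTS = {
    "suzanne maloney": "brookings.edu",
    "patrick clawson": "washingtoninstitute.org",
}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Assumed legitimate hosts for the services the lures imitate; add your own
# self-hosted OnlyOffice instance here or the rule will flag it.
CLAIMED_SERVICE_HOSTS = {
    "onlyoffice": ("onlyoffice.com",),
    "teams": ("teams.microsoft.com", "teams.live.com"),
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def _host_matches(host, allowed):
    return any(host == a or host.endswith("." + a) for a in allowed)


def check_sender(from_header):
    """Known expert's display name combined with an address outside their institution."""
    name, addr = parseaddr(str(from_header))
    domain = addr.rsplit("@", 1)[-1].lower()
    norm = " ".join(name.lower().split())
    findings = []
    for expert, home in KNOWN_EXPERTS.items():
        if expert in norm and domain != home:
            kind = "free webmail" if domain in FREE_WEBMAIL else "unexpected domain"
            findings.append(
                f"display name '{name}' matches {expert} but sender is "
                f"{addr} ({kind}; expected @{home})"
            )
    return findings


def check_links(body, is_html):
    """A link that names OnlyOffice/Teams (in href or anchor text) but resolves elsewhere."""
    if is_html:
        collector = _LinkCollector()
        collector.feed(body)
        links = collector.links
    else:
        links = [(u, "") for u in URL_RE.findall(body)]
    findings = []
    for href, text in links:
        host = (urlparse(href).hostname or "").lower()
        claim_space = (href + " " + text).lower()
        for service, legit in CLAIMED_SERVICE_HOSTS.items():
            if service in claim_space and not _host_matches(host, legit):
                findings.append(f"link presented as {service} points at {host}: {href}")
    return findings


def analyze(raw_message):
    """Return all findings for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = check_sender(msg.get("From", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        findings += check_links(body.get_content(), body.get_content_type() == "text/html")
    return findings


# Constructed sample modelled on the lure in the report: a Gmail variant of an
# expert's name and an "OnlyOffice" link hosted on a health-themed domain.
SAMPLE = """\
From: Dr. Suzanne Maloney <suzanne.maloney.brookings@gmail.com>
To: researcher@example.org
Subject: Follow-up on IRGC dynamics
Content-Type: text/html; charset="utf-8"

<p>Thanks for the exchange. The draft is in our OnlyOffice workspace:</p>
<p><a href="https://thebesthomehealth.com/onlyoffice/share?id=draft">Open in OnlyOffice</a></p>
<p>Call details: <a href="https://teams.microsoft.com/l/meetup-join/abc">Teams meeting</a></p>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("FLAG:", finding)
```

On the sample the sender check fires (the expert's name on gmail.com) and the OnlyOffice link fires (it points at thebesthomehealth.com), while the genuine Teams link is left alone. Organizations that self-host OnlyOffice must add their own instance to CLAIMED_SERVICE_HOSTS, and the roster only covers people you have chosen to list; it is a complement to DMARC, not a replacement, because mail from a real Gmail account passes SPF, DKIM and DMARC cleanly.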

The Bigger Picture: Iran’s Cyber Intelligence Apparatus

Iran’s state-linked cyber ecosystem has long been characterized by fluid boundaries, shared infrastructure, and overlapping personnel. Proofpoint researchers hypothesize that SmudgedSerpent could be the result of:

  • Centralized procurement of tools and domains shared among multiple threat groups;
  • Personnel mobility, where operators move between units;
  • Cross-agency collaboration between Iran's Ministry of Intelligence and Security (MOIS) and the IRGC's cyber directorate.

Regardless of its exact origin, the emergence of UNK_SmudgedSerpent underscores the persistence of Iranian cyber operations targeting academic, governmental, and geopolitical circles—especially those focused on Middle Eastern security dynamics.

Why It Matters

For organizations across the Middle East and Africa (MEA), this campaign is a sharp reminder of how espionage and influence operations increasingly exploit human trust rather than just technological flaws. Think tanks, policy institutions, and media outlets—often overlooked in traditional cybersecurity models—are now prime targets for sophisticated phishing and intelligence-gathering efforts.

10 Recommended Actions for Security Teams

  1. Enforce SPF, DKIM and DMARC on your own domains so that nobody can send mail as you. Note the limit: SmudgedSerpent wrote from real Gmail and Outlook accounts, which pass those checks, so pair them with external-sender tagging and rules that flag a known expert's display name arriving from a free webmail address.
  2. Train staff, especially researchers who correspond with outside experts, on lures that open with a plausible, on-topic conversation and only later deliver a link.
  3. Enforce multi-factor authentication (MFA) on email and document platforms, preferring phishing-resistant methods such as FIDO2 security keys or passkeys, since credential-harvesting pages defeat passwords alone.
  4. Monitor sign-in logs for logins from unfamiliar IPs, geographies or devices, particularly after a reported phishing email.
  5. Block unapproved RMM tools such as PDQ Connect and ISL Online by policy, and alert on any RMM agent installed from a user's Downloads or Temp folder rather than through IT's deployment pipeline.
  6. Ingest the indicators of compromise (IoCs) from Proofpoint's report, including the health-themed domains, into email, DNS and web-proxy blocklists.
  7. Run phishing simulations that model this campaign's multi-step conversational approach against researchers and executives.
  8. Apply Zero Trust principles (least-privilege access, per-request authentication); Saintynet Cybersecurity publishes resources on this.
  9. Establish a clear incident response playbook for suspected credential theft: revoke active sessions, reset credentials and review mailbox rules.
  10. Keep collaboration tools such as OnlyOffice, Teams and Zoom patched and audited, remembering that this campaign imitated those services with counterfeit pages rather than exploiting flaws in them.
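Recommendation 5 above turns on one observation from the report: a phishing-delivered RMM agent does not look like an IT deployment. It runs under the victim's account, from a folder the user can write to, often spawned by the browser or mail client that delivered the link, and it is not the product the organization sanctions. The script below is an added example of that triage over Sysmon-style process-creation events, not Proofpoint's detection logic. The executable-name substrings for ISL Online and PDQ Connect, the sanctioned product "ApprovedRMM", the deployment accounts and the event lines are assumptions or constructed data; verify the names against your own software inventory before using them.

```python
"""Triage Sysmon-style process-creation events for RMM agents that arrive the
way SmudgedSerpent delivers them: started by the user, from a user-writable
folder, spawned by a browser or mail client, and not the product IT deploys.

Added example, not Proofpoint's detection logic. The executable-name
substrings, the sanctioned product 'ApprovedRMM', the deployment accounts and
the sample events are assumptions or constructed data."""
import json
import ntpath

# Assumed substrings, matched against the full image path plus command line.
RMM_SIGNATURES = {
    "isl online": ("isllight", "islonline"),
    "pdq connect": ("pdq-connect", "pdqconnect"),
    "approvedrmm": ("approvedrmm",),  # constructed stand-in for the sanctioned tool
}
APPROVED_FAMILIES = {"approvedrmm"}
# Accounts that legitimately install agents (constructed).
APPROVED_DEPLOYERS = {"nt authority\\system", "corp\\svc-deploy"}
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
# Parents that hand a phished file to the user: browsers and the mail client.
LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def identify_family(image, command_line):
    """Map a process to an RMM family, or None if it is not an RMM binary."""
    haystack = (image + " " + command_line).lower()
    for family, needles in RMM_SIGNATURES.items():
        if any(n in haystack for n in needles):
            return family
    return None


def triage_event(event):
    """Return a finding dict, or None when the event is an expected deployment."""
    image = event.get("Image", "")
    family = identify_family(image, event.get("CommandLine", ""))
    if family is None:
        return None
    reasons = []
    if family not in APPROVED_FAMILIES:
        reasons.append(f"unapproved RMM family '{family}'")
    user = event.get("User", "")
    if user.lower() not in APPROVED_DEPLOYERS:
        reasons.append(f"launched by non-deployment account {user}")
    if any(h in image.lower() for h in USER_WRITABLE_HINTS):
        reasons.append("binary runs from a user-writable path")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in LURE_PARENTS:
        reasons.append(f"spawned by {parent}, consistent with a link-delivered install")
    if not reasons:
        return None
    return {"host": event.get("Computer"), "user": user, "image": image,
            "family": family, "reasons": reasons}


def triage(jsonl):
    """Run triage over newline-delimited JSON events; return only the findings."""
    events = (json.loads(line) for line in jsonl.splitlines() if line.strip())
    return [f for f in map(triage_event, events) if f]


# Constructed events: one sanctioned agent started by the service manager as
# SYSTEM, two user-launched installers from Downloads/Temp, one benign process.
SAMPLE_EVENTS = r"""
{"Computer": "WS-POLICY-07", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Program Files\\ApprovedRMM\\agent.exe", "CommandLine": "\"C:\\Program Files\\ApprovedRMM\\agent.exe\" --service", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Computer": "WS-POLICY-07", "User": "CORP\\analyst", "Image": "C:\\Users\\analyst\\Downloads\\ISLLight.exe", "CommandLine": "\"C:\\Users\\analyst\\Downloads\\ISLLight.exe\"", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"Computer": "WS-POLICY-12", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\pdq-connect-agent-setup.exe", "CommandLine": "pdq-connect-agent-setup.exe /quiet", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Computer": "WS-POLICY-12", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["host"], finding["family"], "->", "; ".join(finding["reasons"]))
```

The sanctioned agent produces no finding because every signal is consistent with IT deployment; the ISL Online binary trips all four checks, and the PDQ Connect installer trips three. The same logic ports directly to a SIEM rule, and the value lies in scoring the deployment context rather than the tool name alone: a sanctioned RMM launched by a user from Downloads should still be investigated.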

Conclusion

The SmudgedSerpent campaign is a stark reminder that espionage in the digital era does not always begin with malware; it begins with a conversation. As threat actors evolve, their ability to impersonate, manipulate, and embed themselves in legitimate professional exchanges continues to blur the line between social engineering and cyberwarfare.

For policy researchers, academics, and cybersecurity teams, vigilance is no longer optional; it is an operational necessity.

According to Proofpoint’s analysis, SmudgedSerpent may not be the last of its kind, but it’s a clear signal that cyber intelligence operations are becoming increasingly human-focused—and that awareness is the new front line of defense.
