According to Infosecurity Magazine, a previously unknown cyber actor called UNK_SmudgedSerpent targeted academics and foreign policy experts between June and August 2025. The group focused specifically on individuals studying Iran and global political developments, starting with seemingly harmless conversations before escalating to credential theft and malware delivery. Proofpoint researchers observed the campaign beginning in June with emails discussing economic strains in Iran sent to more than 20 US think tank experts. Attackers impersonated Brookings Institution vice president Suzanne Maloney using a slightly misspelled Gmail account, then later spoofed policy expert Patrick Clawson while targeting an academic believed to be Israeli. The group used OnlyOffice-styled links that ultimately led to health-themed domains collecting credentials and delivering ZIP files containing MSI installers for remote monitoring tools.
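The initial lure in this campaign rested on a familiar weak spot: a trusted display name paired with a sender address that is almost, but not quite, the real one (the misspelled Gmail account standing in for a Brookings address). The check below is an added illustration of how a mail gateway or triage script can flag that pattern; it is not Proofpoint's tooling or anything from the original article. The address book, the free-mail domain list, the edit-distance threshold and every From: header in it are constructed for the example.

```python
"""Flag From: headers whose display name belongs to a known contact but whose
address is a near-miss of the real one (typo'd local part or domain, or the
real local part moved onto a free-mail provider).

Added example for this article, not code from Proofpoint or the article's
author. Names, addresses and thresholds are all assumed/constructed."""
from email.utils import parseaddr

# Constructed address book: lower-cased display name -> legitimate address.
KNOWN_CONTACTS = {
    "jane researcher": "jane.researcher@thinktank.example",
    "sam analyst": "sam.analyst@institute.example",
}

# Assumed: providers where anyone can register any display name.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Assumed threshold: how many single-character edits still count as a lookalike.
MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute), standard DP, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Classify one From: header.

    legit      display name and address both match the address book
    lookalike  display name matches a contact, and the address is either within
               MAX_EDITS of the real one (typo in local part or domain) or has a
               near-identical local part on a free-mail domain
    name-only  display name matches a contact but the address is unrelated
    unknown    display name is not in the address book at all
    """
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    real = KNOWN_CONTACTS.get(name)
    if real is None:
        return "unknown"
    if addr == real:
        return "legit"
    real_local = real.partition("@")[0]
    local, _, domain = addr.partition("@")
    if levenshtein(addr, real) <= MAX_EDITS:
        return "lookalike"          # e.g. one letter dropped from local part or domain
    if domain in FREE_MAIL_DOMAINS and levenshtein(local, real_local) <= MAX_EDITS:
        return "lookalike"          # real-looking local part, free-mail domain
    return "name-only"


def triage(headers):
    """Return [(header, verdict), ...] for a batch of From: headers, flagging the
    lookalike and name-only cases a human reviewer should look at first."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers (not real senders).
    SAMPLE = [
        "Jane Researcher <jane.researcher@thinktank.example>",
        "Jane Researcher <jane.reseacher@thinktank.example>",
        "Jane Researcher <jane.researcher@gmail.com>",
        "Sam Analyst <sam.analyst@institute.examp1e>",
        "Jane Researcher <promo@random.example>",
        "Unknown Person <x@y.example>",
    ]
    for header, verdict in triage(SAMPLE):
        print(f"{verdict:10s} {header}")
```

The two lookalike rules are deliberately narrow: a close edit distance on the full address catches a dropped or swapped letter in either the local part or the domain, and the free-mail rule catches the exact local part of a real organisational address re-registered at a consumer provider. Anything else that borrows a known name is reported as name-only so it is still surfaced, just with a different priority.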
The Attribution Puzzle
Here’s where things get really interesting. UNK_SmudgedSerpent doesn’t cleanly match any single known Iranian threat group. Proofpoint says they share traits with TA453, TA455, and TA450, but the overlaps aren’t strong enough for definitive attribution. The group used a weird combination of tools too – PDQConnect and later ISL Online, which researchers found unusual for nation-state operations. Basically, they’re borrowing techniques from multiple playbooks but creating their own unique signature.
What This Actually Means
So what’s really going on here? Proofpoint suggests this could indicate personnel movement between Iranian contracting outfits or shared infrastructure procurement. The timing aligned with heightened Iran-Israel tensions, but researchers found no direct connection to those events. And that’s the scary part – this appears to be business as usual for Iranian intelligence collection, not some special operation. The targeting of Iran foreign policy experts continues to reflect the government’s ongoing intelligence priorities. But the blending of lure styles, infrastructure, and malware across known clusters makes attribution incredibly difficult.
The Campaign Isn’t Over
Just because UNK_SmudgedSerpent stopped appearing in email telemetry in early August doesn’t mean they’re gone. Infrastructure tied to the group later surfaced hosting TA455-linked malware, indicating continued overlap and the possibility of ongoing operations. This pattern of infrastructure reuse and technique blending suggests we’re seeing evolution in how these groups operate. They’re learning, adapting, and making attribution harder than ever. You can read Proofpoint’s full analysis for the technical details, but the bottom line is clear: academic and policy experts remain high-value targets for sophisticated espionage campaigns.
