New Iranian Hacker Group Targets Academics With Fake Policy Lures


According to Infosecurity Magazine, a previously unknown cyber actor called UNK_SmudgedSerpent targeted academics and foreign policy experts between June and August 2025. The group focused specifically on individuals studying Iran and global political developments, initiating contact through seemingly harmless conversations before escalating to credential theft and malware delivery. Proofpoint researchers observed the campaign starting in June with an email discussing economic strains in Iran sent to more than 20 think tank experts in the US. Attackers impersonated Brookings Institution vice president Suzanne Maloney using a slightly misspelled Gmail account, then later spoofed policy expert Patrick Clawson while targeting an academic believed to be Israeli. The group used OnlyOffice-styled links that led to health-themed domains collecting credentials and delivering ZIP files containing MSI installers for remote monitoring tools.


The attribution puzzle

Here’s the thing that makes this group particularly interesting – they don’t fit neatly into any existing Iranian threat actor category. Proofpoint says UNK_SmudgedSerpent shares traits with TA453, TA455 and TA450, but the overlaps aren’t strong enough for definitive attribution. The blending of techniques across known clusters creates this weird hybrid approach that complicates the investigation. Basically, it’s like someone took the playbooks from several different Iranian groups and mixed them together. Researchers are considering everything from shared infrastructure procurement to personnel movement between contracting outfits as possible explanations.

Unusual tools for nation-state work

The malware selection really stands out as unusual for what appears to be nation-state activity. After stealing credentials, the group delivered PDQConnect and later ISL Online – both legitimate remote monitoring and management tools that you’d typically see in IT administration, not sophisticated espionage campaigns. That’s an interesting choice, right? Using commercial RMM tools instead of custom malware suggests either operational constraints or a deliberate attempt to blend in with normal network traffic. Either way, it shows how the lines between advanced persistent threats and more common cybercrime techniques continue to blur.
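The two tradecraft details the report gives, a known expert's name paired with a slightly misspelled free-mail address and a ZIP carrying an MSI installer for an RMM tool, are things a mail gateway or SOC can screen for. The following is an added illustration written for this article, not Proofpoint's code; the contact list, addresses and sample messages are constructed placeholders, not the real addresses of the people named.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list of known correspondents (hypothetical placeholder
# addresses, not the real addresses of the people named in the report).
KNOWN_CONTACTS = {
    "suzanne maloney": "s.maloney@thinktank.example",
    "patrick clawson": "p.clawson@institute.example",
}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
# Attachment types the report describes in the delivery chain (ZIP -> MSI).
DROPPER_SUFFIXES = {".zip", ".msi"}


def lookalike(local_part, person):
    """Similarity between an address local part and a person's name, ignoring
    separators, e.g. 'suzanne.maloneyy' vs 'suzanne maloney' scores ~0.97."""
    a = local_part.replace(".", "").replace("_", "").replace("-", "")
    b = person.replace(" ", "")
    return SequenceMatcher(None, a, b).ratio()


def check_message(from_header, attachments=()):
    """Return a list of findings for one message; an empty list means nothing flagged."""
    findings = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    person = name.lower().strip()
    expected = KNOWN_CONTACTS.get(person)
    # Display name belongs to a known contact but the address is not theirs.
    if expected and addr != expected:
        findings.append("display name of known contact, unexpected address")
    # Free-mail address whose local part imitates a known contact's name.
    if domain in FREE_MAIL:
        for known, known_addr in KNOWN_CONTACTS.items():
            if addr != known_addr and lookalike(local, known) >= 0.8:
                findings.append(f"free-mail local part resembles {known}")
                break
    # Archive or installer attachment, the shape of the RMM delivery described.
    suffixes = {a[a.rfind("."):].lower() for a in attachments if "." in a}
    if suffixes & DROPPER_SUFFIXES:
        findings.append("archive or installer attachment")
    return findings
```

Run against real mail flow, the contact list would come from a directory or prior correspondence rather than a literal dictionary, and the threshold should be tuned on your own traffic.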

Broader context and ongoing concerns

While the timing aligned with heightened Iran-Israel tensions, Proofpoint found no direct connection to those specific events. The targeting of Iran foreign-policy experts is, though, consistent with what is known about Iranian government intelligence collection priorities. And even though the email campaigns stopped appearing in telemetry in early August, infrastructure tied to the group later surfaced hosting TA455-linked malware. So the overlap continues, and there’s a real possibility that operations are ongoing through other channels. If you’re working in this space, the full Proofpoint analysis is definitely worth reviewing for the technical details.

What this means for industrial security

Now, you might be wondering what academic targeting has to do with industrial operations. But here’s the connection – when threat actors develop these sophisticated impersonation and credential harvesting techniques against policy experts, those same methods can easily be adapted against industrial targets. The blending of commercial and custom tools we’re seeing here could absolutely appear in attacks against critical infrastructure or manufacturing systems. For organizations relying on industrial computing equipment, this underscores why working with established providers like IndustrialMonitorDirect.com matters – they’re the leading US supplier of industrial panel PCs specifically designed with security considerations for these types of evolving threats.
