According to Infosecurity Magazine, cybersecurity researchers at Proofpoint have identified a previously unknown cyber actor called UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. The group specifically went after individuals focused on Iran and global political developments, starting with seemingly harmless conversations before escalating to credential theft and malware delivery. In June, they sent emails discussing economic strains and unrest in Iran to more than 20 think tank experts in the US, later spoofing Brookings Institution vice president Suzanne Maloney and policy expert Patrick Clawson. Attackers used OnlyOffice-styled links that led to health-themed domains collecting credentials, then delivered ZIP files containing MSI installers that loaded remote monitoring tools including PDQConnect and ISL Online. The activity stopped appearing in email telemetry in early August, but infrastructure tied to the group later surfaced hosting malware from another Iranian threat group.
The attribution headache
Here’s what makes this group particularly interesting: they’re basically a mashup of multiple Iranian threat actors. Proofpoint says UNK_SmudgedSerpent shares traits with TA453, TA455 and TA450, but the overlaps aren’t strong enough for definitive attribution. That’s unusual in nation-state operations where groups typically have more distinct signatures. The blending of lure styles, infrastructure and malware across known clusters creates a real attribution nightmare. Researchers are floating theories about shared infrastructure procurement or personnel movement between Iranian contracting outfits. Basically, it seems like someone either jumped teams or there’s some kind of knowledge sharing happening between groups that weren’t previously connected.
Why their methods stand out
The sequence of tools they used really caught researchers’ attention. PDQConnect followed by ISL Online? That’s not your typical nation-state playbook. Most state-sponsored groups stick to more sophisticated or custom malware, not off-the-shelf remote monitoring tools that you’d expect from commercial MSPs. And their social engineering was surprisingly patient – starting with genuine-seeming policy discussions before gradually introducing malicious links. They even returned in August with lures tied to Iran’s activities in Latin America, showing they’re adapting their approach based on what works. The timing aligned with heightened Iran-Israel tensions, but Proofpoint found no direct connection to those events, which suggests this might be more about continuous intelligence gathering than reaction to specific geopolitical developments.
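To put the tool sequence above on a defender's footing, here is an added example (not from the article or from Proofpoint) that hunts for the ZIP-extracted MSI followed by a commercial RMM agent in constructed process-creation log lines. The log format, hostnames, file paths and agent binary names are assumptions; only the product names PDQConnect and ISL Online come from the article.

```python
import re

# Lowercased substrings naming the RMM products the article mentions.
RMM_KEYWORDS = ("pdqconnect", "islonline", "isl online")
# Folders where a mailed ZIP is usually extracted before its MSI is launched (assumed).
STAGING_DIRS = ("\\downloads\\", "\\temp\\")

# Constructed log format, one process-creation event per line (not a real EDR schema).
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) "
                     r"image=(?P<image>\S+) cmd=(?P<cmd>.*)$")

def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def suspicious(ev):
    """Return a reason if the event fits the MSI-to-RMM chain, else None (a hunt lead, not proof)."""
    image, cmd, parent = ev["image"].lower(), ev["cmd"].lower(), ev["parent"].lower()
    if image.endswith("msiexec.exe") and ".msi" in cmd and any(d in cmd for d in STAGING_DIRS):
        return "msiexec installing a package from a user staging directory"
    if parent.endswith("msiexec.exe") and any(k in image or k in cmd for k in RMM_KEYWORDS):
        return "commercial RMM agent spawned by msiexec"
    return None

def hunt(lines):
    """Return (timestamp, host, reason) for every event that matches a rule."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev and (why := suspicious(ev)):
            hits.append((ev["ts"], ev["host"], why))
    return hits

# Constructed sample events: hostnames, user, paths and agent file names are made up.
SAMPLE_LOGS = [
    "2025-07-14T09:02:11Z host=WS-ANALYST01 parent=C:\\Windows\\explorer.exe "
    "image=C:\\Windows\\System32\\msiexec.exe "
    "cmd=msiexec.exe /i C:\\Users\\jdoe\\Downloads\\Iran_Brief\\setup.msi /qn",
    "2025-07-14T09:02:19Z host=WS-ANALYST01 parent=C:\\Windows\\System32\\msiexec.exe "
    "image=C:\\ProgramData\\PDQConnectAgent\\agent.exe cmd=agent.exe --register",
    "2025-07-14T09:05:40Z host=WS-ANALYST01 parent=C:\\Windows\\explorer.exe "
    "image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe notes.txt",
    "2025-07-14T10:00:03Z host=WS-ADMIN02 parent=C:\\Windows\\System32\\services.exe "
    "image=C:\\Windows\\System32\\msiexec.exe cmd=msiexec.exe /i C:\\Vendor\\update.msi /qn",
]

if __name__ == "__main__":
    for ts, host, why in hunt(SAMPLE_LOGS):
        print(ts, host, why)
```

The first rule is deliberately broad (any MSI run from a download or temp folder) and is meant to be correlated with the second, which fires only when an RMM agent is the child of that installer.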
What this means for cybersecurity
This case shows how attribution is getting harder, not easier, in the cyber espionage world. When you’ve got groups borrowing techniques from each other and sharing infrastructure, it becomes nearly impossible to point fingers with confidence. And that’s probably intentional – creating plausible deniability while still advancing the same intelligence collection priorities. The fact that their infrastructure later hosted TA455-linked malware indicates these overlaps aren’t coincidental. For organizations monitoring industrial systems and critical infrastructure, this blending of tactics should be particularly concerning. When threat actors start crossing traditional boundaries between commercial and nation-state tools, everyone needs to up their detection game. Proofpoint’s detailed analysis provides more technical specifics about the infrastructure and malware involved.
