Iranian Hackers Targeting Academics and Foreign Policy Experts Using RMM Tools

A previously unidentified Iranian threat actor has emerged with sophisticated social engineering tactics aimed at academics and foreign policy experts across the United States.

Operating between June and August 2025, this campaign demonstrates the evolving landscape of state-sponsored cyber espionage, where attackers blend traditional phishing techniques with legitimate remote management tools to compromise high-value targets.

The operation, tracked as UNK_SmudgedSerpent, represents a concerning development in Iranian cyber operations, showcasing advanced technical capabilities and patient reconnaissance methods.

The threat actor initiated contact through seemingly benign emails discussing sensitive topics such as Iran’s economic crisis, societal reform, and IRGC militarization.

These carefully crafted messages impersonated prominent figures like Dr. Suzanne Maloney from the Brookings Institution and Patrick Clawson from the Washington Institute, using freemail accounts with slight misspellings to evade detection.

Targets received collaboration requests on research projects examining domestic Iranian political developments, designed to establish trust before transitioning to malicious activities.

Proofpoint security researchers identified UNK_SmudgedSerpent after investigating suspicious email activity targeting over 20 individuals at a US-based think tank.

The campaign revealed overlapping tactics with known Iranian groups including TA455, TA453, and TA450, creating attribution challenges.

Researchers noted the actor’s use of health-themed infrastructure domains such as thebesthomehealth[.]com and mosaichealthsolutions[.]com, along with OnlyOffice file-hosting platform spoofs to deliver malicious payloads.

These domains functioned as redirection points, masquerading as legitimate cloud collaboration services.

The infection chain began with credential harvesting attempts using customized Microsoft 365 login pages that pre-loaded victim information.

When initial phishing attempts failed, the attackers adapted their approach, removing password requirements and presenting spoofed OnlyOffice login portals.

Once targets accessed these fraudulent pages, they encountered document repositories hosting seemingly legitimate PDFs alongside malicious ZIP archives containing MSI files.

Dual RMM Deployment and Persistent Access

The technical execution revealed a sophisticated multi-stage approach centered on remote management and monitoring software abuse.

Upon downloading and executing the malicious MSI file from the compromised OnlyOffice spoof, victims unknowingly installed PDQConnect, a legitimate RMM tool commonly used for IT administration.

Infection chain with known actor overlaps (Source: Proofpoint)

This initial deployment established baseline access to victim systems, allowing threat actors to conduct reconnaissance and assess target value.

Following the PDQConnect installation, researchers observed suspected hands-on-keyboard activity where attackers leveraged their initial access to deploy a secondary RMM solution called ISL Online.

This sequential deployment strategy remains partially understood, though analysts suggest it may serve as redundancy or specialized functionality for different operational phases.

The use of legitimate commercial RMM tools, rather than custom malware, provides operational security advantages by blending malicious traffic with normal IT management activities and evading signature-based detection systems.
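Because the tools themselves are legitimate, detection has to key on policy rather than signatures. As an added defensive example (not from the article or Proofpoint), the Python below checks constructed MSI install events for two things the infection chain above describes: an RMM product that is not on the organisation's allowlist, and two different RMM tools landing on the same host within a short window (PDQ Connect followed by ISL Online). The log line format, host names and the `APPROVED_RMM` set are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the organisation sanctions exactly one RMM product; anything else is suspect.
APPROVED_RMM = {"approved-rmm"}
# Product-name patterns for the two RMM tools named in the report (constructed list).
RMM_PATTERNS = {
    "pdq connect": re.compile(r"pdq\s*connect", re.I),
    "isl online": re.compile(r"isl\s*online", re.I),
}
# Constructed log format; real MsiInstaller events (ID 11707 = installation completed) differ.
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) event_id=(?P<eid>\d+) product="(?P<product>[^"]+)"')

# Constructed sample: PDQ Connect then ISL Online on one host, as the report describes.
SAMPLE_LOG = [
    '2025-07-14T09:12:03Z host=WS-17 event_id=11707 product="PDQ Connect Agent"',
    '2025-07-14T09:12:40Z host=WS-17 event_id=11707 product="Adobe Acrobat Reader"',
    '2025-07-14T13:47:22Z host=WS-17 event_id=11707 product="ISL Online Client"',
    '2025-07-15T08:00:00Z host=WS-22 event_id=11707 product="Microsoft Teams"',
    '2025-07-15T08:05:00Z host=WS-22 event_id=11724 product="PDQ Connect Agent"',  # not an install
]

def parse_install_events(lines):  # yields (timestamp, host, product) for completed installs only
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["eid"] == "11707":
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["host"], m["product"]

def classify_rmm(product):  # RMM family the product name matches, or None
    return next((name for name, pat in RMM_PATTERNS.items() if pat.search(product)), None)

def find_rmm_alerts(lines, window=timedelta(hours=24)):
    # Flag unapproved RMM installs, and two different RMM tools on one host within `window`.
    alerts, per_host = [], defaultdict(list)
    for ts, host, product in parse_install_events(lines):
        rmm = classify_rmm(product)
        if rmm is None:
            continue
        if rmm not in APPROVED_RMM:
            alerts.append(("unapproved_rmm", host, rmm))
        per_host[host].append((ts, rmm))
    for host, installs in per_host.items():
        installs.sort()
        for i, (t1, r1) in enumerate(installs):
            for t2, r2 in installs[i + 1:]:
                if r1 != r2 and t2 - t1 <= window:
                    alerts.append(("dual_rmm", host, f"{r1} then {r2}"))
    return alerts
```

Running `find_rmm_alerts(SAMPLE_LOG)` yields two unapproved-RMM alerts and one dual-RMM alert for WS-17, while the uninstall-type event and the non-RMM products produce nothing.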

ISL Online RMM pop-up (Source: Proofpoint)

The campaign’s infrastructure analysis revealed server configuration similarities between UNK_SmudgedSerpent domains and previously identified TA455 operations, particularly the career-themed domain ebixcareers[.]com displaying fake Teams portals.

Additional investigation uncovered files hosted on related infrastructure, including TA455’s custom backdoor MiniJunk and another MSI loader for PDQConnect, further complicating attribution.

Since early August 2025, no additional activity from this actor has been observed, though related infrastructure likely remains operational for future campaigns targeting Iranian foreign policy experts and academic institutions.
