Iran-linked cyber spies blend tactics to target US policy experts
A new cyber-espionage operation targeting US-based Iran analysts has emerged, employing blended tactics from some of Tehran's most well-known hacking groups.
Researchers say this approach points to increasing collaboration and mobility among Iran-linked cyber operators, potentially indicating a new phase in the country's digital intelligence efforts.
Unusual campaign
The group behind this activity, which has been given the temporary label "UNK_SmudgedSerpent," conducted a series of phishing campaigns between June and August 2025.
These campaigns were notable for impersonating prominent foreign policy experts. Among those impersonated were Suzanne Maloney of the Brookings Institution and Patrick Clawson of the Washington Institute.
These phishing attempts were crafted to target fellow analysts, particularly those focused on Iran's internal politics and the Iranian Revolutionary Guard Corps (IRGC). The approach involved delivering emails that appeared to originate from trusted sources within the policy and academic community.
Blended techniques
Proofpoint's researchers observed that this operation merged tactics, techniques, and procedures from three prominent Iranian cyber-espionage units: TA453, also known as Charming Kitten; TA455, also known as Smoke Sandstorm; and TA450, known as MuddyWater. Researchers noted an overlap in methods, but no single group could definitively be credited with the campaign. This overlap suggests a level of resource and knowledge sharing not previously seen between these entities.
The attacks relied on a mix of social engineering, credential theft aimed at Microsoft 365 accounts, and deployment of remote monitoring software typically seen in cybercrime rather than state-linked espionage. This hybrid approach marks a noticeable shift in tradecraft among Iran-related threat activity, combining traditional espionage with techniques more common in the criminal underworld.
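The impersonation described above (a known expert's name on mail that does not come from that expert's institution) is the kind of thing a mail gateway or SIEM rule can catch before a user has to judge it. The following is an added defensive example, not code from the original article or from Proofpoint: it checks the display name of inbound mail against a small directory of trusted contacts and flags messages whose display name matches a known contact while the sending domain does not, or whose Reply-To points somewhere other than the From domain. The contact directory, the domains and the sample messages are constructed placeholders, not the real institutions' mail domains or real campaign artifacts.

```python
"""Flag display-name impersonation of known contacts in inbound mail headers.

Added example; the contact directory and sample messages are constructed.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Hypothetical directory of trusted contacts: normalized display name ->
# set of domains that contact legitimately sends from. Placeholder domains only.
KNOWN_CONTACTS = {
    "suzanne maloney": {"example-thinktank.org"},
    "patrick clawson": {"example-institute.org"},
}


@dataclass
class Finding:
    subject: str
    reason: str


def _normalize(name: str) -> str:
    """Lower-case, strip commas and collapse whitespace so 'Maloney, Suzanne'-style
    variants still compare against the directory key."""
    return " ".join(name.lower().replace(",", " ").split())


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(headers: dict) -> list:
    """Return a list of human-readable reasons this message looks like impersonation.

    headers: dict with 'From', optional 'Reply-To' and 'Subject' header values.
    """
    reasons = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_dom = _domain(from_addr)

    # Rule 1: display name belongs to a known contact but the sending domain is not
    # one that contact uses. This is the classic display-name spoof.
    expected = KNOWN_CONTACTS.get(_normalize(from_name))
    if expected is not None and from_dom not in expected:
        reasons.append(
            f"display name '{from_name}' matches a known contact but sender domain "
            f"'{from_dom}' is not in {sorted(expected)}"
        )

    # Rule 2: Reply-To steers replies to a different domain than the visible sender.
    reply_to = headers.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        rt_dom = _domain(rt_addr)
        if rt_dom and rt_dom != from_dom:
            reasons.append(
                f"Reply-To domain '{rt_dom}' differs from From domain '{from_dom}'"
            )
    return reasons


def scan(messages: list) -> list:
    """Run check_message over a batch and return one Finding per triggered rule."""
    return [
        Finding(m.get("Subject", ""), reason)
        for m in messages
        for reason in check_message(m)
    ]


# Constructed sample headers: one legitimate, one spoofed display name,
# one Reply-To redirect, one unrelated sender.
SAMPLE_MESSAGES = [
    {"From": '"Suzanne Maloney" <s.maloney@example-thinktank.org>',
     "Subject": "Panel follow-up"},
    {"From": '"Suzanne Maloney" <suzanne.maloney.brookings@free-mail.example>',
     "Subject": "Draft for review"},
    {"From": '"Patrick Clawson" <pclawson@example-institute.org>',
     "Reply-To": "<reply@free-mail.example>",
     "Subject": "Quick question"},
    {"From": '"Conference Team" <events@unrelated.example>',
     "Subject": "Registration"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGES):
        print(f"[{f.subject}] {f.reason}")
```

Run as-is, the script reports two findings (the spoofed display name and the Reply-To redirect) and stays silent on the legitimate and unrelated messages. In production the directory would be fed from the organisation's own contact list and the rule output routed to a mail quarantine or SIEM rather than printed; a match is a reason to verify out of band, not proof of compromise.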
Targeted expertise
The campaign's targets were chosen for their expertise on Iranian affairs and their roles analysing the IRGC and domestic Iranian political developments. This closely reflects the ongoing intelligence collection priorities attributed to Iran's Ministry of Intelligence and Security (MOIS) and the IRGC.
Proofpoint's investigation found that targeted individuals were lured with topics relevant to ongoing events in Iran. While the campaign coincided with a period of increased tension between Iran and Israel, researchers stressed there was no clear evidence directly linking attacks to kinetic events or singular geopolitical incidents.
Attribution questions
The emergence of UNK_SmudgedSerpent has raised questions about how Iranian cyber units are organised and whether traditional categorisations of these groups remain accurate. The observed activity suggests coordination, shared personnel or even central direction between cyber and intelligence agencies.
Despite extensive overlaps with previously identified groups, researchers have not attributed the campaign to any one of them with high confidence.
The ongoing evolution in tactics may indicate a deliberate attempt to complicate attribution and analysis of Iranian cyber operations. The new operation builds on well-established infrastructure and methods but introduces enough changes to make direct identification more difficult.
"The abundance of links prevents high confidence attribution to any one of these groups," said Proofpoint researchers.
Continued threat
No further phishing activity linked to UNK_SmudgedSerpent has been observed since August 2025, though researchers believe related campaigns are likely ongoing. The appearance of a new actor using familiar techniques has prompted speculation about personnel shifts or exchanges between teams, though consistent targeting priorities have been maintained.
"The targeting of Iran foreign policy experts continues to reflect the Iranian government's intelligence collection priorities," said Proofpoint researchers.