Shadow Games: The 'SmudgedSerpent' Hackers Slither Into U.S. Policy Circles
Mysterious hackers, blending old tactics with new twists, target American experts as Iran–Israel tensions flare - raising the stakes in global cyber espionage.
Fast Facts
- ‘SmudgedSerpent’ is a new cyber threat group targeting U.S. academics and policy experts on Iran.
- Attacks coincided with Iran–Israel tensions in mid-2025.
- Hackers used fake emails, posing as think tank figures, to lure victims into credential theft.
- Techniques mimic those of known Iranian state-backed groups like Charming Kitten and MuddyWater.
- Malware disguised as Microsoft Teams or OnlyOffice was used to gain remote access to victims’ computers.
The Coiling Threat: How SmudgedSerpent Struck
In the summer of 2025, as tensions between Iran and Israel simmered and headlines warned of conflict, a quieter battle raged in the inboxes of America’s foreign policy elite. A new hacking group, dubbed ‘SmudgedSerpent,’ emerged from the digital underbrush, weaving together classic tricks and fresh deceptions to ensnare experts focused on Iran - right when their insights mattered most.
The operation, uncovered by security researchers at Proofpoint, targeted more than 20 U.S.-based academics and policy specialists. The hackers’ lures were as subtle as a snake’s flickering tongue: emails referencing pressing Iranian issues, invitations to collaborate on timely research, and even impersonations of respected think-tank figures from the Brookings Institution and Washington Institute. The goal was clear - to steal credentials and gain a foothold inside the minds shaping U.S. policy.
Old Tricks, New Disguises
SmudgedSerpent’s methods echo those of infamous Iranian groups like Charming Kitten (TA453) and MuddyWater (TA450), who for years have hunted Western analysts. First, the hackers built trust through innocuous conversations, only to spring their trap: links to fake login pages or “documents” for upcoming meetings. Victims who clicked found themselves on carefully crafted impostor sites - masquerading as Microsoft Teams or OnlyOffice - designed to harvest their Microsoft account passwords.
In a twist, when targets seemed suspicious the attackers sometimes dropped the password-protection pretense and redirected them straight to another phony login page. The payload? Malicious installers disguised as common business tools, which quietly deployed legitimate remote monitoring software like PDQ Connect or ISL Online. This allowed the hackers to potentially watch, record, or control the victim’s computer - like a burglar using a janitor’s keys rather than smashing a window.
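The defensive takeaway from the installer-and-RMM step is that the tooling itself is legitimate, so detection has to rest on context: an RMM product appearing on a host where no such agent is approved, or an installer whose file name advertises one product (Teams, OnlyOffice) while it actually registers another. The script below is an added example, not code from the article or from Proofpoint; the pipe-separated event format, the host allowlist and the installer file names in the sample are all constructed for illustration and do not reflect any real EDR schema or the real installers of the products named.

```python
"""
Flag RMM agent installations that are unapproved for a host, or whose installer
file name impersonates an ordinary business tool.

Added example. The event layout below is hypothetical:
    timestamp|host|user|action|product_name|installer_file
and the sample events are constructed, not captured from a real incident.
"""
import re
from dataclasses import dataclass

# RMM products named in the public reporting on this campaign. A real deployment
# would extend this set with every RMM product the organisation knows about.
RMM_PRODUCTS = {"pdq connect", "isl online"}

# Hosts on which an RMM agent is expected, and which product. Hypothetical
# allowlist; in practice this is fed from the IT asset inventory.
APPROVED_RMM = {
    "helpdesk-01": {"isl online"},
}

# Business tools that the campaign's lures impersonated.
LURE_NAMES = ("teams", "onlyoffice")

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|(?P<action>[^|]+)\|"
    r"(?P<product>[^|]*)\|(?P<installer>[^|]*)$"
)


@dataclass
class Finding:
    host: str
    user: str
    product: str
    installer: str
    reasons: list


def parse_event(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines):
    """Return one Finding per suspicious RMM installation event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] != "msi_install":
            continue
        product = ev["product"].lower()
        if product not in RMM_PRODUCTS:
            continue  # ordinary software; out of scope for this check

        reasons = []
        if product not in APPROVED_RMM.get(ev["host"], set()):
            reasons.append("RMM product not approved for this host")
        installer = ev["installer"].lower()
        if any(name in installer for name in LURE_NAMES):
            reasons.append("installer file name impersonates a business tool")

        if reasons:
            findings.append(Finding(ev["host"], ev["user"], ev["product"],
                                    ev["installer"], reasons))
    return findings


# Constructed sample events (file names are illustrative, not real installers).
SAMPLE_EVENTS = [
    "2025-06-12T09:14:03Z|helpdesk-01|svc_it|msi_install|ISL Online|ISLOnlineClient.msi",
    "2025-06-12T10:02:41Z|analyst-07|jdoe|msi_install|PDQ Connect|MicrosoftTeams_Setup.msi",
    "2025-06-12T10:05:17Z|analyst-07|jdoe|msi_install|Microsoft Teams|MicrosoftTeams_Setup.msi",
    "2025-06-12T11:30:00Z|analyst-12|asmith|msi_install|ISL Online|ISLOnlineClient.msi",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host} ({f.user}): {f.product} via {f.installer}: "
              + "; ".join(f.reasons))
```

Run against the sample, the approved ISL Online install on the helpdesk host is silent, the genuine Teams install is ignored, and two findings remain: the PDQ Connect agent that arrived under a Teams-named installer on an analyst workstation (two reasons) and an unapproved ISL Online agent on a second workstation. The allowlist is the part worth investing in; without an inventory of where RMM is legitimately expected, the product-name match alone produces noise on every helpdesk machine.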
The Bigger Picture: Espionage in a Time of Crisis
Experts see SmudgedSerpent’s campaign as part of a broader evolution in Iranian cyber operations. While the technical fingerprints echo past attacks, the timing and targets point to a strategic shift: collecting intelligence on Western policy, academic research, and technology at a moment of geopolitical tension. The group’s use of health-themed website domains and OnlyOffice hosting also hints at collaboration between different arms of Iran’s intelligence ecosystem.
Phishing campaigns like this have become a favored tool of nation-states, from Russia’s infamous Fancy Bear to North Korea’s Lazarus Group. But SmudgedSerpent’s blend of patience, impersonation, and technical sleight-of-hand signals a new sophistication - and a warning to those in the crosshairs of global power struggles.
WIKICROOK
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Remote Monitoring and Management (RMM) Software: Remote Monitoring and Management (RMM) software lets IT staff remotely access, maintain, and support computers and networks for efficient upkeep.
- Credential Harvesting: Credential harvesting is the theft of login details, such as usernames and passwords, often through fake websites or deceptive emails.
- MSI Installer: An MSI file is a Windows Installer package used to install, update, or remove software. It can also be abused to deliver malicious programs.
- Impersonation Attack: An impersonation attack is when a cybercriminal poses as a trusted person or brand to trick victims and gain access to sensitive information.