Mysterious 'SmudgedSerpent' Hackers Target U.S. Policy Experts Amid...
A previously undocumented threat activity cluster, tracked as UNK_SmudgedSerpent, has been linked to a set of cyber attacks on academics and foreign policy experts between June and August 2025, a period of heightened geopolitical tension between Iran and Israel.
"UNK_SmudgedSerpent leveraged domestic political lures, including societal change in Iran and investigation into the militarization of the Islamic Revolutionary Guard Corps (IRGC)," Proofpoint security researcher Saher Naumaan said in a new report shared with The Hacker News.
The enterprise security company said the campaign shares tactical similarities with that of prior attacks mounted by Iranian cyber espionage groups like TA455 (aka Smoke Sandstorm or UNC1549), TA453 (aka Charming Kitten or Mint Sandstorm), and TA450 (aka Mango Sandstorm or MuddyWater).
The email messages bear all the hallmarks of a classic Charming Kitten attack: the threat actors reel in prospective targets with benign conversation before attempting to phish their credentials.
In some cases, the emails contain malicious URLs that trick victims into downloading an MSI installer which, while masquerading as Microsoft Teams, ultimately deploys legitimate Remote Monitoring and Management (RMM) software such as PDQ Connect, a tactic MuddyWater has often used.
Proofpoint said the emails also impersonated prominent U.S. foreign policy figures associated with think tanks such as the Brookings Institution and the Washington Institute to lend them a veneer of legitimacy and increase the attack's chances of success.
The targets were more than 20 subject matter experts at a U.S.-based think tank who focus on Iran-related policy. In at least one case, after receiving a reply, the threat actor insisted on verifying the target's identity and the authenticity of the email address before proceeding with any collaboration.
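The "is this really you?" exchange above is the part of the lure a mail gateway can actually check: a known contact's display name arriving from a freemail domain, or a Reply-To that points somewhere other than the From domain. The triage below is an added illustration, not code from Proofpoint or The Hacker News; the contact directory, the addresses and the two messages are constructed for the example, and the freemail list is a deliberately short stand-in for a real one.

```python
"""Header-level triage for display-name impersonation (added example).

Assumptions (invented for illustration): KNOWN_CONTACTS is the organisation's
directory of external collaborators, and the two raw messages below were
constructed for this example; they are not real samples from the campaign.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: display name -> domain the person normally writes from.
KNOWN_CONTACTS = {
    "jane doe": "thinktank.example",
}

# Short stand-in for a real freemail/webmail domain list.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me", "protonmail.com"}


def normalise(name: str) -> str:
    """Collapse case, punctuation and whitespace so 'Doe, Jane' and 'jane doe' compare equal."""
    return " ".join(name.lower().replace(",", " ").split())


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess(raw_message: str) -> list[str]:
    """Return a list of reasons the message looks like contact impersonation (empty if clean)."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    reasons = []

    # 1. A name we know, arriving from a domain that is not the one on file.
    expected_domain = KNOWN_CONTACTS.get(normalise(display_name))
    if expected_domain and sender_domain != expected_domain:
        reasons.append(
            f"display name '{display_name}' is on file at {expected_domain} but sender domain is {sender_domain}"
        )

    # 2. Institutional contact writing from a consumer mailbox.
    if sender_domain in FREEMAIL:
        reasons.append(f"sender uses freemail domain {sender_domain}")

    # 3. Replies are steered to a third mailbox the victim never sees in From.
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {sender_domain}")

    return reasons


# Constructed sample messages (not real campaign artefacts).
SUSPECT = """From: Jane Doe <jane.doe.research@gmail.com>
Reply-To: j.doe.institute@outlook.com
Subject: Collaboration on IRGC research project

I am reaching out to confirm whether a recent email was indeed sent by you.
"""

BENIGN = """From: Jane Doe <jane.doe@thinktank.example>
Subject: Re: panel schedule

See you Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, assess(raw) or "no findings")
```

The check is deliberately header-only so it can run before the body is rendered; pairing it with the rest of the conversation history (first contact from an unknown address, a later request for "documents" behind a link) is what turns it from a signal into a verdict.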
"I am reaching out to confirm whether a recent email expressing interest in our institute's research project was indeed sent by you," read the email. "The message was received from an address that does not appear to be your primary email, and I wanted to ensure the authenticity before proceeding further."
Subsequently, the attackers sent a link to certain documents that they claimed would be discussed in an upcoming meeting. Clicking the link, however, takes the victim to a bogus landing page that's de
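The MSI-that-is-really-an-RMM-agent delivery described earlier leaves a distinctive pattern in endpoint telemetry: msiexec.exe launched from a browser against a package in a user-writable path, an MsiInstaller "product installed" event whose product name borrows a familiar brand while the manufacturer is an RMM vendor, and then an RMM binary spawned by msiexec. The detector below is an added example, not code from Proofpoint or The Hacker News. It runs over constructed events in a simplified dict-like form rather than raw Windows Event Log XML; the agent path, the hashes-free record layout and the vendor substring list are assumptions made for the example, and the RMM list should be replaced with whatever your organisation does not sanction.

```python
"""Detect brand-lure MSI installers that drop an RMM agent (added example).

Assumptions: events are pre-parsed into Event records; event_id 11707 is the
MsiInstaller 'product installed' event and event_id 1 is a Sysmon process
creation. Paths, users and product strings below are constructed for the example.
"""
from dataclasses import dataclass

# Assumption: vendor/product substrings of RMM tools the organisation does not sanction.
# PDQ is the vendor named in the report; the others are common RMM brands.
UNSANCTIONED_RMM = ("pdq", "anydesk", "screenconnect", "atera")

# Brands a lure installer is likely to impersonate.
BRAND_LURES = ("teams", "microsoft", "zoom", "webex")

# Path fragments that mean "a user put this file here", as opposed to a software share.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\downloads\\", "\\temp\\")


@dataclass
class Event:
    event_id: int
    user: str
    product: str = ""        # 11707: ProductName from the MSI property table
    manufacturer: str = ""   # 11707: Manufacturer from the MSI property table
    image: str = ""          # Sysmon 1: executable path
    parent_image: str = ""   # Sysmon 1: parent executable path
    cmdline: str = ""        # Sysmon 1: full command line


def detect(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) findings in event order."""
    findings = []
    for ev in events:
        if ev.event_id == 11707:
            prod, mfr = ev.product.lower(), ev.manufacturer.lower()
            # Brand name on the box, RMM vendor on the label: the core of the masquerade.
            if any(b in prod for b in BRAND_LURES) and any(r in mfr for r in UNSANCTIONED_RMM):
                findings.append(("rmm_masquerade", ev.user, f"{ev.product} by {ev.manufacturer}"))
        elif ev.event_id == 1:
            img, parent, cmd = ev.image.lower(), ev.parent_image.lower(), ev.cmdline.lower()
            if img.endswith("\\msiexec.exe") and ".msi" in cmd:
                # Low-confidence on its own: a user-downloaded package named after a brand.
                if any(p in cmd for p in USER_WRITABLE) and any(b in cmd for b in BRAND_LURES):
                    findings.append(("user_msi_lure", ev.user, ev.cmdline))
            elif parent.endswith("\\msiexec.exe") and any(r in img for r in UNSANCTIONED_RMM):
                # The installer's real payload starting up.
                findings.append(("rmm_spawned_by_msi", ev.user, ev.image))
    return findings


# Constructed sample telemetry: one lure chain for 'alice', then a benign IT-pushed Teams install.
SAMPLE_EVENTS = [
    Event(1, "alice", image=r"C:\Windows\System32\msiexec.exe",
          parent_image=r"C:\Program Files\Mozilla Firefox\firefox.exe",
          cmdline=r'msiexec.exe /i "C:\Users\alice\Downloads\MicrosoftTeams_Setup.msi" /qn'),
    Event(11707, "alice", product="Microsoft Teams", manufacturer="PDQ.com"),
    Event(1, "alice", image=r"C:\Program Files\PDQ\PDQConnectAgent\agent.exe",  # hypothetical path
          parent_image=r"C:\Windows\System32\msiexec.exe", cmdline="agent.exe --service"),
    Event(1, "SYSTEM", image=r"C:\Windows\System32\msiexec.exe",
          parent_image=r"C:\Windows\CCM\CcmExec.exe",
          cmdline=r'msiexec.exe /i "\\sccm01\packages\Teams_windows_x64.msi" /qn'),
    Event(11707, "SYSTEM", product="Microsoft Teams", manufacturer="Microsoft Corporation"),
]

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:20} {user:8} {detail}")
```

The three rules are meant to be correlated per user and host within a short window: the MsiInstaller product/manufacturer mismatch is the strongest single signal, while a user-path MSI launch alone will also fire on legitimate self-service installs and needs the follow-on RMM spawn to be actionable. Substring matching on vendor names is a simplification; in production, match on the Authenticode signer of the spawned binary instead.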
Source: The Hacker News