
Mysterious 'SmudgedSerpent' Hackers Target U.S. Policy Experts Amid Iran–Israel Tensions

Medium
Vulnerability
Published: Wed Nov 05 2025 (11/05/2025, 11:20:00 UTC)
Source: The Hacker News

Description

The UNK_SmudgedSerpent threat group conducted targeted cyber espionage campaigns from June to August 2025 against U.S.-based foreign policy experts and academics focused on Iran-related issues. Using politically themed phishing lures and impersonation of prominent U.S. think tank figures, the attackers directed targets to credential harvesting sites mimicking Microsoft and OnlyOffice login portals. The campaign also used malicious MSI installers masquerading as Microsoft Teams to deploy legitimate Remote Monitoring and Management (RMM) tools, PDQ Connect and ISL Online, giving the operators a foothold for hands-on-keyboard activity. The operation aligns with Iranian cyber espionage tradecraft and signals evolving cooperation between Iranian intelligence and cyber units. No software vulnerability is exploited and no widespread compromise is reported, but the targeted nature of the operation and its sophisticated social engineering pose significant risks to the confidentiality and operational security of the people it reaches. European organizations with ties to U.

AI-Powered Analysis

Last updated: 11/05/2025, 12:09:07 UTC

Technical Analysis

UNK_SmudgedSerpent is a newly identified cyber espionage cluster active during mid-2025, targeting U.S.-based academics and foreign policy experts specializing in Iran-related matters amid heightened Iran–Israel tensions. The group relies on social engineering rather than on any software vulnerability: it impersonates well-known U.S. think tank figures and uses domestic political lures about Iranian societal change and IRGC militarization. Initial contact is a benign phishing email that starts a conversation to build trust before any link or credential request is made.

Once rapport is established, the attackers send URLs leading to credential harvesting pages that mimic the Microsoft account login portal or the OnlyOffice document hosting platform. These pages are hosted on domains with health-related themes, a hosting pattern previously observed in Iranian-linked TA455 operations, so the domain name itself does not resemble the impersonated vendor; only the page content and the path do.

The infection chain continues with MSI installers disguised as Microsoft Teams clients, which install legitimate Remote Monitoring and Management (RMM) software, PDQ Connect and ISL Online. Deploying two RMM agents suggests the operators intend hands-on-keyboard activity, with one tool as a fallback for persistent access or further lateral movement. Because both agents are legitimate, vendor-distributed software, their presence will not by itself trigger malware detection; the signal is who installed them, from where, and on which host.

The campaign targeted more than 20 U.S. think tank experts with tailored phishing content, a focused espionage effort aligned with Iranian intelligence priorities. The operation reflects an evolution in Iranian cyber espionage, combining traditional phishing with abuse of legitimate tools to evade detection and maintain stealth. No exploits or widespread infections have been reported, but the sophistication of the social engineering and the strategic choice of targets pose significant risks to the confidentiality and operational integrity of the affected individuals and organizations.
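The credential harvesting stage described above is hard to catch by domain reputation alone, because the lure pages sit on unrelated, health-themed domains. The following is an added example, not code from the article or from the researchers who tracked the campaign, of a link triage check that asks a narrower question: does a URL borrow a Microsoft or OnlyOffice brand name (in its subdomain, path or query) while its registrable domain belongs to someone else? The vendor allowlist, the small public-suffix table and the sample email body are assumptions constructed for the example; the domains in the sample are invented (`.example` is a reserved TLD).

```python
"""Added example (not from the article or the researchers): flag links whose
hostname or path borrows a Microsoft/OnlyOffice brand name while the registrable
domain is not one that the vendor actually owns."""
import re
from urllib.parse import urlparse

# Assumed allowlist of registrable domains that really serve these vendors'
# sign-in or document pages; extend it for your tenant (custom SSO domains).
LEGIT_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "live.com", "office.com",
    "sharepoint.com", "onlyoffice.com",
}
# Words a lure page borrows to look like a vendor login or document-share page.
BRAND_WORDS = ("microsoft", "office", "onlyoffice", "sharepoint", "teams",
               "login", "signin")
# Tiny stand-in for the Public Suffix List; production code should use a PSL library.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.il"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def registrable_domain(host):
    """Return the registrable (eTLD+1) part of a hostname: login.foo.co.uk -> foo.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url):
    """Verdicts: 'legit' (vendor-owned domain), 'lookalike' (brand words on a
    foreign domain), 'external' (no vendor branding) or 'invalid'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host or "." not in host:
        return "invalid"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    # Brand words may hide in a subdomain, the path or the query string.
    haystack = host + parsed.path.lower() + parsed.query.lower()
    if any(word in haystack for word in BRAND_WORDS):
        return "lookalike"
    return "external"


def flag_links(email_text):
    """Return (url, verdict) for every lookalike link in a message body."""
    return [(u, "lookalike") for u in URL_RE.findall(email_text)
            if classify_url(u) == "lookalike"]


# Constructed sample lure body; every domain here is invented.
SAMPLE_EMAIL = """Dear colleague,
as discussed, the draft on IRGC reorganisation is shared here:
https://heart-health-portal.example/onlyoffice/signin?doc=draft
Microsoft may ask you to confirm your account first:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x
https://microsoft.com.secure-login.example.co.uk/account
Background reading: https://example.org/news/iran-policy
"""

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_EMAIL):
        print(verdict, url)
```

Run against the sample, the real `login.microsoftonline.com` link is accepted, the `example.org` link is ignored as unbranded, and the two lure links are reported: the health-themed host carrying an OnlyOffice path, and the host that puts `microsoft.com` in a subdomain of a foreign `.co.uk` domain. The check deliberately does not try to decide whether a domain is "health-themed"; it keys on the mismatch between borrowed branding and domain ownership, which survives whatever theme the operators choose next.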

Potential Impact

For European organizations, especially those engaged in Middle East policy research, international relations, or academic collaboration with U.S. think tanks, this threat poses a significant risk to the confidentiality of sensitive information and intellectual property. Successful credential harvesting could lead to unauthorized access to email accounts, internal documents, and communication channels, potentially enabling espionage, data exfiltration, or further compromise. The use of legitimate RMM tools complicates detection and may facilitate persistent access or lateral movement within networks. Given the geopolitical context, compromised information could be used to influence policy decisions or diplomatic stances. Additionally, European entities collaborating on Iran-related research or hosting experts in this field might become secondary targets or collateral victims. The reputational damage and operational disruption from such espionage activities could be substantial, particularly for think tanks, universities, and governmental advisory bodies. The medium severity rating reflects the targeted nature and moderate ease of exploitation, but the potential impact on confidentiality and strategic information is high.

Mitigation Recommendations

European organizations should deploy layered email security that can detect impersonation as well as malicious links, including enforcement of Domain-based Message Authentication, Reporting and Conformance (DMARC) on inbound mail. Because this campaign opens with a benign conversation, user awareness training must cover the pattern of trust-building exchanges that only later turn into a document share or a login request, and staff should verify unexpected collaboration requests through a channel other than the one the request arrived on.

Require multi-factor authentication (MFA) and conditional access on email and collaboration platforms. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) for the people most likely to be targeted: a credential harvesting page that proxies the real Microsoft login can relay one-time codes and push approvals, whereas a FIDO2 credential is bound to the genuine origin and cannot be replayed from a lookalike site.

Treat unexpected RMM software as a high-priority signal. Restrict software installation privileges, and use application control to block RMM agents that IT has not approved. Alert on new service installations (Windows System log event ID 7045) and Windows Installer completions (Application log, MsiInstaller event ID 11707) that reference PDQ Connect or ISL Online on hosts where IT does not manage them, on MSI packages named after Microsoft Teams that were launched from a user's Downloads or Temp folder, and on outbound connections from RMM agents to relay infrastructure the organization does not use. Threat hunting should look for the resulting hands-on-keyboard activity and lateral movement, not just for the installer.

Share indicators and tradecraft with intelligence-sharing groups that track Iranian cyber espionage. Organizations involved in Iran-related research should consider isolating sensitive environments and limiting external collaboration channels, and should review incident response plans so that they cover a targeted espionage scenario in which the attacker's tooling is legitimate software rather than malware.
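The RMM monitoring recommendation above comes down to correlating process lineage: a legitimate RMM agent is suspicious when it was installed by a user-launched MSI from a writable path, or when it appears on a host that IT does not manage. The following is an added example, not code from the article or from either RMM vendor, of that hunt written over Sysmon Event ID 1 (process creation) records exported as JSON lines. The agent binary names, the managed-host allowlist, the simplified process tree and the sample events are assumptions constructed for the example; confirm the real executable names from your own software inventory before using this in production.

```python
"""Added example (not from the article or the RMM vendors): hunt for the
Teams-named MSI -> RMM agent chain over Sysmon Event ID 1 records."""
import json
from ntpath import basename

# Assumed executable names for the RMM agents the article names; vendors rename
# binaries, so populate this from your own inventory.
RMM_IMAGES = {"pdq-connect-agent.exe", "isllight.exe", "isllightclient.exe"}
# Hosts on which IT legitimately runs these agents (assumed allowlist).
MANAGED_RMM_HOSTS = {"WS-HELPDESK02"}
# Path fragments that mark a user-writable location.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_events(events):
    """Keep only process-creation events, keyed by ProcessGuid."""
    return {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}


def ancestors(event, by_guid):
    """Yield parent events, following ParentProcessGuid until the chain ends."""
    seen = set()
    guid = event.get("ParentProcessGuid")
    while guid and guid in by_guid and guid not in seen:
        seen.add(guid)
        parent = by_guid[guid]
        yield parent
        guid = parent.get("ParentProcessGuid")


def is_user_msi_install(event):
    """msiexec installing an .msi that lives in a user-writable path."""
    cmd = event.get("CommandLine", "").lower()
    return (basename(event.get("Image", "")).lower() == "msiexec.exe"
            and ".msi" in cmd and any(p in cmd for p in USER_WRITABLE))


def hunt(events):
    """Return (host, rule, image) findings for the MSI-delivered RMM chain."""
    by_guid = index_events(events)
    findings = []
    for e in by_guid.values():
        image = basename(e.get("Image", "")).lower()
        host = e.get("Computer", "")
        cmd = e.get("CommandLine", "").lower()
        if is_user_msi_install(e) and "teams" in cmd:
            findings.append((host, "teams-named-msi-from-user-path", image))
        if image in RMM_IMAGES:
            if any(is_user_msi_install(a) for a in ancestors(e, by_guid)):
                findings.append((host, "rmm-spawned-by-user-msi", image))
            elif host not in MANAGED_RMM_HOSTS:
                findings.append((host, "rmm-on-unmanaged-host", image))
    return findings


# Constructed sample events with a simplified process tree (a real MSI custom
# action runs under the msiexec service, which adds a hop). The network event
# (EventID 3) shows that non-process records are ignored by the index.
SAMPLE_SYSMON = r"""
{"EventID": 1, "Computer": "WS-ANALYST01", "User": "CORP\\jdoe", "ProcessGuid": "g1", "ParentProcessGuid": "g0", "Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec.exe /i C:\\Users\\jdoe\\Downloads\\MSTeamsSetup.msi"}
{"EventID": 1, "Computer": "WS-ANALYST01", "User": "NT AUTHORITY\\SYSTEM", "ProcessGuid": "g2", "ParentProcessGuid": "g1", "Image": "C:\\Program Files\\PDQ\\PDQConnectAgent\\pdq-connect-agent.exe", "CommandLine": "pdq-connect-agent.exe"}
{"EventID": 1, "Computer": "WS-ANALYST01", "User": "CORP\\jdoe", "ProcessGuid": "g3", "ParentProcessGuid": "g2", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ISLLight.exe", "CommandLine": "ISLLight.exe"}
{"EventID": 1, "Computer": "WS-HELPDESK02", "User": "NT AUTHORITY\\SYSTEM", "ProcessGuid": "g10", "ParentProcessGuid": "g9", "Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec.exe /i C:\\ProgramData\\IT\\7zip.msi /qn"}
{"EventID": 1, "Computer": "WS-HELPDESK02", "User": "NT AUTHORITY\\SYSTEM", "ProcessGuid": "g11", "ParentProcessGuid": "g5", "Image": "C:\\Program Files\\PDQ\\PDQConnectAgent\\pdq-connect-agent.exe", "CommandLine": "pdq-connect-agent.exe"}
{"EventID": 3, "Computer": "WS-ANALYST01", "ProcessGuid": "g3", "DestinationHostname": "relay.example"}
"""

if __name__ == "__main__":
    for host, rule, image in hunt(load_jsonl(SAMPLE_SYSMON)):
        print(f"{host}: {rule} ({image})")
```

On the sample the hunt reports three findings on WS-ANALYST01 (the Teams-named MSI launched from Downloads, the PDQ Connect agent it spawned, and the ISL Online client launched through that agent) and nothing on WS-HELPDESK02, where IT installed a package from ProgramData and the PDQ Connect agent is expected. The lineage rule matters more than the binary name: the same agent on the same host is benign or not depending on how it got there.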


Technical Details

Article Source
https://thehackernews.com/2025/11/mysterious-smudgedserpent-hackers.html (fetched 2025-11-05T12:08:31Z, 1234 words)

Threat ID: 690b3e49eb4434bb4f89372d

Added to database: 11/5/2025, 12:08:41 PM

Last enriched: 11/5/2025, 12:09:07 PM

Last updated: 11/5/2025, 2:25:01 PM
