Iran’s Mystery Hackers Target US Policy Experts


According to Dark Reading, between June and August 2025, Iranian state hackers carried out highly targeted phishing attacks against prominent US think tanks and policy experts. The group, temporarily named “UNK_SmudgedSerpent” by Proofpoint, specifically targeted 20 members of a US think tank by impersonating Suzanne Maloney, vice president of Brookings Institution’s Foreign Policy program. The attackers used slightly misspelled Gmail accounts and meticulously designed email signatures to appear legitimate, offering fake collaboration opportunities. In later attacks, they also spoofed economist Patrick Clawson using lures directly referencing Iranian geopolitical affairs. The campaign involved sending malicious links disguised as OnlyOffice or Microsoft Teams invitations that redirected to credential harvesting pages. When victims grew suspicious, the hackers deployed remote monitoring and management software in what researchers called an unusual “double dipping” approach.
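Two of the lure patterns described above lend themselves to cheap mail-triage checks: a sender whose display name or local part is a near copy of a known contact but whose address is not the directory entry (here, a misspelled freemail account), and an "invitation" link whose anchor text names Microsoft Teams or OnlyOffice while the URL's host is something else. The script below is an added example, not code from Dark Reading or Proofpoint; the contact directory, trusted hosts, thresholds and sample messages are all constructed for illustration and would be replaced with an organization's own data.

```python
"""Triage heuristics for lookalike senders and mismatched invitation links.

Added example; not Proofpoint's or Dark Reading's code. Every address, host
and message below is constructed for illustration.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical directory of trusted correspondents: display name -> address.
KNOWN_CONTACTS = {"Suzanne Maloney": "s.maloney@thinktank.example"}
# Hosts that genuinely serve the tools named in the lures (assumption; adjust to your tenant).
TRUSTED_LURE_HOSTS = {"teams.microsoft.com", "onlyoffice.com"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
LURE_WORDS = ("teams", "onlyoffice")
NEAR_MATCH = 0.8  # SequenceMatcher ratio at which a local part counts as a lookalike


def _name_key(name: str) -> str:
    """Lower-case letters only, so 'suzane.maloney' compares against 'suzannemaloney'."""
    return "".join(ch for ch in name.lower() if ch.isalpha())


def sender_findings(display_name: str, address: str) -> list[str]:
    """Return reasons a sender looks like an impersonation of a directory contact."""
    findings = []
    addr = address.lower()
    local, _, domain = addr.partition("@")
    expected = KNOWN_CONTACTS.get(display_name)
    if expected and expected != addr:
        findings.append(f"display name '{display_name}' used with non-directory address {addr}")
    for name, real in KNOWN_CONTACTS.items():
        if addr == real:
            continue  # the genuine contact is not a lookalike of itself
        ratio = SequenceMatcher(None, _name_key(local), _name_key(name)).ratio()
        if ratio >= NEAR_MATCH:
            findings.append(f"local part '{local}' is a near match for '{name}' ({ratio:.2f})")
    if findings and domain in FREEMAIL:
        findings.append(f"freemail domain {domain} for an institutional contact")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str) -> list[tuple[str, str]]:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _is_trusted(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LURE_HOSTS)


def link_findings(html: str) -> list[str]:
    """Flag links that advertise Teams/OnlyOffice but point at a host that is not the real service."""
    findings = []
    for text, href in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        if any(w in (text + " " + href).lower() for w in LURE_WORDS) and not _is_trusted(host):
            findings.append(f"'{text}' -> {host or href}")
    return findings


@dataclass
class Message:
    display_name: str
    address: str
    html_body: str


def triage(msg: Message) -> dict:
    sender = sender_findings(msg.display_name, msg.address)
    links = link_findings(msg.html_body)
    return {"sender": sender, "links": links,
            "verdict": "suspicious" if (sender or links) else "clean"}


# Constructed samples, not real campaign artefacts.
PHISH = Message("Suzanne Maloney", "suzane.maloney@gmail.com",
                '<p>Please join via <a href="https://teams-invite.example/join/8f3a">Microsoft Teams</a>.</p>')
LEGIT = Message("Suzanne Maloney", "s.maloney@thinktank.example",
                '<p>Deck for tomorrow: <a href="https://teams.microsoft.com/l/meetup-join/abc">Teams link</a></p>')

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        print(m.address, triage(m))
```

Neither check is a verdict on its own: a colleague's personal Gmail account or a redirector in front of a legitimate meeting link will trip them. They are meant to route a message to a human, which is the control that reportedly worked here, since the campaign only escalated to RMM software after targets grew suspicious of the lures.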


Who’s really behind these attacks?

Here’s where things get really interesting. UNK_SmudgedSerpent doesn’t neatly fit into any known Iranian threat actor category. Its targeting and phishing style look exactly like TA453 (Charming Kitten), but its infrastructure matches TA455 (Smoke Sandstorm). And the RMM software deployment? That’s supposedly the signature move of MuddyWater (TA450 in Proofpoint’s naming). So we’ve got a hybrid threat actor that seems to borrow from everyone’s playbook.

Proofpoint researchers have a few theories about why this group looks like three different teams rolled into one. Maybe there’s been some reorganization within Iran’s cyber units, with members carrying their specialties to new groups. Or there could be centralized support providing infrastructure to multiple teams. The most intriguing possibility? Actual collaboration between the Islamic Revolutionary Guard Corps and the Ministry of Intelligence and Security (MOIS), which normally operate separately.

Why knowing who matters

You might wonder why we should care about exactly which Iranian group is behind these attacks. Saher Naumann from Proofpoint makes a compelling case that attribution isn’t just academic. For security leaders trying to justify cybersecurity budgets, knowing who’s targeting your sector provides concrete evidence of realistic threats. If Iranian hackers have hit similar organizations before, they’ll probably try again. Understanding their specific methods helps you defend against what’s actually coming rather than theoretical threats.

Basically, it’s hard to defend against a threat you don’t understand. When you know whether you’re dealing with Charming Kitten’s social engineering expertise or MuddyWater’s technical capabilities, you can allocate resources more effectively. The problem is that UNK_SmudgedSerpent looks like all of them at once, which makes defense planning particularly challenging.

The bigger picture here

These attacks reveal something important about Iran’s cyber capabilities. They’re not just spraying phishing emails everywhere and hoping something sticks. They’re doing their homework – researching specific individuals like Suzanne Maloney who describes herself as an “Iran junkie” and building convincing impersonations around them. That level of targeting suggests sophisticated intelligence gathering before the technical attack even begins.

And the fact that they’re hitting think tanks tells us something about their priorities. They’re not after financial gain or disruptive attacks – they want strategic intelligence about US policy thinking. When you combine that with the mixed TTPs from multiple known groups, it paints a picture of an evolving, adaptable threat landscape where the old categories might not hold up much longer.
