Iranian Cyber Espionage Campaign Targets Policy Experts with Sophisticated Phishing Tactics
November 6, 2025
The campaigns rely on social engineering with domestic political themes about Iran and IRGC militarization, including impersonation of U.S. think tank figures to gain trust and credentials.
They employ spoofed collaboration tools and legitimate remote monitoring and management (RMM) software to gain a foothold on targets, with lures focused on Iranian domestic and geopolitical issues.
Infrastructure includes OnlyOffice-lookalike pages serving ZIP archives that contain an MSI installer, followed by hands-on-keyboard activity in which the operators use PDQ Connect to push additional RMM tools such as ISL Online.
Targets are first presented with a spoofed authentication page and then receive an MSI package that installs PDQ Connect; ISL Online is brought in as a redundant or fallback channel when the initial access attempt does not hold.
Attack infrastructure features domains like healthcrescent[.]com and ebixcareers[.]com hosting fake recruitment portals that distribute TA455 malware such as MiniJunk and other payloads like Interview time.msi.
The activity culminates in hands-on-keyboard access through PDQ Connect and ISL Online, which the operators use for persistence and for remotely deploying further tooling across compromised hosts.
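To make the chain above concrete from a detection standpoint, the following added example (not code from any of the cited sources, nor from Proofpoint or the RMM vendors) walks a set of process-creation events and flags the two behaviours the summary describes: an RMM agent installed by msiexec from a user-downloaded MSI, and one RMM tool (PDQ Connect) launching another (ISL Online). The RMM name patterns, binary names and paths are assumptions for illustration, since the page does not state the actual file names; the sample events are constructed, not captured telemetry. The domain check uses the two attacker domains named on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Heuristic name patterns for the two RMM products named in the reporting.
# ASSUMPTION: the real binary names/paths are not given on the page; these
# match the product names as they commonly appear in image paths and
# command lines, and would need tuning against real telemetry.
RMM_PATTERNS = {
    "PDQ Connect": re.compile(r"pdq[\s_-]*connect", re.I),
    "ISL Online": re.compile(r"isl[\s_-]*(online|light)", re.I),
}

# Attacker domains named in the reporting (defanging brackets removed).
SUSPECT_DOMAINS = {"healthcrescent.com", "ebixcareers.com"}


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def classify_rmm(ev: ProcEvent) -> Optional[str]:
    """Return the RMM product name if the image or command line looks like one."""
    text = f"{ev.image} {ev.cmdline}"
    for name, pat in RMM_PATTERNS.items():
        if pat.search(text):
            return name
    return None


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent], limit: int = 32) -> List[ProcEvent]:
    """Walk the parent chain; bounded and cycle-safe to survive PID reuse."""
    chain, seen, cur = [], {ev.pid}, by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen and len(chain) < limit:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def find_rmm_chains(events: List[ProcEvent]) -> List[dict]:
    """Flag RMM agents whose ancestry contains msiexec or a different RMM tool."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        tool = classify_rmm(ev)
        if tool is None:
            continue
        for anc in ancestors(ev, by_pid):
            anc_tool = classify_rmm(anc)
            if anc_tool and anc_tool != tool:
                # One RMM deploying another: the PDQ Connect -> ISL Online step.
                findings.append({"kind": "rmm_spawned_by_rmm", "tool": tool,
                                 "parent_tool": anc_tool, "pid": ev.pid})
                break
            if anc.image.lower().endswith("msiexec.exe"):
                # RMM agent installed from an MSI: the lookalike-installer step.
                findings.append({"kind": "rmm_installed_via_msi", "tool": tool,
                                 "installer": anc.cmdline, "pid": ev.pid})
                break
    return findings


def is_suspect_domain(host: str) -> bool:
    """Exact or subdomain match against the reported attacker domains."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in SUSPECT_DOMAINS)


# Constructed sample telemetry (not captured data); paths are illustrative.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, "System", ""),
    ProcEvent(600, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(3000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),  # parent not in telemetry
    ProcEvent(1200, 3000, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\analyst\Downloads\Microsoft Teams.msi"'),
    ProcEvent(1300, 1200, r"C:\Users\analyst\AppData\Local\Temp\PDQ Connect Agent.exe",
              '"PDQ Connect Agent.exe" /install'),
    ProcEvent(1400, 600, r"C:\Program Files\PDQ\PDQConnectAgent\PDQConnectAgent.exe",
              "PDQConnectAgent.exe"),
    ProcEvent(1500, 1400, r"C:\Windows\Temp\ISLOnlineInstaller.exe",
              "ISLOnlineInstaller.exe /silent"),
]

if __name__ == "__main__":
    for finding in find_rmm_chains(SAMPLE_EVENTS):
        print(finding)
    for host in ("login.healthcrescent.com", "healthcrescent.com.example"):
        print(host, is_suspect_domain(host))
```

The ancestry walk matters more than the name match: a PDQ Connect service started by services.exe (an ordinary managed endpoint) produces no finding, while the same binary dropped by msiexec from a Downloads folder, or a second RMM launched from under the first, does. In a real deployment the name patterns would be replaced by signer and hash checks, and the domain set would be fed from the full indicator list rather than the two names quoted here.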
The convergence of infrastructure and malware suggests shared development resources or overlapping contractors within Iran’s cyber ecosystem, hinting at centralized procurement, personnel rotation, or parallel contracting between IRGC and MOIS.
The infection chain starts with benign email conversations and credential verification requests, then links masquerading as OnlyOffice redirect to health-themed attacker domains hosting credential harvesting pages.
A new Iran-linked threat cluster named UNK_SmudgedSerpent conducted espionage-focused phishing against academics and foreign policy experts from June to August 2025.
No further UNK_SmudgedSerpent activity has been observed since August 2025, but researchers assess that related operations continue and that the targeting of Iran policy experts is becoming more sophisticated and persistent.
The cluster is tracked separately because of its specific focus on academics and policy experts and its reliance on commercial RMM software, which helps the activity blend in with legitimate administration.
Phishing emails contain malicious URLs leading to MSI installers masquerading as benign apps (e.g., Microsoft Teams) that deploy PDQ Connect, often followed by credential harvesting.
A coordinated Iranian-linked campaign uses credential harvesting, social engineering, and remote management tools to infiltrate targets, including impersonating a Brookings Institution official with a misspelled Gmail address and leveraging domestic political lures around Iran’s society and IRGC militarization.
Summary based on 3 sources
Sources
The Hacker News, Nov 5, 2025: Mysterious 'SmudgedSerpent' Hackers Target U.S. Policy Experts Amid Iran–Israel Tensions
GBHackers Security, Nov 6, 2025: Iranian Hackers Exploit RMM Tools to Target Academics and Foreign-Policy Experts
Cyber Security News, Nov 6, 2025: Iranian APT Targets Global Academics & Policy Experts via Remote-Management Software