Three ways teams can tackle Iran’s tangled web of state-sponsored espionage

COMMENTARY: While often overshadowed by Russian and Chinese threats, the cyber threat from Iran has become a formidable challenge for organizations globally.

Once composed of amateur hacking groups, Iran’s cyber operations have matured and professionalized into a fluid, interconnected ecosystem that leverages third-party contractors, both custom and publicly available tools, and a range of techniques to achieve the Iranian government’s strategic objectives.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Recent operations by a newly identified cluster dubbed UNK_SmudgedSerpent illustrate how Iranian threat actors have blended tactics, techniques, and procedures (TTPs) once associated with distinct groups, complicating attribution for defenders.

Our research, which began in June 2025, found that UNK_SmudgedSerpent borrowed techniques largely associated with the playbooks of TA453 (Charming Kitten), TA455 (Smoke Sandstorm), and TA450 (MuddyWater). This sharing of methods could suggest increased collaboration and adaptability among Iran-aligned groups.

The campaign targeted U.S.-based academics and foreign policy experts. In a tailored social engineering attempt, the attackers impersonated a Brookings Institution director and initiated contact through carefully crafted emails with political and topical lure content. After an extended exchange, likely intended to build trust with the targets, the group progressed from benign conversation to sending malicious emails.

UNK_SmudgedSerpent sent a link to a supposed OnlyOffice document, mirroring TA455’s techniques, but the link led to a credential harvesting site disguised as a health-themed domain. When that failed, the attackers shifted to delivering malware via an archive file that contained legitimate remote monitoring and management (RMM) software (PDQConnect), a tactic often associated with TA450.

This fusion of social engineering, pseudo-legitimate content delivery, and abuse of legitimate tooling exemplifies the evolving complexity and resourcefulness of modern Iranian operations.
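The chain described above offers two concrete detection points: the lure email (an impersonated organization in the display name, a Reply-To that does not match the sender, and link text naming a document service the link host does not belong to) and the archive-delivered RMM agent on the endpoint. The following is an added example written for this page, not code from Proofpoint's research or the original column. Every organization, domain, executable name and log line in it is constructed for illustration and is not an indicator from the campaign; the RMM agent filename, the "approved RMM" allowlist and the user-writable path pattern are assumptions a deployment would replace with its own data.

```python
"""Added example: two detection checks for the chain described above.
All organisations, domains, executables and log lines are constructed for
illustration; none are indicators from the original research."""
import json
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical: organisations worth protecting against display-name
# impersonation, mapped to the domains they legitimately send from.
KNOWN_ORG_DOMAINS = {"brookings": {"brookings.edu"}}
# Hypothetical: document services often named in lures and their real hosts.
DOC_SERVICES = {"onlyoffice": "onlyoffice.com", "sharepoint": "sharepoint.com"}
# Hypothetical allowlist: the one RMM product this organisation sanctions.
APPROVED_RMM = {"approvedrmmagent.exe"}
# RMM agent executable names to watch for (assumed names for illustration).
RMM_BINARIES = {"pdqconnectagent.exe", "approvedrmmagent.exe", "anydesk.exe"}
ARCHIVE_TOOLS = {"7zfm.exe", "7z.exe", "winrar.exe"}
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|appdata|desktop|documents)\\", re.I)


@dataclass
class Email:
    display_name: str
    sender: str
    reply_to: str
    links: list  # (anchor text, URL) pairs


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_email(msg: Email) -> list:
    """Return findings for one inbound message; empty means nothing flagged."""
    findings = []
    sender_domain = _domain(msg.sender)
    name = msg.display_name.lower()
    for org, domains in KNOWN_ORG_DOMAINS.items():
        legit = any(sender_domain == d or sender_domain.endswith("." + d)
                    for d in domains)
        if org in name and not legit:
            findings.append(
                f"display name claims {org!r} but sender domain is {sender_domain}")
    if msg.reply_to and _domain(msg.reply_to) != sender_domain:
        findings.append("Reply-To domain differs from sender domain")
    for text, url in msg.links:
        host = (urlparse(url).hostname or "").lower()
        for keyword, real_host in DOC_SERVICES.items():
            if keyword in text.lower() and not host.endswith(real_host):
                findings.append(f"link text mentions {keyword} but host is {host}")
    return findings


def check_process(event: dict) -> list:
    """Flag RMM agents that are unapproved, user-writable, or archive-spawned."""
    image = event["image"]
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe not in RMM_BINARIES:
        return []
    findings = []
    if exe not in APPROVED_RMM:
        findings.append(f"unapproved RMM executable {exe} on {event['host']}")
    if USER_WRITABLE.match(image):
        findings.append(f"RMM launched from user-writable path {image}")
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in ARCHIVE_TOOLS:
        findings.append(f"RMM spawned by {parent}, consistent with an archive lure")
    return findings


def scan_process_log(text: str) -> list:
    """Run check_process over newline-delimited JSON process-creation events."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            alerts.extend((event["ts"], f) for f in check_process(event))
    return alerts


# Constructed sample input: one lure, one benign message, three process events.
LURE = Email(
    display_name="Dr. A. Example, Brookings Institution",
    sender="a.example@policy-briefings.example",
    reply_to="a.example@mail-relay.example",
    links=[("Open the OnlyOffice document", "https://wellness-portal.example/doc")],
)
BENIGN = Email("J. Smith", "j.smith@brookings.edu", "j.smith@brookings.edu",
               [("Agenda", "https://www.brookings.edu/events")])
SAMPLE_PROCESS_LOG = r"""
{"ts":"2025-06-18T14:02:11Z","host":"WS-0417","image":"C:\\Users\\jdoe\\Downloads\\briefing\\PDQConnectAgent.exe","parent":"C:\\Program Files\\7-Zip\\7zFM.exe"}
{"ts":"2025-06-18T14:05:40Z","host":"WS-0417","image":"C:\\Program Files\\ApprovedRMM\\ApprovedRMMAgent.exe","parent":"C:\\Windows\\System32\\services.exe"}
{"ts":"2025-06-18T14:06:02Z","host":"WS-0417","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for finding in check_email(LURE):
        print("EMAIL:", finding)
    for ts, finding in scan_process_log(SAMPLE_PROCESS_LOG):
        print("ENDPOINT:", ts, finding)
```

Run as written, the lure produces three email findings and the first process event produces three endpoint findings, while the benign message and the sanctioned agent running from Program Files produce none. The point of the endpoint check is the one the column makes: the binary is legitimate software, so the signal is not the file but where it runs from, what launched it, and whether the organization ever approved it.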

The attribution puzzle: What does it mean?

While tasking and remits remain relatively consistent across groups to support national objectives, the tangled TTPs of UNK_SmudgedSerpent force us to reconsider how we view the operational structure of Iranian threat groups. The links between groups vary in confidence, but collectively they indicate an interconnected ecosystem. Several hypotheses could explain the convergence:

  • Shared resources and development: It’s possible that a central entity develops or procures tools, malware, and infrastructure, which are then distributed among different operational teams. A common training academy teaching the same skills to multiple groups could also explain the overlap.
  • Personnel mobility: Personnel turnover is constant. Operators may move between teams, bringing their preferred TTPs with them. A new group like UNK_SmudgedSerpent could represent a merger of operators from other established teams.
  • Contractor-driven operations: Iran relies heavily on a network of contracting companies to carry out its cyber operations. A sponsoring agency such as the Islamic Revolutionary Guard Corps (IRGC) or the Ministry of Intelligence and Security (MOIS) could task multiple contractor teams with similar objectives, leading to a natural crossover in methods and infrastructure as they pursue shared goals.

Regardless of the precise reason, CISOs should take note: both technical and political attribution are significant and relevant. For potential target organizations, understanding attacker TTPs supports intelligence-led network defense at the tactical level, in a SOC or a pentesting function, and informs incident response investigations if an intrusion occurs. By building attacker profiles from attacker motivations and previous campaigns, we can prevent, or at least mitigate, the damage from an intrusion.

What security pros should do now

The emergence of actors like UNK_SmudgedSerpent underscores that we need threat intelligence that’s dynamic and focused on behaviors as well as actors. It shows we need to build a defense-in-depth strategy that accounts for both technical characteristics and political attribution. Here are three ways to move forward:

  • Focus on the human factor: The UNK_SmudgedSerpent campaigns began with tailored and convincing social engineering. The point of initial access offers the first opportunity to detect anomalies and patterns in senders, headers, and behaviors. Advanced email security tools designed to process and analyze phishing activity are an integral part of an organization’s defense.
  • Build a broader understanding of TTPs and IoCs: As the lines between actors blur and legitimate services are used and abused – cloud and file-sharing platforms as well as commercial and open source tools – it isn’t enough to track custom infrastructure and malware. Organizations must evaluate and curtail which processes and tools are permitted to run in their environment, while keeping pace with the actors and techniques that are prominent in the threat landscape.
  • Invest in threat intelligence: Security teams need access to research that maps the evolution of threat groups, their infrastructure, and their preferred methods. This helps them design a threat model for their organization that accounts for actor motivations, historically targeted sectors and geographies, and the attributes of a typical infection.

UNK_SmudgedSerpent has just burst on the scene, but the techniques it employs are an extension of a persistent and evolving espionage effort. For CISOs, it’s a clear signal that the adversaries are adapting. Our defenses must do the same.

Saher Naumaan, senior threat researcher, Proofpoint
