
Iran's Elusive "SmudgedSerpent" APT Phishes Influential US Policy Wonks

ID: 8c4cf9c8-c4c5-5402-9c8c-cef0a6aebeaf

STIX ID: report--8c4cf9c8-c4c5-5402-9c8c-cef0a6aebeaf

Feed Name: Proofpoint Blog

Threat Score: 85/100

Date Published: 2025-11-05

Date Updated: 2026-04-28


Between June and August 2025, researchers observed an Iran-aligned threat actor labeled UNK_SmudgedSerpent performing highly targeted phishing against US think-tank academics and policy experts to harvest Microsoft 365 credentials and deploy remote monitoring/management (RMM) software. The campaign's TTPs overlapped with those of multiple Iranian APTs (e.g., Charming Kitten/TA453, TA455, MuddyWater/TA450), creating attribution uncertainty and suggesting shared infrastructure, contractor support, or reorganized teams.
