Iranian APT Phishing Campaign Targets US Think Tanks
Summary
Between June and August 2025, an Iranian advanced persistent threat (APT) group, tentatively named UNK_SmudgedSerpent, conducted targeted phishing attacks against prominent US think tanks and policy experts, including more than 20 subject matter experts at a single U.S.-based think tank. The campaign impersonated influential figures in US foreign policy, among them Suzanne Maloney and Patrick Clawson, associated with the Brookings Institution and the Washington Institute, and used tailored emails about US policy discussions on Iran to lure targets into clicking malicious links. Those links led to spoofed login pages that harvested Microsoft account credentials and to decoy documents and ZIP files containing MSI installers that deployed remote monitoring and management (RMM) software. The group's tactics, techniques, and procedures (TTPs) overlapped with several known Iranian APTs: social engineering reminiscent of TA453 (Charming Kitten), infrastructure aligned with TA455 (Smoke Sandstorm), and RMM deployment previously associated with TA450 (MuddyWater). The activity was observed to have paused, but the overlap suggests possible reorganization or collaboration within Iranian cyber operations, such as personnel movement or shared infrastructure procurement between Iranian contracting outfits.
Timeline
05.11.2025 12:00 · 3 articles
Iranian APT Phishing Campaign Targets US Think Tanks
The email campaign began in June 2025 and targeted over 20 subject matter experts at a U.S.-based think tank. UNK_SmudgedSerpent opened with benign conversation starters to build trust before attempting to steal credentials and deliver malware, impersonating prominent U.S. foreign policy figures associated with think tanks such as the Brookings Institution and the Washington Institute. One lure targeted a U.S.-based academic with a request for assistance in investigating the IRGC; another, in early August 2025, solicited collaboration on researching Iran's role in Latin America and the implications for U.S. policy. Spoofed collaboration materials were shared via an OnlyOffice-styled link that led to health-themed domains, where a spoofed OnlyOffice login page harvested Microsoft account credentials; after one target communicated suspicions, the adversary removed the password requirement on the credential harvesting page. The malicious URLs also tricked victims into downloading a ZIP file containing an MSI installer that loaded RMM tools, and UNK_SmudgedSerpent then engaged in possible hands-on-keyboard activity through PDQ Connect to install additional RMM tools such as ISL Online. The group's activity has since paused, but concerns persist because its tactics and infrastructure overlap with known Iranian APTs, suggesting possible personnel movement or shared infrastructure procurement between Iranian contracting outfits.
Sources:
- Iran's Elusive 'SmudgedSerpent' APT Phishes Influential US Policy Wonks — www.darkreading.com — 05.11.2025 12:00
- Mysterious 'SmudgedSerpent' Hackers Target U.S. Policy Experts Amid Iran–Israel Tensions — thehackernews.com — 05.11.2025 13:20
- UNK_SmudgedSerpent Targets Academics With Political Lures — www.infosecurity-magazine.com — 05.11.2025 18:00
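The impersonation described in the summary and timeline above (a real policy expert's name on mail sent from infrastructure the actor controls) can be caught at the mail gateway without knowing the lookalike domain in advance. The following Python is an added example written for this page, not code from Proofpoint or any of the cited articles. It parses message headers, compares the From display name against an assumed directory of known contacts and their home domains, and flags a display-name match whose sender or Reply-To address lives elsewhere, plus a failed DMARC result where the receiving MTA recorded one. The directory entries, the domains and every sample message are constructed for the example.

```python
"""Flag inbound mail whose From display name matches a known contact but whose
sender or Reply-To address does not belong to that contact's organization.
Added example for this page; not code from Proofpoint or the cited articles."""
from email import message_from_string
from email.utils import parseaddr, getaddresses
import unicodedata

# Assumed contact directory (constructed for the example): normalized display name -> home domain.
# In practice this is curated by the organization, e.g. from a VIP list or the address book.
KNOWN_CONTACTS = {
    "suzanne maloney": "brookings.edu",
    "patrick clawson": "washingtoninstitute.org",
}


def _norm(name: str) -> str:
    """Strip accents, collapse whitespace and case so spelling variants still match."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(name.lower().split())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_org(domain: str, home: str) -> bool:
    """Accept the home domain itself and any of its subdomains (mail.brookings.edu)."""
    return domain == home or domain.endswith("." + home)


def check_message(raw: str, directory=KNOWN_CONTACTS) -> list:
    """Return a list of findings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    home = directory.get(_norm(name))
    if home is None:
        return findings  # display name is not a tracked contact; nothing to compare against
    from_dom = _domain(addr)
    if not _same_org(from_dom, home):
        findings.append(f"display-name impersonation: '{name}' sent from {from_dom}, expected {home}")
    # A Reply-To pointing elsewhere diverts the conversation even when From looks plausible.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if not _same_org(_domain(reply), home):
            findings.append(f"Reply-To diverts replies to {_domain(reply)}")
    # Only a recorded failure is a signal; a lookalike domain the actor owns will usually pass.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        findings.append("sending domain failed DMARC")
    return findings


# Constructed sample messages (not real mail from the campaign); domains are placeholders.
SUSPECT = """From: Suzanne Maloney <s.maloney@brookings-institution-mail.example>
Reply-To: Suzanne Maloney <maloney.collab@mail.example>
To: analyst@thinktank.example
Subject: Collaboration on Iran policy brief
Authentication-Results: mx.thinktank.example; dmarc=pass header.from=brookings-institution-mail.example

Would you be free to review a short draft this week?
"""

LEGIT = """From: Suzanne Maloney <smaloney@brookings.edu>
To: analyst@thinktank.example
Subject: Re: panel next week
Authentication-Results: mx.thinktank.example; dmarc=pass header.from=brookings.edu

Yes, Thursday works.
"""

UNTRACKED = """From: Some Person <someone@random.example>
To: analyst@thinktank.example
Subject: hello

Hi there.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT), ("untracked", UNTRACKED)):
        print(label, check_message(raw) or ["no findings"])
```

Display-name matching catches the case in this campaign, where the actor borrowed a real expert's name; it does not catch an actor who invents a new persona, and it depends on the directory being kept current. Wire the check into a mail-flow rule that quarantines for review rather than drops, since a legitimate contact will occasionally write from a personal address.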
Information Snippets
(Each snippet gives its first-reported time and the outlets reporting it; full article titles are listed under Timeline.)
- The phishing campaign targeted US think tanks and policy experts between June and August 2025. (05.11.2025 12:00; darkreading.com, thehackernews.com, infosecurity-magazine.com)
- UNK_SmudgedSerpent impersonated Suzanne Maloney and Patrick Clawson to lure targets. (05.11.2025 12:00; darkreading.com, thehackernews.com, infosecurity-magazine.com)
- The group used phishing emails with malicious links to steal Microsoft 365 credentials. (05.11.2025 12:00; darkreading.com, thehackernews.com, infosecurity-magazine.com)
- UNK_SmudgedSerpent deployed RMM software, a tactic previously associated with TA450 (MuddyWater). (05.11.2025 12:00; darkreading.com, thehackernews.com, infosecurity-magazine.com)
- The group's TTPs overlapped with multiple known Iranian APTs, including TA453 and TA455. (05.11.2025 12:00; darkreading.com, thehackernews.com, infosecurity-magazine.com)
- The campaign involved infrastructure aligned with TA455 and techniques similar to TA453. (05.11.2025 12:00; darkreading.com, thehackernews.com, infosecurity-magazine.com)
- UNK_SmudgedSerpent used decoy documents and ZIP files containing RMM installers. (05.11.2025 12:00; darkreading.com, thehackernews.com, infosecurity-magazine.com)
- The group's activities suggest possible reorganization or collaboration within Iranian cyber operations. (05.11.2025 12:00; darkreading.com, thehackernews.com, infosecurity-magazine.com)
- The campaign targeted over 20 subject matter experts at a U.S.-based think tank. (05.11.2025 13:20; thehackernews.com, infosecurity-magazine.com)
- The group used a combination of benign conversations and phishing tactics to lure targets. (05.11.2025 13:20; thehackernews.com, infosecurity-magazine.com)
- The attackers impersonated prominent U.S. foreign policy figures associated with think tanks like the Brookings Institution and the Washington Institute. (05.11.2025 13:20; thehackernews.com, infosecurity-magazine.com)
- The phishing emails contained malicious URLs to trick victims into downloading an MSI installer. (05.11.2025 13:20; thehackernews.com, infosecurity-magazine.com)
- The attackers used a spoofed OnlyOffice login page to harvest Microsoft account credentials. (05.11.2025 13:20; thehackernews.com, infosecurity-magazine.com)
- The adversary removed the password requirement on the credential harvesting page after the target communicated suspicions. (05.11.2025 13:20; thehackernews.com, infosecurity-magazine.com)
- UNK_SmudgedSerpent engaged in possible hands-on-keyboard activity to install additional RMM tools like ISL Online through PDQ Connect. (05.11.2025 13:20; thehackernews.com, infosecurity-magazine.com)
- The campaign targeted a U.S.-based academic with a lure seeking assistance in investigating the IRGC. (05.11.2025 13:20; thehackernews.com, infosecurity-magazine.com)
- The campaign targeted an individual in early August 2025, soliciting collaboration on researching Iran's role in Latin America and U.S. policy implications. (05.11.2025 13:20; thehackernews.com, infosecurity-magazine.com)
- UNK_SmudgedSerpent used benign conversation starters to build trust before attempting to steal credentials and deliver malware. (05.11.2025 18:00; infosecurity-magazine.com)
- The group shared spoofed collaboration materials via an OnlyOffice-styled link that led to health-themed domains. (05.11.2025 18:00; infosecurity-magazine.com)
- The email campaign was observed to have started in June 2025. (05.11.2025 18:00; infosecurity-magazine.com)
- The group used a ZIP file containing an MSI installer to load RMM tools. (05.11.2025 18:00; infosecurity-magazine.com)
- The group's activity was observed to have paused, but concerns persist due to the tactical overlap with known Iranian APTs. (05.11.2025 18:00; infosecurity-magazine.com)
- The group's tactics and infrastructure suggest possible personnel movement or shared infrastructure procurement between Iranian contracting outfits. (05.11.2025 18:00; infosecurity-magazine.com)
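The infection chain the snippets above describe (a ZIP from the phishing page, an MSI installer inside it, an RMM agent dropped by the MSI, then a second RMM product installed through the first) leaves a recognizable pattern in endpoint process-creation telemetry. The following Python is an added example written for this page rather than detection content from Proofpoint or the cited articles; it runs three rules over Sysmon Event ID 1-style records. The sample events, the executable and package name fragments used to recognize PDQ Connect and ISL Online, and the 15-minute correlation window are all assumptions made for the example.

```python
"""Hunt for the ZIP -> MSI -> RMM -> second RMM chain in process-creation telemetry.
Added example for this page; not detection content from Proofpoint or the cited articles.
Input records carry Sysmon Event ID 1 fields: UtcTime, Computer, Image, CommandLine, ParentImage."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed name fragments for the two RMM products named on the page (executable and package names).
RMM_MARKERS = {
    "PDQ Connect": ("pdqconnect",),
    "ISL Online": ("isllight", "islonline"),
}
# An .msi launched from a per-user Downloads or Temp directory, i.e. where a ZIP gets extracted.
USER_WRITABLE_MSI = re.compile(r'[a-z]:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\[^"]*\.msi', re.I)
WINDOW = timedelta(minutes=15)  # assumed: how soon after the MSI the agent must appear to correlate


def rmm_product(text: str):
    """Return the RMM product a path or command line refers to, or None."""
    t = text.lower()
    for product, markers in RMM_MARKERS.items():
        if any(m in t for m in markers):
            return product
    return None


def load_events(text: str) -> list:
    """Parse JSON-lines telemetry (one event per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events) -> list:
    """Return (host, severity, description) tuples in chronological order."""
    events = sorted(events, key=lambda e: e["UtcTime"])
    alerts = []
    user_msi = defaultdict(list)   # host -> times of msiexec runs from user-writable paths
    seen_agent = defaultdict(set)  # host -> RMM products already observed running
    for ev in events:
        host, image, cmd, parent = ev["Computer"], ev["Image"], ev["CommandLine"], ev["ParentImage"]
        t = datetime.fromisoformat(ev["UtcTime"])
        # Rule A: msiexec installing a package from a user-writable path (noisy on its own).
        if image.lower().endswith("\\msiexec.exe") and USER_WRITABLE_MSI.search(cmd):
            user_msi[host].append(t)
            alerts.append((host, "medium", "msiexec ran a package from a user-writable path"))
        # Rule B: an RMM agent first appears shortly after such an install. The agent is usually
        # started by the service control manager, not by msiexec, so correlate by host and time.
        product = rmm_product(image)
        if product and product not in seen_agent[host]:
            seen_agent[host].add(product)
            if any(t - t0 <= WINDOW for t0 in user_msi[host]):
                alerts.append((host, "high", f"{product} agent first seen within {WINDOW} of a user-path MSI install"))
        # Rule C: one RMM product launching an installer for another (tool stacking over the foothold).
        parent_product = rmm_product(parent)
        child_product = rmm_product(image) or rmm_product(cmd)
        if parent_product and child_product and parent_product != child_product:
            alerts.append((host, "high", f"{parent_product} spawned an installer for {child_product}"))
    return alerts


# Constructed sample telemetry (not real campaign logs), deliberately out of time order.
SAMPLE_EVENTS = r'''
{"UtcTime":"2025-08-05 11:00:00","Computer":"WS02","Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec.exe /i \"C:\\Users\\bob\\Downloads\\vendor-update.msi\"","ParentImage":"C:\\Windows\\explorer.exe"}
{"UtcTime":"2025-08-05 10:00:00","Computer":"WS01","Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec.exe /i \"C:\\Users\\analyst\\Downloads\\Policy_Brief\\Brief_Draft.msi\"","ParentImage":"C:\\Windows\\explorer.exe"}
{"UtcTime":"2025-08-05 10:01:10","Computer":"WS01","Image":"C:\\Program Files\\PDQ\\PDQConnectAgent\\PDQConnectAgent.exe","CommandLine":"\"C:\\Program Files\\PDQ\\PDQConnectAgent\\PDQConnectAgent.exe\"","ParentImage":"C:\\Windows\\System32\\services.exe"}
{"UtcTime":"2025-08-05 10:40:00","Computer":"WS01","Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec.exe /i C:\\Windows\\Temp\\ISLLightClient.msi /qn","ParentImage":"C:\\Program Files\\PDQ\\PDQConnectAgent\\PDQConnectAgent.exe"}
{"UtcTime":"2025-08-05 10:42:00","Computer":"WS01","Image":"C:\\Program Files\\ISL Online\\ISL Light Client\\ISLLight.exe","CommandLine":"ISLLight.exe","ParentImage":"C:\\Windows\\System32\\services.exe"}
'''

if __name__ == "__main__":
    for host, severity, description in analyze(load_events(SAMPLE_EVENTS)):
        print(f"[{severity:6}] {host}: {description}")
```

Rule A alone fires on ordinary software installs, which is why it only escalates when an RMM agent shows up inside the window; on WS02 in the sample it stays at medium. Rule C needs no window, since a legitimate RMM deployment rarely installs a competing RMM product, and it is the rule that captures the hands-on-keyboard step reported for this campaign.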
Similar Happenings
HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack
The North Korea-linked threat actor Kimsuky distributed a new backdoor named HttpTroy in a targeted spear-phishing attack against a South Korean entity. The attack involved a ZIP file disguised as a VPN invoice, which contained a multi-stage malware chain. HttpTroy enables file transfers, screenshot capture, command execution, and other malicious activities. The malware uses advanced obfuscation techniques to evade detection. The attack was detected by Gen Digital, which did not specify the exact timeline of the incident. The initial vector is suspected to be a phishing email, as no known vulnerabilities were exploited. The malware communicates with a command-and-control server over HTTP POST requests. The attack chain includes a dropper, a loader (MemLoad), and the final backdoor (HttpTroy). The ZIP file contained a Microsoft Windows screensaver (.scr) file, which displayed a PDF invoice written in Korean while loading the rest of the attack chain until the backdoor was running. HttpTroy supports a wide range of remote actions and increases stealth by encrypting its communications, obfuscating payloads, and executing code in memory. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in its attacks. These groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection.
MuddyWater Phishing Campaign Using Compromised Mailboxes
The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack.
Confucius Targets Pakistan with WooperStealer and Anondoor Malware
The threat actor Confucius has launched a new phishing campaign targeting Pakistan, deploying WooperStealer and Anondoor malware. The campaign has targeted government agencies, military organizations, defense contractors, and critical industries since at least December 2024. The attacks use spear-phishing and malicious documents to deliver malware that steals sensitive data and exfiltrates device information. Confucius has shifted from document-focused stealers to more advanced Python-based backdoors like Anondoor, which provides long-term persistence and command execution capabilities. The group employs DLL side-loading, obfuscated PowerShell scripts, scheduled tasks, and stealthy exfiltration routines to achieve persistence and evade detection. Anondoor is capable of full host profiling, collecting system details, geolocating public IPs, and inventorying disk volumes before receiving tasking from its command-and-control (C2) servers.
TA558 Uses AI-Generated Scripts to Deliver Venom RAT in Brazil Hotel Attacks
TA558, tracked as RevengeHotels, has launched new attacks targeting hotels in Brazil and Spanish-speaking markets. The group uses AI-generated scripts to deploy Venom RAT via phishing emails. The campaign aims to capture credit card data from guests and travelers. The threat actor has been active since 2015, focusing on hospitality and travel sectors. They have historically used various RATs and custom malware to achieve their goals. The latest campaign involves phishing emails with Portuguese and Spanish lures, leading to the download of malicious scripts and payloads. Venom RAT, based on Quasar RAT, includes features like data exfiltration, reverse proxy, and anti-kill mechanisms. It spreads via USB drives and disables Microsoft Defender Antivirus.
APT41 targets U.S. trade officials with phishing campaigns amid negotiations
APT41, a China-linked threat group, has been conducting targeted phishing campaigns against U.S. trade officials, law firms, think tanks, and academic organizations. The attacks, impersonating U.S. officials and organizations, aim to steal sensitive data related to U.S.-China trade negotiations. The campaigns have been ongoing since at least January 2025, with a surge in activity observed in July and August 2025. The U.S. House Select Committee on China has issued a formal advisory warning about these activities, linking them to a Beijing-led effort to influence policy deliberations. The FBI is investigating these attacks. The phishing emails impersonate U.S. officials, including Rep. John Robert Moolenaar, and organizations such as the U.S.-China Business Council, to trick recipients into opening malicious attachments or links. The attacks exploit software and cloud services to evade detection and exfiltrate data. The goal is to gain an advantage in trade and foreign policy negotiations. The Chinese embassy has denied the allegations, stating that China opposes cyber attacks and cyber crime. APT41 has been linked to various sophisticated campaigns targeting multiple sectors, including logistics, utility companies, healthcare, high-tech, and telecommunications.