
UNK_SmudgedSerpent overlaps with TA453, TA455 and TA450; campaign expands across multiple victims

Campaign
H score 33
2 unique sources, 2 articles

Summary


UNK_SmudgedSerpent is a previously unknown campaign that targeted academics and foreign policy experts focused on Iran and related policy issues between June and August 2025. The activity used benign email conversations, domestic political lures, and spoofed collaboration materials to drive victims toward credential harvesting and follow-on payload delivery. In some cases, the chain used an OnlyOffice-styled path, a ZIP archive with an MSI installer, and legitimate RMM software such as PDQ Connect and ISL Online. Proofpoint said the cluster overlaps with TA453, TA455, and TA450, but attribution remains unconfirmed.

Related Happenings

Contagious Interview cryptocurrency social-engineering and malware-delivery campaign

Campaign
First: 23.03.2026 20:09 Last: 23.03.2026 20:09 Sources 1

About this happening: A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...

Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign

Campaign
First: 09.03.2026 23:24 Last: 09.03.2026 23:24 Sources 1

About this happening: An **ongoing Russian state-sponsored phishing campaign** is targeting **Signal** and **WhatsApp** users, with the **UK NCSC** warning on **March 31** that **Russia-based actors**...

RedKitten campaign targeting Iranian dissidents with forged shock lures

Campaign
First: 30.01.2026 13:55 Last: 30.01.2026 13:55 Sources 1

About this happening: The **RedKitten** campaign is spreading **SloppyMIO** malware in **Iran**, putting **NGOs** and people documenting protest-related human rights abuses at risk of surveillance and...

Tomiris 2025 government-targeting campaign

Campaign
First: 01.12.2025 07:07 Last: 01.12.2025 07:07 Sources 1

About this happening: The **Tomiris 2025 campaign** is using **phishing** and **public-service C2** to target **foreign ministries**, **intergovernmental organizations**, and **government entities**, i...

APT42 SpearSpecter espionage campaign

Campaign
First: 14.11.2025 16:40 Last: 14.11.2025 16:40 Sources 1

About this happening: The **APT42** **SpearSpecter** campaign is **ongoing**, and it is targeting **senior defense and government officials** with personalized social engineering that also reaches **fa...

Timeline

  1. 05.11.2025 18:00 3 articles · 6mo ago

    Proofpoint discloses UNK_SmudgedSerpent campaign

    Initial Disclosure

    Proofpoint identifies UNK_SmudgedSerpent as a previously unknown actor targeting academics and foreign policy experts focused on Iran and global political developments, with activity running between June and August 2025. The campaign used benign email exchanges, spoofed collaboration materials, an OnlyOffice-styled link, credential collection on health-themed domains, and a ZIP file with an MSI payload that loaded PDQ Connect and later ISL Online. Proofpoint also says the cluster overlaps with TA453, TA455 and TA450, but there is no confirmed attribution.
