Crossed wires: a case study of Iranian espionage and attribution
Essential information
- Published
- 05/11/2025 19:04
- Modified
- 05/11/2025 22:10
- Tags
- 2025-11-05 attribution challenges credential harvesting espionage iranian threat actor isl online minibike minijunk overlapping ttps pdqconnect phishing policy experts targeting rmm tools
- Related entities
- 55 observables, 1 intrusion sets (apt), 16 techniques (mitre), 5 others
Description
This analysis examines a newly identified threat actor dubbed UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. The actor used domestic political lures related to Iran, benign conversation starters, health-themed infrastructure, and Remote Management & Monitoring tools. The investigation revealed overlapping tactics with several Iranian threat groups, including TA455, TA453, and TA450. While attribution remains uncertain, the targeting and techniques align with Iranian intelligence priorities. The analysis explores possible explanations for the convergence of tactics, such as shared resources, personnel mobility, or collaboration between Iranian agencies.