A mysterious new hacking group known as SmudgedSerpent has been found targeting U.S. policy experts and academics who focus on Iran-related issues. The campaign took place between June and August 2025, a period marked by increasing tension between Iran and Israel. Cybersecurity researchers believe this was a deliberate espionage attempt linked to the ongoing regional conflict.

According to experts from Proofpoint, the hackers used fake emails and impersonated well-known think-tank members to make their attacks look genuine. The emails appeared to come from organizations such as the Brookings Institution or the Washington Institute for Near East Policy. These fake messages were carefully crafted to trick victims into clicking on links or downloading files that seemed safe.

In one case, the attackers opened with a harmless-looking message asking the target to confirm whether an earlier email was genuine. Once the victim responded, they sent a follow-up link that looked like an invitation to a meeting or a document share. When clicked, it led to a fake Microsoft login page that stole the user’s credentials. This realistic design made it very difficult for users to identify the scam.

In some versions of the attack, the hackers used a malicious installer disguised as Microsoft Teams. When downloaded, it secretly installed remote-access software, giving the attackers control over the victim’s computer. These programs allowed them to monitor activity and collect sensitive information without the user knowing.

Security analysts reported that more than 20 individuals were targeted in this campaign, mostly U.S.-based researchers and policy experts working on Iranian affairs. The timing of the operation aligns with growing cyber activities surrounding the Iran–Israel conflict, suggesting that this attack may have been politically motivated and designed for intelligence gathering.

While researchers have not officially attributed SmudgedSerpent to any country, several indicators suggest possible links to Iran-aligned threat actors. The phishing methods, message tone, and choice of targets closely resemble tactics used in past Iranian cyber-espionage campaigns. However, the investigation is still ongoing and analysts continue to monitor the group’s activities.

Cybersecurity teams have since released detection rules and warnings to help organizations identify similar phishing attempts. They advise users to be cautious of unfamiliar meeting invites or document links, even if they seem to come from trusted contacts. Multi-factor authentication (MFA) and regular verification of email sources are recommended as key defense measures.
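The three lures described above (a display name borrowing a think-tank identity, a link to a lookalike Microsoft sign-in page, and an installer posing as the Teams client) can each be checked mechanically at the mail gateway or in a SOC triage script. The following Python is an added example written for this article, not code from Proofpoint or any vendor's detection rules: it runs three simple heuristics over constructed sample messages. The organisation-to-domain allow-list, the set of Microsoft sign-in hosts and the brand-word list are assumptions for illustration and would be tuned per environment.

```python
import re
from urllib.parse import urlparse

# Organisations the report says were impersonated, mapped to the domains their
# genuine mail would use. Assumed allow-list for illustration only.
ORG_DOMAINS = {
    "brookings": {"brookings.edu"},
    "washington institute": {"washingtoninstitute.org"},
}

# Hosts that legitimately serve a Microsoft sign-in page (illustrative subset).
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
MS_DOMAIN_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".office.com", ".live.com")

# Brand words that make a non-Microsoft hostname look like a Microsoft service.
MS_BRAND_TOKENS = ("microsoft", "office", "onedrive", "sharepoint", "teams", "outlook")

INSTALLER_SUFFIXES = (".exe", ".msi", ".msix")

FROM_RE = re.compile(r'^\s*"?([^"<]*)"?\s*<([^>]+)>\s*$')
URL_RE = re.compile(r'https?://[^\s"<>)]+')


def parse_from(header):
    """Split 'Display Name <user@domain>' into (display_name, sender_domain)."""
    m = FROM_RE.match(header)
    if not m:
        # Bare address with no display name.
        return "", header.strip().rsplit("@", 1)[-1].lower()
    name, addr = m.group(1).strip(), m.group(2).strip()
    return name, addr.rsplit("@", 1)[-1].lower()


def is_microsoft_host(host):
    return host in MS_LOGIN_HOSTS or host.endswith(MS_DOMAIN_SUFFIXES)


def analyse(msg):
    """Return a list of finding tags for one message dict ({'id', 'from', 'body'})."""
    findings = []
    name, domain = parse_from(msg["from"])
    lowered = name.lower()

    # 1. Display name claims a think-tank identity, but the address comes from
    #    a domain that organisation does not use.
    for org, domains in ORG_DOMAINS.items():
        if org in lowered and not any(domain == d or domain.endswith("." + d) for d in domains):
            findings.append(f"display-name-impersonates:{org}")

    for url in URL_RE.findall(msg.get("body", "")):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if is_microsoft_host(host):
            continue
        # 2. Non-Microsoft host dressed up with Microsoft brand words: the
        #    classic credential-harvesting lookalike.
        if any(tok in host for tok in MS_BRAND_TOKENS):
            findings.append(f"ms-lookalike-host:{host}")
        # 3. Executable download served from somewhere other than Microsoft:
        #    the "Teams installer" lure.
        if path.endswith(INSTALLER_SUFFIXES):
            findings.append(f"installer-from-untrusted-host:{host}")
    return findings


def triage(messages):
    """Map message id -> findings for a batch of messages."""
    return {m["id"]: analyse(m) for m in messages}


# Constructed sample messages; the domains are placeholders, not real indicators.
SAMPLE_MESSAGES = [
    {
        "id": "m1",
        "from": '"Jane Analyst (Brookings Institution)" <jane.analyst@mail-brookings-institute.example>',
        "body": "Could you confirm you received my note? Meeting details here: "
                "https://login.microsoft-online.example/common/oauth2/authorize?id=123",
    },
    {
        "id": "m2",
        "from": '"Conference Support" <support@teams-update.example>',
        "body": "Install the meeting client first: https://teams-update.example/download/TeamsSetup.exe",
    },
    {
        "id": "m3",
        "from": '"Brookings Events" <events@brookings.edu>',
        "body": "Register for the panel: https://www.brookings.edu/events/iran-policy-panel",
    },
]

if __name__ == "__main__":
    for msg_id, hits in triage(SAMPLE_MESSAGES).items():
        print(msg_id, hits or "clean")
```

Each heuristic on its own produces false positives (a partner legitimately writing from a personal address, a CDN host with "office" in its name), so in practice these tags feed a risk score or an analyst queue rather than an automatic block; the point is that the lures in this campaign leave observable mismatches between what a message claims and where it actually comes from.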

In summary, the SmudgedSerpent campaign shows how sophisticated phishing and social engineering tactics can be used for global espionage. By exploiting trust and professional communication channels, the hackers were able to reach high-level experts and policy researchers. This incident is a reminder that in today’s digital world, even the most credible-looking message can hide a serious cyber threat.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news