Crossed wires: a case study of Iranian espionage and attribution

Intel Name: Crossed wires: a case study of Iranian espionage and attribution

Date of Scan: November 6, 2025

Impact: High

Summary:
Between June and August 2025, we observed a newly identified threat actor, designated UNK_SmudgedSerpent, conducting targeted operations against academics and foreign policy experts. The group employed domestic political lures, referencing topics such as societal changes in Iran and investigations into the IRGC’s militarization. UNK_SmudgedSerpent initiated contact using benign conversation openers and leveraged health-related infrastructure, spoofed OnlyOffice file-hosting services, and Remote Monitoring and Management (RMM) tools to further its objectives. Throughout the investigation, the actor exhibited tactics, techniques, and procedures (TTPs) consistent with several known Iranian threat groups, including TA455 (C5 Agent, Smoke Sandstorm), TA453 (Charming Kitten, Mint Sandstorm), and TA450 (MuddyWater, Mango Sandstorm). While overlapping TTPs complicate definitive attribution, multiple hypotheses may explain potential links or operational overlap between UNK_SmudgedSerpent and these established Iranian entities.
