Mysterious 'SmudgedSerpent' Hackers Target U.S. Policy Experts Amid Iran-Israel Tensions

"The email messages bear all hallmarks of a classic Charming Kitten attack, with the threat actors reeling in prospective targets by engaging with them in benign conversations before attempting to phish for their credentials. In some cases, the emails have been found to contain malicious URLs to trick victims into downloading an MSI installer that, while masquerading as Microsoft Teams, ultimately deploys legitimate Remote Monitoring and Management (RMM) software like PDQ Connect, a tactic often embraced by MuddyWater."
"Proofpoint said the digital missives have also impersonated prominent U.S. foreign policy figures associated with think tanks like Brookings Institution and Washington Institute to lend them a veneer of legitimacy and increase the likelihood of success of the attack. Targets of these efforts are over 20 subject matter experts of a U.S.-based think tank who focus on Iran-related policy matters."
UNK_SmudgedSerpent carried out cyberattacks between June and August 2025 targeting academics and foreign policy experts amid heightened tensions between Iran and Israel. The cluster used domestic political lures, including societal change in Iran and probes into IRGC militarization, and exhibited tactics similar to TA455, TA453, and TA450. Attackers engaged targets in benign conversation to phish credentials and sometimes delivered MSI installers disguised as Microsoft Teams that installed legitimate RMM tools like PDQ Connect. The campaign impersonated prominent U.S. foreign policy figures to enhance credibility. Over 20 Iran-focused experts at a U.S. think tank were targeted, with at least one interaction including identity verification demands.
Read at The Hacker News