Crossed Wires: A Case Study of Iranian Espionage and Attribution

    Date: 11/06/2025

    Severity: High

    Summary

    Between June and August 2025, we observed a newly identified threat actor, designated UNK_SmudgedSerpent, conducting targeted operations against academics and foreign policy experts. The group employed domestic political lures, referencing topics such as societal changes in Iran and investigations into the IRGC’s militarization. UNK_SmudgedSerpent initiated contact using benign conversation openers and leveraged health-related infrastructure, spoofed OnlyOffice file-hosting services, and Remote Monitoring and Management (RMM) tools to further its objectives. Throughout the investigation, the actor exhibited tactics, techniques, and procedures (TTPs) consistent with several known Iranian threat groups, including TA455 (C5 Agent, Smoke Sandstorm), TA453 (Charming Kitten, Mint Sandstorm), and TA450 (MuddyWater, Mango Sandstorm). While overlapping TTPs complicate definitive attribution, multiple hypotheses may explain potential links or operational overlap between UNK_SmudgedSerpent and these established Iranian entities.

    Indicators of Compromise (IOC) List

    Domains / URLs:


    Email Addresses:

    suzzanemaloney@gmail.com 

    suzannemaloney68@gmail.com

    patrickclawson51@gmail.com

    patrick.clawson51@outlook.com 

    Hashes (SHA-256):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "gocareers.org" or url like "gocareers.org" or siteurl like "gocareers.org" or domainname like "careersworld.org" or url like "careersworld.org" or siteurl like "careersworld.org" or domainname like "healthiestmama.com" or url like "healthiestmama.com" or siteurl like "healthiestmama.com" or domainname like "careers2find.com" or url like "careers2find.com" or siteurl like "careers2find.com" or domainname like "careers-hub.org" or url like "careers-hub.org" or siteurl like "careers-hub.org" or domainname like "accountroyal.com" or url like "accountroyal.com" or siteurl like "accountroyal.com" or domainname like "rheinmetallcareer.org" or url like "rheinmetallcareer.org" or siteurl like "rheinmetallcareer.org" or domainname like "clearmindhealthandwellness.com" or url like "clearmindhealthandwellness.com" or siteurl like "clearmindhealthandwellness.com" or domainname like "ebixcareers.com" or url like "ebixcareers.com" or siteurl like "ebixcareers.com" or domainname like "thebesthomehealth.com" or url like "thebesthomehealth.com" or siteurl like "thebesthomehealth.com" or domainname like "healthcarefluent.com" or url like "healthcarefluent.com" or siteurl like "healthcarefluent.com" or domainname like "marketinglw.com" or url like "marketinglw.com" or siteurl like "marketinglw.com" or domainname like "mosaichealthsolutions.com" or url like "mosaichealthsolutions.com" or siteurl like "mosaichealthsolutions.com" or domainname like "careers-portal.org" or url like "careers-portal.org" or siteurl like "careers-portal.org" or domainname like "global-careers.com" or url like "global-careers.com" or siteurl like "global-careers.com" or domainname like "healthinfusiontherapy.com" or url like "healthinfusiontherapy.com" or siteurl like "healthinfusiontherapy.com" or domainname like "healthcrescent.com" or url like "healthcrescent.com" or siteurl like "healthcrescent.com" or domainname like "rheinmetallcareer.com" or url like "rheinmetallcareer.com" or 
siteurl like "rheinmetallcareer.com" or domainname like "msnapp.help" or url like "msnapp.help" or siteurl like "msnapp.help" or domainname like "germanywork.org" or url like "germanywork.org" or siteurl like "germanywork.org" or domainname like "msnapp.live" or url like "msnapp.live" or siteurl like "msnapp.live" or domainname like "rhealthylivingsolutions.com" or url like "rhealthylivingsolutions.com" or siteurl like "rhealthylivingsolutions.com" or domainname like "sulumorbusinessservices.com" or url like "sulumorbusinessservices.com" or siteurl like "sulumorbusinessservices.com" or domainname like "bodywellnessbycynthia.com" or url like "bodywellnessbycynthia.com" or siteurl like "bodywellnessbycynthia.com" or domainname like "virgomarketingsolutions.com" or url like "virgomarketingsolutions.com" or siteurl like "virgomarketingsolutions.com" or domainname like "usa-careers.com" or url like "usa-careers.com" or siteurl like "usa-careers.com" or domainname like "mojavemassageandwellness.com" or url like "mojavemassageandwellness.com" or siteurl like "mojavemassageandwellness.com"

    Detection Query 2:

    domainname like "emiratesgroup-careers.com" or url like "emiratesgroup-careers.com" or siteurl like "emiratesgroup-careers.com" or domainname like "flydubai-careers.com" or url like "flydubai-careers.com" or siteurl like "flydubai-careers.com" or domainname like "airbusgroup-careers.com" or url like "airbusgroup-careers.com" or siteurl like "airbusgroup-careers.com" or domainname like "rheinmetallcareers.com" or url like "rheinmetallcareers.com" or siteurl like "rheinmetallcareers.com" or domainname like "opportunities2get.com" or url like "opportunities2get.com" or siteurl like "opportunities2get.com" or domainname like "emiratescareers.org" or url like "emiratescareers.org" or siteurl like "emiratescareers.org" or domainname like "droneflywell.com" or url like "droneflywell.com" or siteurl like "droneflywell.com" or domainname like "ehealthpsuluth.com" or url like "ehealthpsuluth.com" or siteurl like  "ehealthpsuluth.com" or domainname like "worldcareers.org" or url like "worldcareers.org" or siteurl like "worldcareers.org" or domainname like "uavnodes.com" or url like "uavnodes.com" or siteurl like "uavnodes.com" or domainname like "thecareershub.org" or url like "thecareershub.org" or siteurl like "thecareershub.org"  or domainname like "easymarketing101.com" or url like "easymarketing101.com" or siteurl like "easymarketing101.com" or domainname like "collaboromarketing.com" or url like "collaboromarketing.com" or siteurl like "collaboromarketing.com" or domainname like "anteromarketing.com" or url like "anteromarketing.com" or siteurl like "anteromarketing.com" or domainname like "airbusaerodefence.nl" or url like "airbusaerodefence.nl" or siteurl like "airbusaerodefence.nl" or domainname like "msnclouds.com" or url like "msnclouds.com" or siteurl like "msnclouds.com" or domainname like "kibanacore.com" or url like "kibanacore.com" or siteurl like "kibanacore.com" or domainname like "boeingspace.com" or url like "boeingspace.com" or siteurl like 
"boeingspace.com" or domainname like "airbusaerodefence.com" or url like "airbusaerodefence.com" or siteurl like "airbusaerodefence.com" or domainname like "jadehealthcenter.com" or url like "jadehealthcenter.com" or siteurl like "jadehealthcenter.com" or domainname like "zytonhealth.com" or url like "zytonhealth.com" or siteurl like "zytonhealth.com" or domainname like "alwayslivehealthy.com" or url like "alwayslivehealthy.com" or siteurl like "alwayslivehealthy.com" or domainname like "chakracleansetherapy.com" or url like "chakracleansetherapy.com" or siteurl like "chakracleansetherapy.com" or domainname like "palaerospace.careers" or url like "palaerospace.careers" or siteurl like "palaerospace.careers" or domainname like "airbushiring.com" or url like "airbushiring.com" or siteurl like "airbushiring.com" or domainname like "joinboeing.com" or url like "joinboeing.com" or siteurl like "joinboeing.com" or domainname like "rheinmetallcareer.onlyoffice.com" or url like "rheinmetallcareer.onlyoffice.com" or siteurl like "rheinmetallcareer.onlyoffice.com" or domainname like "boeinginformation.onlyoffice.com" or url like "boeinginformation.onlyoffice.com" or siteurl like "boeinginformation.onlyoffice.com" or domainname like "airbus-careers.onlyoffice.com" or url like "airbus-careers.onlyoffice.com" or siteurl like "airbus-careers.onlyoffice.com" or domainname like "airbus-survay.onlyoffice.com" or url like "airbus-survay.onlyoffice.com" or siteurl like "airbus-survay.onlyoffice.com" or domainname like "malebachhew2506090936.onlyoffice.com" or url like "malebachhew2506090936.onlyoffice.com" or siteurl like "malebachhew2506090936.onlyoffice.com" or domainname like "randcorp.onlyoffice.com" or url like "randcorp.onlyoffice.com" or siteurl like "randcorp.onlyoffice.com" or domainname like "https://suzzanemaloney2506090953.onlyoffice.com/s.-k6vjflsdagdsfgh" or url like "https://suzzanemaloney2506090953.onlyoffice.com/s.-k6vjflsdagdsfgh" or siteurl like 
"https://suzzanemaloney2506090953.onlyoffice.com/s.-k6vjflsdagdsfgh" or domainname like "dronetechasia.org" or url like "dronetechasia.org" or siteurl like "dronetechasia.org" or domainname like "asiandefenses.com" or url like "asiandefenses.com" or siteurl like "asiandefenses.com" 

    Detection Query 3:

    sender IN ("suzzanemaloney@gmail.com","suzannemaloney68@gmail.com","patrickclawson51@gmail.com","patrick.clawson51@outlook.com") or recipients IN  ("suzzanemaloney@gmail.com","suzannemaloney68@gmail.com","patrickclawson51@gmail.com","patrick.clawson51@outlook.com")

    Detection Query 4:

    sha256hash IN ("7b5fb8202bff90398ab007579713f66430778249e43b46f35df6c3ded628f129","129a40e38ef075c7d33d8517b268eb023093c765a32e406b58f39fab6cc6a040","6eb7df21d6f1e3546c252a112504eefbb19205167db89038f2861118bbc8871c","0bdb64fc1d5533f7b3fffaf821e89f286ad2d7400a914f21abdcbb7bb8a39e63","cac018dccdf6ce4bef19ab71e3e737724aed104bc824332a5213c878b065ff50","85858880ee7659cc1152b6a126bc20b9b4fb1b46dddea5af2d65d48d58cd058","0fcdaa2f4db94e0589617830d3d80430627815ef0e4b0c7b7ff5c1ebb82a4136","1e9c31ce0eba2100d416f5bc3b97dafe2da0d3d9aee96de59ec774365fe3fe89")
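The four queries above express one idea: match the domain, URL, sender and hash fields of events against the published IOCs. The following is an added example, not part of this advisory or of Gurucul's TDIR product, that implements the same matching in Python over constructed events; it assumes events are dicts keyed by the field names used in the queries, normalizes URLs to a hostname, and treats a subdomain of a listed domain as a hit. Only a subset of the page's IOCs is embedded.

```python
"""Match proxy, mail and file-hash events against the IOCs published in this advisory."""
from urllib.parse import urlsplit

# Subset of the IOC domains, URL hosts, sender addresses and SHA-256 hashes listed above.
IOC_DOMAINS = {"gocareers.org", "rheinmetallcareer.onlyoffice.com",
               "suzzanemaloney2506090953.onlyoffice.com", "thebesthomehealth.com"}
IOC_SENDERS = {"suzzanemaloney@gmail.com", "patrick.clawson51@outlook.com"}
IOC_SHA256 = {"7b5fb8202bff90398ab007579713f66430778249e43b46f35df6c3ded628f129"}


def host_of(value):
    """Reduce a URL or bare host to a lowercase hostname without port or trailing dot."""
    if "://" not in value:
        value = "//" + value  # urlsplit needs a scheme separator to populate netloc
    host = urlsplit(value).hostname or ""
    return host.lower().rstrip(".")


def matches_domain(value):
    """True if the host equals an IOC domain or is a subdomain of one (e.g. www.gocareers.org)."""
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan(events):
    """Return [(event id, reason)] for events that hit an IOC. Each event is a dict with an
    'id' and any of 'url', 'domainname', 'siteurl', 'sender', 'recipients', 'sha256hash'."""
    hits = []
    for ev in events:
        for field in ("url", "domainname", "siteurl"):  # same fields the queries inspect
            if field in ev and matches_domain(ev[field]):
                hits.append((ev["id"], f"{field} matches IOC domain {host_of(ev[field])}"))
                break
        addrs = {ev.get("sender", "").lower(), *[r.lower() for r in ev.get("recipients", [])]}
        if addrs & IOC_SENDERS:
            hits.append((ev["id"], "mail address matches IOC sender list"))
        if ev.get("sha256hash", "").lower() in IOC_SHA256:
            hits.append((ev["id"], "sha256 matches IOC hash list"))
    return hits


# Constructed sample events (not real telemetry): event 3 is benign, the others hit IOCs.
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://www.gocareers.org/apply?id=7"},
    {"id": 2, "url": "https://suzzanemaloney2506090953.onlyoffice.com/s.-k6vjflsdagdsfgh"},
    {"id": 3, "url": "https://onlyoffice.com/"},  # legitimate vendor apex, must not be flagged
    {"id": 4, "sender": "Patrick.Clawson51@outlook.com", "recipients": ["analyst@example.org"]},
    {"id": 5, "sha256hash": "7B5FB8202BFF90398AB007579713F66430778249E43B46F35DF6C3DED628F129"},
]
```

Event 3 shows that the legitimate onlyoffice.com apex is not flagged; only the listed spoofed subdomains are, and case differences in addresses and hashes do not cause misses.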

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/crossed-wires-case-study-iranian-espionage-and-attribution


    Tags

    Threat Actor, Iran, UNK_SmudgedSerpent, Education, Defense Industrial Base, IRGC, Healthcare and Public Health, Remote monitoring and management (RMM), TA455, C5 Agent, Smoke Sandstorm, TA453, Charming Kitten, Mint Sandstorm, TA450, MuddyWater, Mango Sandstorm
