
Anonymous Hackers Tied to Iran’s Regime Targeted American Researchers with Fake e-Mails


Proofpoint, a U.S. cybersecurity firm, reported that an anonymous group of hackers tied to Iran’s regime used sophisticated deception and social-engineering techniques to target academics and foreign-policy experts in the United States.

According to the firm’s researchers, the attack campaign — active between June and August 2025 — represents an evolution in Iranian state cyber espionage, where attackers combined traditional phishing techniques with legitimate remote-management tools to infiltrate sensitive targets.


Proofpoint says the group used Iran-related political topics — including social changes and research into the militarization of the Islamic Revolutionary Guard Corps (IRGC) — as lures to deceive victims.

The hackers sent seemingly innocuous e-mails containing fake health-related links, bogus OnlyOffice hosts (a document collaboration platform), and remote-management tools.

Analysts say the tactics and tooling closely resemble those used by several known Iran-linked groups, but because of a lack of definitive evidence, Proofpoint has classified this actor independently.

Investigators found that the attack chain began with a simple conversation and an e-mail about Iran’s economic and political situation, followed by efforts to steal account credentials. The attackers then sent victims links to archive files containing malicious code, which installed remote-management software on the target machines.

In the group’s first campaign in June 2025, the hackers impersonated a Brookings Institution staffer and contacted more than 20 U.S. researchers. The approach was technically similar to previous attacks by one of the known groups. The e-mails used the fake name “Susan Maloney,” presented as a director of the foreign-policy program at the Brookings Institution (a U.S. think tank).

Victims then received a link that appeared to point to OnlyOffice but redirected to a fake Microsoft login page hosted on a health-themed domain. After one target became suspicious of the phishing page, the attackers modified the login page and used the new version to continue the attack.

Later, zipped files contained programs that launched “PDQ Connect” (a remote-control application). In some cases, another tool called “ISL Online” was also installed, which provided attackers with direct access to the victim’s system.

Proofpoint said the high similarity in methods and infrastructure makes firm attribution to a specific known organization difficult. Nevertheless, the review shows the new actor’s tactics and targets align with the established patterns of Iran-linked groups.

Researchers say the continuous targeting of Iran-related foreign-policy experts remains a priority for the intelligence efforts of Iran’s regime.
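The chain described above ends with an archive being opened and PDQ Connect or ISL Online appearing on the victim's machine, which a defender can hunt for by correlating those two events per host. The following is an added example, not code from Proofpoint or from this article; the event schema, hostnames, file path, timestamps and the approved-deployment list are constructed assumptions.

```python
from datetime import datetime, timedelta

# Products named in the report; matching on a product-name field is an
# assumption about what the endpoint telemetry records.
WATCHED_RMM = ("pdq connect", "isl online")
# (host, product keyword) pairs deployed by IT (hypothetical allowlist).
APPROVED = {("it-007", "pdq connect")}

# Constructed sample events (hypothetical schema, hosts and timestamps).
EVENTS = [
    {"ts": "2024-01-10T09:02:11", "host": "ws-041", "type": "archive_extracted",
     "path": r"C:\Users\analyst\Downloads\paper_draft.zip"},
    {"ts": "2024-01-10T09:03:40", "host": "ws-041", "type": "software_installed",
     "product": "PDQ Connect"},
    {"ts": "2024-01-10T09:20:05", "host": "ws-041", "type": "software_installed",
     "product": "ISL Online"},
    {"ts": "2024-01-10T10:00:00", "host": "it-007", "type": "software_installed",
     "product": "PDQ Connect"},
    {"ts": "2024-01-10T11:15:00", "host": "ws-052", "type": "software_installed",
     "product": "ISL Online"},
]

def flag_unapproved_rmm(events, approved, window=timedelta(minutes=30)):
    """Return findings for watched RMM installs that IT did not deploy.

    Severity is "high" when an archive was extracted on the same host
    within `window` before the install, otherwise "medium".
    """
    findings, last_archive = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "archive_extracted":
            last_archive[ev["host"]] = (when, ev["path"])
            continue
        if ev["type"] != "software_installed":
            continue
        name = ev["product"].lower()
        hit = next((k for k in WATCHED_RMM if k in name), None)
        if hit is None or (ev["host"], hit) in approved:
            continue
        prior = last_archive.get(ev["host"])
        chained = prior is not None and when - prior[0] <= window
        findings.append({"host": ev["host"], "product": ev["product"],
                         "severity": "high" if chained else "medium",
                         "archive": prior[1] if chained else None})
    return findings

if __name__ == "__main__":
    for finding in flag_unapproved_rmm(EVENTS, APPROVED):
        print(finding)
```

The IT-deployed install on `it-007` is suppressed by the allowlist, while the two installs on `ws-041` that follow an archive extraction are raised as high severity.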
