{
	"id": "83ce698d-a65a-4648-be69-b47c2e56c443",
	"created_at": "2026-04-06T00:15:29.630523Z",
	"updated_at": "2026-04-10T13:12:50.805508Z",
	"deleted_at": null,
	"sha1_hash": "a157319000df48d7518360cce4bde5cf731164d1",
	"title": "Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 740024,
	"plain_text": "Iranian Cyber Actors Impersonate Model Agency in Suspected\r\nEspionage Operation\r\nBy Unit 42\r\nPublished: 2025-05-07 · Archived: 2026-04-05 18:39:42 UTC\r\nExecutive Summary\r\nUnit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This\r\ninfrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content.\r\nVisitors unknowingly triggered obfuscated JavaScript designed to capture detailed visitor information, such as:\r\nBrowser languages\r\nScreen resolutions\r\nIP addresses\r\nBrowser fingerprints\r\nAttackers likely collected these data points to enable selective targeting.\r\nThe website replaces a real model's profile with a fake one, including a currently inactive link to a private album.\r\nThis suggests preparation for targeted social engineering attacks, likely using the fake profile as a lure. We have\r\nnot yet observed direct victim interaction, though it is possible victims would arrive at the fake website through\r\nspear phishing.\r\nThe operation's complexity, methods and targeting lead us to believe with high confidence that these are the\r\nactions of an Iranian threat group. With lower confidence, we suspect a group overlapping with Agent Serpens,\r\nalso known as APT35 or Charming Kitten, is behind this campaign. 
This group is known for conducting espionage campaigns against Iranian dissidents, journalists and activists, particularly those living abroad.\r\nIn this article, we will cover details of the fake website’s functionality, including the obfuscated data collection routines and the fictitious profile likely used for social engineering.\r\nIndividuals and organizations, particularly those involved with Iranian activist communities, should remain vigilant for similar operations and treat unsolicited contacts cautiously before engaging.\r\nPalo Alto Networks customers are better protected through the following products and services:\r\nAdvanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.\r\nAdvanced Threat Prevention has built-in machine learning-based detection that can detect exploits in real time.\r\nhttps://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/\r\nPage 1 of 5\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.\r\nTechnical Analysis of the Fake Mega Model Agency Site\r\nWhile monitoring infrastructure we assess is likely tied to Iranian cyber actors, we discovered the domain megamodelstudio[.]com. This domain was registered on Feb. 18, 2025, and has resolved to 64.72.205[.]32 since March 1, 2025. This domain hosts a website impersonating the Hamburg-based Mega Model Agency, as illustrated in Figure 1.\r\nFigure 1. Fake Mega Model Agency website.\r\nThis actor-created website closely replicates the actual website's branding, layout and content. However, the clone includes an obfuscated script designed to harvest detailed visitor information and potentially lure specific targets to a fictitious model’s profile.\r\nThis fake website exhibits the hallmarks of social engineering attacks performed by known Iranian advanced persistent threat (APT) groups. 
Most notably, it appears to link to Agent Serpens, a threat actor that the security community has widely reported to perform espionage campaigns against individuals and organizations critical of the Iranian regime, including in Germany.\r\nUpon visiting any page of the fake website, obfuscated JavaScript code runs in the victim’s browser. The likely goal of the code is to enable selective targeting by collecting enough device- and network-specific details about each visitor to decide whether that visitor is worth pursuing.\r\nThe script performs the following tasks:\r\nEnumerating browser languages and plugins, retrieving the screen resolution and collecting timestamps to establish a visitor’s locale and environment\r\nRevealing the user’s local and public IP addresses through WebRTC-based IP address leaking (most current browsers mask local addresses behind mDNS candidates by default, so the public address obtained from server-reflexive candidates is the more reliable yield)\r\nLeveraging canvas fingerprinting and hashing the result with SHA-256 to produce a device-specific hash\r\nCanvas fingerprinting is a technique that uses the HTML5 canvas element to render text and shapes whose pixel output varies with the device’s GPU, drivers, fonts and browser build, yielding a stable fingerprint for that combination\r\nStructuring the collected data (e.g., language, screen size, canvas hash) as JSON and delivering it to the endpoint /ads/track via a POST request\r\nThis endpoint name suggests an attempt to disguise the collection as benign advertising traffic, when what the server is actually doing is storing and processing fingerprints of potential targets\r\nIn addition to its data collection routines, the fake website contains functionality designed to dynamically alter on-page references to a specific model and replace them with details and images of a model named “Shir Benzion.” We assess that this replacement profile is likely fictitious and part of a social engineering tactic.\r\nAttackers also inject a link to a private album into the profile for this fictitious model, though it appears to be non-functional at the time of writing. 
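Because the collection script is obfuscated, a defender who captures a copy of the page (from a proxy cache, a sandbox or a browser’s developer tools) needs a way to confirm it does what is described above. The following Python is an added example, not Unit 42’s tooling or the actor’s code: it lightly de-obfuscates JavaScript (hex escapes, split string literals, bracket property access), then scores the script against the four behaviours listed above and the /ads/track endpoint. The browser API names used as indicators, the two constructed JavaScript samples and the scoring thresholds are assumptions for illustration; the article names the techniques, not the exact calls.

```python
import re

# The text field of this page cannot carry a literal backslash or double quote,
# so those characters are built at runtime wherever a pattern needs them.
BS = chr(92)   # backslash
DQ = chr(34)   # double quote
SQ = chr(39)   # single quote
QUOTES = '[' + DQ + SQ + '`]'   # any JS string delimiter, including template literals

# Capability groups mirroring the behaviours the article attributes to the script.
# Indicator names are the standard browser APIs that implement each behaviour;
# that the real script used exactly these calls is an assumption, since the
# article names only the techniques.
CAPABILITIES = {
    'locale_enum': ['navigator.language', 'navigator.plugins', 'screen.width',
                    'screen.height', 'Date.now(', 'getTimezoneOffset('],
    'webrtc_leak': ['RTCPeerConnection', 'createDataChannel(', 'onicecandidate',
                    'createOffer('],
    'canvas_fp':   ['getContext(', 'fillText(', 'toDataURL(',
                    'crypto.subtle.digest(', 'SHA-256'],
    'json_exfil':  ['JSON.stringify(', 'fetch(', 'XMLHttpRequest', 'POST'],
}
MIN_HITS = 2                 # indicators needed before a capability counts as present
EXFIL_PATH = '/ads/track'    # collection endpoint reported in the article

# Light de-obfuscation covering three common tricks: hex escapes in string
# literals, string literals split with +, and bracket access with a string key.
_HEX_ESC  = re.compile(BS + BS + 'x([0-9a-fA-F]{2})')
_STR_JOIN = re.compile(QUOTES + BS + 's*' + BS + '+' + BS + 's*' + QUOTES)
_BRACKET  = re.compile(BS + '[' + QUOTES + '([A-Za-z0-9_$-]+)' + QUOTES + BS + ']')


def normalize_js(src):
    src = _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), src)
    src = _STR_JOIN.sub('', src)                         # `RTC` + `Peer` -> `RTCPeer`
    src = _BRACKET.sub(lambda m: '.' + m.group(1), src)  # window[`x`] -> window.x
    return src


def analyze_script(src):
    js = normalize_js(src)
    hits = {cap: [ind for ind in inds if ind in js]
            for cap, inds in CAPABILITIES.items()}
    present = [cap for cap, found in hits.items() if len(found) >= MIN_HITS]
    exfil = EXFIL_PATH in js
    return {
        'capabilities': present,
        'indicators': hits,
        'exfil_path': exfil,
        # Heuristic verdict (assumption): three of the four behaviours together,
        # or canvas fingerprinting plus the reported endpoint, is a profiling script.
        'profiling_script': len(present) >= 3 or (exfil and 'canvas_fp' in present),
    }


# Constructed sample (not the actor's script) exercising the described behaviours,
# with string splitting and bracket access as mild obfuscation. Abbreviated: hex()
# is left undefined because only the text is analysed, never executed.
SAMPLE_JS = '''
var ips = [];
var pc = new window[`RTC` + `PeerConnection`]({ iceServers: [] });
pc.createDataChannel(``);
pc.onicecandidate = function (e) { if (e.candidate) ips.push(e.candidate.candidate); };
pc.createOffer().then(function (o) { pc.setLocalDescription(o); });
var c = document.createElement(`canvas`), ctx = c.getContext(`2d`);
ctx.fillText(`mega`, 2, 2);
var png = c.toDataURL();
crypto.subtle.digest(`SHA-` + `256`, new TextEncoder().encode(png)).then(function (h) {
  var d = { lang: navigator[`lang` + `uage`], sw: screen.width, sh: screen.height,
            t: Date.now(), canvas: hex(h), ips: ips };
  fetch(`/ads/` + `track`, { method: `POST`, body: JSON.stringify(d) });
});
'''

# Constructed benign analytics snippet for comparison: one POST, no fingerprinting.
BENIGN_JS = '''
document.addEventListener(`DOMContentLoaded`, function () {
  var view = { page: location.pathname, t: Date.now() };
  fetch(`/api/pageview`, { method: `POST`, body: JSON.stringify(view) });
});
'''

if __name__ == '__main__':
    import json
    for name, src in (('sample', SAMPLE_JS), ('benign', BENIGN_JS)):
        print(name, json.dumps(analyze_script(src), indent=2))
```

Run it as a script to print the verdict for both samples, or import analyze_script() and feed it JavaScript pulled from a captured page. Static matching only sees what survives the normalization step, so for heavily packed scripts, run the page in an instrumented browser and apply the same indicator list to the observed API calls and the outbound POST instead.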
We assess that this private album link is likely a placeholder intended for targeted social engineering attacks, potentially serving as a mechanism for harvesting credentials or delivering malware payloads. We illustrate these observations in Figures 2 and 3.\r\nFigure 2. Top: Legitimate Mega Model Agency women’s page. Bottom: Fake page with the profile of a real model replaced by the fictitious “Shir Benzion” profile.\r\nFigure 3. Fictitious “Shir Benzion” profile with private album lure.\r\nThe fake website’s current functionality, combined with the potential for further malicious development, indicates that this campaign is both an ongoing and evolving threat.\r\nConclusion\r\nThis operation, involving detailed visitor profiling and sophisticated impersonation tactics, demonstrates a continued escalation in suspected Iranian cyberespionage activity. Such activities present significant risks to various organizations and individuals, such as those advocating for or supporting Iranian dissidents.\r\nIndividuals and organizations should treat unsolicited contacts offering seemingly appealing opportunities cautiously. 
People should independently verify the legitimacy of contacts, websites and offers before engaging or sharing sensitive information.\r\nPalo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:\r\nAdvanced URL Filtering and Advanced DNS Security subscriptions for the Next-Generation Firewall identify known domains and URLs associated with this activity as malicious.\r\nAdvanced Threat Prevention has built-in machine learning-based detection that can detect exploits in real time.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nDomain: megamodelstudio[.]com\r\nDescription: The domain pointing to the website impersonating Mega Model Agency\r\nIP address: 64.72.205[.]32\r\nDescription: The IP address of the server hosting the fake Mega Model Agency website\r\nURL: hxxps://www.megamodelstudio[.]com/model\r\nDescription: The URL for the main page of the fake Mega Model Agency website\r\nURL: hxxps://www.megamodelstudio[.]com/women\r\nDescription: The URL for the women’s page of the fake Mega Model Agency website\r\nURL: hxxps://www.megamodelstudio[.]com/women/Shir-Benzion\r\nDescription: The URL for the fictitious “Shir Benzion” profile\r\nSource: https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/"
	],
	"report_names": [
		"iranian-attackers-impersonate-model-agency"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a157319000df48d7518360cce4bde5cf731164d1.pdf",
		"text": "https://archive.orkl.eu/a157319000df48d7518360cce4bde5cf731164d1.txt",
		"img": "https://archive.orkl.eu/a157319000df48d7518360cce4bde5cf731164d1.jpg"
	}
}