Unit 42 uncovered a fake German model agency website, operated by an Iranian threat actor, that collects detailed visitor data for targeted espionage and social engineering. The site impersonates the real agency and uses obfuscated JavaScript and a fabricated model profile to profile and lure visitors. (Affected: activists, journalists, Iranian dissidents, cybersecurity sector)
Keypoints :
- An Iranian cyberespionage group created a fraudulent website impersonating a German model agency.
- The fake site uses obfuscated JavaScript to collect browser languages, screen resolutions, IP addresses, and canvas fingerprints.
- Collected data helps attackers selectively target potential victims through detailed profiling.
- A real model’s profile is replaced by a fictitious one named “Shir Benzion” as part of a social engineering tactic.
- The fake profile contains a currently inactive link to a private album, likely a setup for further attacks.
- The website is linked to the Iranian APT threat group Agent Serpens (APT35/Charming Kitten), known for espionage against dissidents abroad.
- Visitors to the site may be directed via spear phishing campaigns, posing risks especially to Iranian activists, journalists, and their supporters.
- The malicious scripts send collected data disguised as advertising traffic to the attacker’s backend.
- The domain megamodelstudio[.]com and its hosting IP 64.72.205[.]32 are identified as key infrastructure.
- Organizations and individuals should exercise caution with unsolicited contacts and verify legitimacy before engagement.
MITRE Techniques :
- Phishing (T1566) – Victims are likely directed to the fake website through spear phishing that initiates the social engineering chain.
- User Execution (T1204) – Obfuscated JavaScript runs in the victim's browser on page load to collect information; the only user action required is visiting the page.
- Gather Victim Network Information: IP Addresses (T1590.005) – The script collects local and public IP addresses via WebRTC ICE candidate leaks.
- Gather Victim Host Information (T1592) – Canvas fingerprinting, combined with browser language and screen resolution, produces a per-device hash used to identify and track visitors.
- Exfiltration Over C2 Channel (T1041) – Collected fields are serialized as JSON and POSTed to the attacker-controlled endpoint (/ads/track).
- Masquerading (T1036) – The fake site closely mimics the legitimate agency's branding and layout to deceive visitors. Strictly, T1036 covers disguising artifacts on a host; the web-level deception is better captured by Impersonation (T1656) below.
- Impersonation (T1656) – The fictitious profile "Shir Benzion" substitutes for a real model profile to lure targets.
- Application Layer Protocol: Web Protocols (T1071.001) – Exfiltration is blended into what looks like advertising traffic using HTTPS POST requests.
- Phishing for Information (T1598) – The profile and its private album link act as lures; the currently inactive album link is likely staged for later credential theft or malware delivery.
Indicators of Compromise :
- The article identifies domain megamodelstudio[.]com hosting the fake agency website as a key IOC.
- IP address 64.72.205[.]32 is linked to the fraudulent infrastructure.
- URLs such as hxxps://www.megamodelstudio[.]com/women/Shir-Benzion are indicators associated with the fictitious profile used for social engineering.
- The presence of obfuscated JavaScript collecting browser fingerprints and IP addresses can be monitored as behavioral IOCs.
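The keypoints, MITRE mapping and IOC list above describe two things a defender can check for: the fingerprinting behaviour inside a page's JavaScript (canvas hash, WebRTC IP leak, language and screen probes, JSON POST to /ads/track) and the resulting web traffic to the named infrastructure. The following is an added example, not Unit 42's code and not the actual script from megamodelstudio[.]com: the sample scripts and proxy log lines are constructed for illustration, the regexes and weights are this example's own heuristics, and the domain/IP/path constants are taken from the IOC list (re-fanged so they can be matched).

```python
"""Heuristic triage of page JavaScript and web-proxy logs for the visitor-profiling
behaviour summarized above. Added example with constructed inputs; not Unit 42 code."""
import re
from urllib.parse import urlparse

# Constructed, de-obfuscated stand-in for the kind of script the summary describes.
# It is NOT the real script; it only reproduces the described behaviours.
SAMPLE_JS = r"""
(function(){
  var c=document.createElement('canvas');var x=c.getContext('2d');
  x.textBaseline='top';x.font="14px 'Arial'";x.fillText('fp',2,15);
  var canvasHash=c.toDataURL();
  var d={lang:navigator.language,langs:navigator.languages,
         scr:screen.width+'x'+screen.height,cv:canvasHash,ips:[]};
  var pc=new RTCPeerConnection({iceServers:[{urls:'stun:stun.example.org:3478'}]});
  pc.createDataChannel('');pc.onicecandidate=function(e){if(e.candidate){d.ips.push(e.candidate.candidate);}};
  pc.createOffer().then(function(o){return pc.setLocalDescription(o);});
  setTimeout(function(){
    fetch('/ads/track',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify(d)});
  },1500);
})();
"""

# Constructed benign script: draws a chart on a canvas and saves JSON. Used to show
# that a canvas call or a JSON POST alone does not trigger the verdict.
BENIGN_JS = r"""
var c=document.getElementById('chart');var x=c.getContext('2d');
x.fillStyle='#09f';x.fillRect(10,10,120,40);
fetch('/api/chart/save',{method:'POST',body:JSON.stringify({w:c.width})});
"""

# indicator name -> (regex, ATT&CK technique, weight). Weights are an assumption of
# this example, not a published scoring scheme.
INDICATORS = {
    "canvas_fingerprint": (r"getContext\(\s*['\"]2d['\"]\s*\)[\s\S]{0,400}?toDataURL\(", "T1592", 3),
    "webrtc_ip_leak":     (r"RTCPeerConnection[\s\S]{0,400}?onicecandidate", "T1590.005", 3),
    "language_probe":     (r"navigator\.languages?\b", "T1592", 1),
    "screen_probe":       (r"\bscreen\.(width|height|colorDepth)\b", "T1592", 1),
    "json_post":          (r"(fetch|XMLHttpRequest|sendBeacon)[\s\S]{0,300}?JSON\.stringify", "T1041", 2),
    "ads_track_endpoint": (r"['\"]/ads/track['\"]", "T1071.001", 2),
}
COLLECTION = {"canvas_fingerprint", "webrtc_ip_leak"}
EXFIL = {"json_post", "ads_track_endpoint"}


def scan_script(js: str) -> dict:
    """Return matched indicators, a weighted score, and a verdict.
    The verdict requires both a device/network collection primitive and an exfil path,
    so a lone canvas chart or a lone JSON POST is not flagged."""
    hits = {name: tech for name, (pat, tech, _w) in INDICATORS.items() if re.search(pat, js)}
    score = sum(INDICATORS[n][2] for n in hits)
    names = set(hits)
    if names & COLLECTION and names & EXFIL:
        verdict = "fingerprint-and-exfil"
    elif names & COLLECTION:
        verdict = "fingerprinting-only"
    else:
        verdict = "benign-or-unknown"
    return {"hits": hits, "score": score, "verdict": verdict}


# IOCs from the summary above, re-fanged for matching.
IOC_DOMAINS = {"megamodelstudio.com"}
IOC_IPS = {"64.72.205.32"}
TRACK_PATH = re.compile(r"^/ads/track(\?|$)")

# Constructed proxy log: "<ts> <client> <method> <url> <status> <bytes>".
PROXY_LOG = """\
2024-05-01T10:01:02Z 10.0.0.5 POST https://www.megamodelstudio.com/ads/track 200 1843
2024-05-01T10:01:03Z 10.0.0.5 GET https://www.megamodelstudio.com/women/Shir-Benzion 200 51200
2024-05-01T10:02:10Z 10.0.0.7 POST https://cdn.example.net/ads/track 204 512
2024-05-01T10:03:44Z 10.0.0.9 GET https://intranet.example.com/ 200 2048
"""


def host_matches_ioc(host: str) -> bool:
    """Exact or subdomain match against IOC domains, or exact match against IOC IPs."""
    if host in IOC_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def flag_proxy_lines(log: str) -> list:
    """Flag requests to the IOC infrastructure (strong) and POSTs to /ads/track (weak:
    the path alone is generic and will also hit legitimate ad networks, so treat it as
    a pivot for review rather than a conviction)."""
    flagged = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, src, method, url, _status, _size = line.split()
        u = urlparse(url)
        reasons = []
        if u.hostname and host_matches_ioc(u.hostname):
            reasons.append("ioc-domain")
        if method == "POST" and TRACK_PATH.match(u.path):
            reasons.append("ads-track-post")
        if reasons:
            flagged.append({"src": src, "url": url, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    print(scan_script(SAMPLE_JS))
    print(scan_script(BENIGN_JS))
    for hit in flag_proxy_lines(PROXY_LOG):
        print(hit)
```

In practice the script scanner runs over de-obfuscated JavaScript (obfuscation will defeat literal matching on `toDataURL` or `/ads/track`, so deobfuscate or instrument a browser first), and the proxy check is most reliable on the domain/IP match; the `/ads/track` path match is a hunting pivot, not an indicator on its own.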
Read more: https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/