Iranian Hackers Impersonate as Model Agency to Attack Victims

The post Iranian Hackers Impersonate as Model Agency to Attack Victims appeared first on Cyber Security News.

May 8, 2025 - 13:12

In a sophisticated cyber espionage campaign, Iranian threat actors have deployed a fraudulent website impersonating a legitimate German modeling agency to gather intelligence and potentially target specific individuals.

The operation, discovered in early May 2025, features advanced visitor profiling techniques designed to selectively identify and compromise targets of interest, particularly those connected to Iranian dissident communities.

The threat actors meticulously cloned the Hamburg-based Mega Model Agency’s website, replicating its branding, layout, and content to create a convincing facade.

However, this fraudulent mirror harbors obfuscated JavaScript code that activates upon visitor access, collecting detailed information about potential targets including browser configurations, screen resolutions, IP addresses, and unique browser fingerprints.

Palo Alto Networks researchers identified that this operation likely stems from an Iranian state-sponsored threat group with connections to Agent Serpens, also known as APT35 or Charming Kitten.

This group has a documented history of targeting Iranian dissidents, journalists, and activists living abroad, particularly in Germany.

Fake Mega Model Agency Site

The campaign demonstrates a concerning evolution in social engineering tactics, with the threat actors creating an entirely fictitious model profile named “Shir Benzion” within the fake website.

Top – Legitimate Mega Model Agency women’s page. Bottom – Fake page with profile of a real model replaced by the fictitious ‘Shir Benzion’ profile (Source – Palo Alto Networks)

This profile replaces a legitimate model’s information and includes a currently inactive link to a “private album,” suggesting preparations for targeted phishing or malware delivery.

The technical sophistication of this operation lies in the carefully obfuscated JavaScript deployed on the fake website.

Upon analysis, researchers determined that the script performs multiple data collection functions simultaneously. It enumerates browser languages and plugins while retrieving screen resolution data to establish the visitor’s computing environment.

More invasively, the code leverages WebRTC functionality to reveal both local and public IP addresses, creating a comprehensive visitor profile.

The script then implements canvas fingerprinting techniques, generating SHA-256 hashes to uniquely identify devices.

// Simplified representation of the obfuscated fingerprinting technique
function createCanvasFingerprint() {
  const canvas = document.createElement('canvas');
  const ctx = canvas.getContext('2d');
  // Draw various elements to create unique canvas data
  ctx.textBaseline = "top";
  ctx.font = "14px 'Arial'";
  ctx.fillText("Fingerprint", 2, 2);
  // sha256() stands for a SHA-256 hashing helper that this simplified snippet does not define
  return sha256(canvas.toDataURL());
}

The collected data is structured as JSON and transmitted to an endpoint disguised as advertising analytics (/ads/track), demonstrating the attackers’ effort to conceal their surveillance activity within seemingly legitimate web traffic.

This approach reflects a calculated strategy to evade detection while gathering actionable intelligence for subsequent targeted attacks.
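
For defenders triaging a suspected clone site, the behaviours described above are more telling in combination than individually, since canvas export or a POST request on its own is common in benign pages. The following is an added example, not code from the article or from Palo Alto Networks, that scores script source for that combination. The rule list, the threshold and both sample snippets are assumptions constructed for illustration, and the check expects source that has already been deobfuscated.

```javascript
// Added example: static triage of deobfuscated page JavaScript for the
// profiling behaviours the article describes. Rule names and the
// threshold are assumptions chosen for illustration.
const RULES = [
  { id: 'languages', re: /navigator\s*\.\s*languages?\b/ },
  { id: 'plugins',   re: /navigator\s*\.\s*plugins\b/ },
  { id: 'screen',    re: /screen\s*\.\s*(?:width|height|availWidth|availHeight)\b/ },
  { id: 'webrtc-ip', re: /\b(?:webkit|moz)?RTCPeerConnection\b/ },
  { id: 'canvas',    re: /\.toDataURL\s*\(|\.getImageData\s*\(/ },
  { id: 'sha256',    re: /sha-?256/i },
  { id: 'exfil',     re: /\bfetch\s*\(|XMLHttpRequest|sendBeacon\s*\(/ },
];
// Reporting path named in the article.
const REPORTED_ENDPOINT = '/ads/track';

function triageScript(source) {
  const hits = RULES.filter(r => r.re.test(source)).map(r => r.id);
  // Collection sources only; hashing and sending are counted separately.
  const collects = hits.filter(h => h !== 'exfil' && h !== 'sha256');
  // Flag the combination: three or more collection sources, WebRTC or
  // canvas among them, and an outbound request in the same script.
  const suspicious = hits.includes('exfil') && collects.length >= 3 &&
    (hits.includes('webrtc-ip') || hits.includes('canvas'));
  const knownEndpoint = source.includes(REPORTED_ENDPOINT);
  return { hits, suspicious, knownEndpoint };
}

// Constructed sample: fragments resembling the described profiler.
const SAMPLE_PROFILER = `
  var d = { l: navigator.languages, p: navigator.plugins.length,
            s: screen.width + "x" + screen.height };
  var pc = new RTCPeerConnection({ iceServers: [] });
  d.c = sha256(canvas.toDataURL());
  fetch("/ads/track", { method: "POST", body: JSON.stringify(d) });
`;
// Constructed sample: benign chart export that must not be flagged.
const SAMPLE_BENIGN = `
  var c = document.getElementById("chart");
  img.src = c.toDataURL();
  fetch("/api/save", { method: "POST" });
`;

console.log(triageScript(SAMPLE_PROFILER));
console.log(triageScript(SAMPLE_BENIGN));
```

Because the script on the fake site was obfuscated, plain pattern matching on the served file would miss it; run the check on beautified or deobfuscated output.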
