Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation unit42.paloaltonetworks.com/iranian-a…

Unit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content. Visitors unknowingly triggered obfuscated JavaScript designed to capture detailed visitor information, such as browser languages, screen resolutions, IP addresses and browser fingerprints. Attackers likely collected these data points to enable selective targeting.

The website replaces a real model’s profile with a fake one, including a currently inactive link to a private album. This suggests preparation for targeted social engineering attacks, likely using the fake profile as a lure. We have not yet observed direct victim interaction, though it is possible victims would arrive at the fake website through spear phishing.

The operation’s complexity, methods and targeting lead us to believe with high confidence that these are the actions of an Iranian threat group. With lower confidence, we suspect a group overlapping with Agent Serpens, also known as APT35 or Charming Kitten, is behind this campaign. This group is known for conducting espionage campaigns against Iranian dissidents, journalists and activists, particularly those living abroad.
