Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation

unit42.paloaltonetworks.com · Unit 42 · 11 months ago · news
By: Unit 42
Published: May 7, 2025
Categories: Malware, Threat Research
Tags: Agent Serpens, Germany, Iran, Phishing, Social engineering

Executive Summary

Unit 42 recently identified suspected covert Iranian infrastructure impersonating a German model agency. This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content. Visitors unknowingly triggered obfuscated JavaScript designed to capture detailed visitor information, such as:

- Browser languages
- Screen resolutions
- IP addresses
- Browser fingerprints

Attackers likely collected these data points to enable selective targeting. The website replaces a real model's profile with a fake one, including a currently inactive link to a private album. This suggests preparation for targeted social engineering attacks, likely using the fake profile as a lure. We have not yet observed direct victim interaction, though it is possible victims would arrive at the fake website through spear phishing.

The operation's complexity, methods and targeting lead us to believe with high confidence that these are the actions of an Iranian threat group. With lower confidence, we suspect a group overlapping with Agent Serpens, also known as APT35 or Charming Kitten, is behind this campaign. This group is known for conducting espionage campaigns against Iranian dissidents, journalists and activists, particularly those living abroad.
In this article, we will cover details of the fake website’s functionality, including the obfuscated data collection routines and the fictitious profile likely used for social engineering. Individuals and organizations, particularly those involved with Iranian activist communities, should remain vigilant for similar operations and treat unsolicited contacts cautiously before engaging.

Palo Alto Networks customers are better protected through the following products and services:

- Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
- Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Technical Analysis of the Fake Mega Model Agency Site

While monitoring infrastructure we assess is likely tied to Iranian cyber actors, we discovered the domain megamodelstudio[.]com. This domain was registered on Feb. 18, 2025, and has resolved to 64.72.205[.]32 since March 1, 2025. This domain hosts a website impersonating the Hamburg-based Mega Model Agency, as illustrated in Figure 1.

Figure 1. Fake Mega Model Agency website.

This actor-created website closely replicates the actual website's branding, layout and content. However, the clone includes an obfuscated script designed to harvest detailed visitor information and potentially lure specific targets to a fictitious model’s profile. This fake website exhibits the hallmarks of social engineering attacks performed by known Iranian advanced persistent threat groups (APTs). Most notably, it appears to link to Agent Serpens, a threat actor that the security community has widely reported to perform espionage campaigns against individuals and organizations critical of the Iranian regime, including in Germany [PDF].
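The article does not reproduce the harvesting script itself, only its behaviour (detailed in the task list that follows). As an added defender-side example, not code from the article or from Unit 42, the Python triage heuristic below scores a page script for the collection primitives attributed to the fake site: WebRTC IP leaking, canvas fingerprinting, SHA-256 hashing, locale and screen enumeration, and a JSON POST to an ad-looking endpoint such as /ads/track. It first decodes hex and unicode string escapes, a common obfuscation step, and flags a script only when collection primitives are paired with an exfiltration channel. Both sample scripts are constructed for the example; the indicator names and thresholds are assumptions.

```python
import re

# Indicator patterns for the collection primitives attributed to the fake
# site's script: WebRTC IP leaking, canvas fingerprinting, SHA-256 hashing,
# locale/screen enumeration and a POST to an ad-looking endpoint.
INDICATORS = {
    "webrtc_ip_leak": r"RTCPeerConnection|onicecandidate|createDataChannel",
    "canvas_fingerprint": r"getContext\(\s*[\"']2d[\"']\s*\)|toDataURL|getImageData",
    "sha256_hash": r"SHA-256|crypto\.subtle\.digest|sha256",
    "locale_enumeration": r"navigator\.(languages?|plugins)|screen\.(width|height)|getTimezoneOffset",
    "ad_like_exfil": r"/ads/track|fetch\([^)]*track|XMLHttpRequest",
}

# \xNN and \uNNNN escapes inside string literals hide API names and paths
# from naive grep-style review; decode them before matching.
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")

def deobfuscate_strings(js: str) -> str:
    """Decode hex/unicode escapes so escaped strings match the indicators."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), js)

def fingerprint_indicators(js: str) -> list:
    """Return the name of every indicator family present in the script."""
    text = deobfuscate_strings(js)
    return [name for name, pattern in INDICATORS.items() if re.search(pattern, text)]

def is_suspicious(js: str, min_hits: int = 3) -> bool:
    """Flag only when collection primitives are paired with an exfiltration
    channel; a lone canvas call (e.g. a chart library) is not enough."""
    hits = fingerprint_indicators(js)
    return "ad_like_exfil" in hits and len(hits) >= min_hits

# Constructed samples (not the actor's code): the first mimics the profile
# described in the analysis, with the element name and endpoint hex-escaped.
SUSPICIOUS_JS = r"""
var d={},pc=new RTCPeerConnection({iceServers:[]});pc.createDataChannel("");
pc.onicecandidate=function(e){if(e.candidate)d.ip=e.candidate.candidate;};
var c=document.createElement("\x63\x61\x6e\x76\x61\x73"),x=c.getContext("2d");
x.fillText("fp",2,2);d.lang=navigator.languages;d.scr=screen.width+"x"+screen.height;
crypto.subtle.digest("SHA-256",new TextEncoder().encode(c.toDataURL())).then(function(h){
d.canvas=Array.from(new Uint8Array(h)).map(function(b){return b.toString(16)}).join("");
fetch("\x2f\x61\x64\x73\x2f\x74\x72\x61\x63\x6b",{method:"POST",body:JSON.stringify(d)});});
"""
CHART_JS = 'var ctx=document.getElementById("chart").getContext("2d");ctx.fillRect(0,0,10,10);'

if __name__ == "__main__":
    for label, js in (("suspicious", SUSPICIOUS_JS), ("chart", CHART_JS)):
        print(label, fingerprint_indicators(js), is_suspicious(js))
```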
Upon visiting any page of the fake website, obfuscated JavaScript code runs in the victim’s browser. The likely goal of the code is to enable selective targeting by determining sufficient device- and network-specific details about visitors. The script performs the following tasks:

- Enumerating browser languages and plugins, retrieving the screen resolution and collecting timestamps to track a visitor’s locale and environment
- Revealing the user’s local and public IP addresses using WebRTC-based IP address leaking
- Leveraging canvas fingerprinting, using SHA-256 to produce a device-unique hash. Canvas fingerprinting is a technique that uses the HTML5 canvas element to identify unique characteristics of a user’s device and generate a corresponding fingerprint
- Structuring the collected data (e.g., language, screen size, canvas hash) as JSON and delivering it to the endpoint /ads/track via a POST request. This naming convention suggests an attempt to disguise the collection as benign advertising traffic rather than as the storing and processing of potential target fingerprints

In addition to its data collection routines, the fake website contains functionality designed to dynamically alter on-page references to a specific model and replace them with details and images of a model named “Shir Benzion.” We assess that this replacement profile is likely fictitious and part of a social engineering tactic. Attackers also inject a link to a private album into the profile for this fictitious model, though it appears to be non-functional at the time of writing. We assess that this is likely a placeholder intended for targeted social engineering attacks, potentially serving as a mechanism for harvesting credentials or delivering malware payloads. We illustrate these observations in Figures 2 and 3.

Figure 2. Top: Legitimate Mega Model Agency women’s page. Bottom: Fake page with profile of a real model replaced by the fictitious “Shir Benzion” profile.

Figure 3.
Fictitious “Shir Benzion” profile with private album lure.

The fake website’s current functionality, combined with the potential for further malicious development, indicates that this campaign is both an ongoing and evolving threat.

Conclusion

This operation, involving detailed visitor profiling and sophisticated impersonation tactics, demonstrates a continued escalation in suspected Iranian cyberespionage activity. Such activities present significant risks to various organizations and individuals, such as those advocating for or supporting Iranian dissidents.

Individuals and organizations should treat unsolicited contacts offering seemingly appealing opportunities cautiously. People should independently verify the legitimacy of contacts, websites and offers before engaging or sharing sensitive information.

Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:

- Advanced URL Filtering and Advanced DNS Security subscriptions for the Next-Generation Firewall identify known domains and URLs associated with this activity as malicious.
- Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

- North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
- UK: +44.20.3743.3660
- Europe and Middle East: +31.20.299.3130
- Asia: +65.6983.8730
- Japan: +81.50.1790.0200
- Australia: +61.2.4062.7950
- India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Indicators of Compromise

Domain: megamodelstudio[.]com
Description: The domain pointing to the website impersonating Mega Model Agency

IP address: 64.72.205[.]32
Description: The IP address of the server hosting the fake Mega Model Agency website

URL: hxxps://www.megamodelstudio[.]com/model
Description: The URL for the main page of the fake Mega Model Agency website

URL: hxxps://www.megamodelstudio[.]com/women
Description: The URL for the women’s page of the fake Mega Model Agency website

URL: hxxps://www.megamodelstudio[.]com/women/Shir-Benzion
Description: The URL for the fictitious “Shir Benzion” profile

Additional Resources

[PDF] — Bundesamt für Verfassungsschutz (Federal Office for the Protection of the Constitution)

Updated 6 May, 2025 at 9:49 AM PDT