Date: 05/09/2025
Severity: Medium
Summary
A suspected Iranian cyber espionage operation was discovered impersonating a German modeling agency. The attackers created a fake website that replicated the real agency’s branding and used obfuscated JavaScript to secretly collect visitor data such as IP addresses, browser fingerprints, and screen resolutions. A fake model profile with a non-functional private album link suggests preparation for targeted social engineering. While no victim interaction has been confirmed, the site may be intended for spear-phishing campaigns. The activity is likely linked to an Iranian threat group, possibly APT35 (Charming Kitten), known for targeting Iranian dissidents, journalists, and activists abroad.
Indicators of Compromise (IOC) List
Type | Indicator
URL/Domain | megamodelstudio.com
URL/Domain | https://www.megamodelstudio.com/model
URL/Domain | https://www.megamodelstudio.com/women
URL/Domain | https://www.megamodelstudio.com/women/Shir-Benzion
IP Address | 64.72.205.32
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | domainname like "https://www.megamodelstudio.com/women" or siteurl like "https://www.megamodelstudio.com/women" or url like "https://www.megamodelstudio.com/women" or domainname like "https://www.megamodelstudio.com/model" or siteurl like "https://www.megamodelstudio.com/model" or url like "https://www.megamodelstudio.com/model" or domainname like "https://www.megamodelstudio.com/women/Shir-Benzion" or siteurl like "https://www.megamodelstudio.com/women/Shir-Benzion" or url like "https://www.megamodelstudio.com/women/Shir-Benzion" or domainname like "megamodelstudio.com" or siteurl like "megamodelstudio.com" or url like "megamodelstudio.com"
Detection Query 2 | dstipaddress IN ("64.72.205.32") or ipaddress IN ("64.72.205.32") or srcipaddress IN ("64.72.205.32")
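The two TDIR queries above match the IOCs as literal strings. For teams that need to sweep proxy or DNS logs outside Gurucul, the following added example (not part of the advisory and not Gurucul's code) does the same matching in Python against constructed JSON log lines: it extracts the hostname from each URL, matches the IOC domain exactly or as a parent of a subdomain (so a look-alike such as a constructed "notmegamodelstudio.com" does not trigger, which a bare substring `like` would), and checks source and destination addresses against the IOC IP. The log field names (`ts`, `src`, `dst`, `url`) are assumptions for the sample data.

```python
import json
from urllib.parse import urlsplit

# Indicators taken from the advisory's IOC list
IOC_DOMAINS = {"megamodelstudio.com"}
IOC_IPS = {"64.72.205.32"}

# Constructed sample log lines (not real telemetry); field names are assumed
SAMPLE_LOGS = [
    '{"ts":"2025-05-09T10:01:00Z","src":"10.0.0.5","dst":"64.72.205.32",'
    '"url":"https://www.megamodelstudio.com/women/Shir-Benzion"}',
    '{"ts":"2025-05-09T10:02:00Z","src":"10.0.0.7","dst":"93.184.216.34",'
    '"url":"https://example.com/"}',
    '{"ts":"2025-05-09T10:03:00Z","src":"10.0.0.9","dst":"198.51.100.10",'
    '"url":"http://MegaModelStudio.com/model"}',
    '{"ts":"2025-05-09T10:04:00Z","src":"10.0.0.11","dst":"203.0.113.5",'
    '"url":"https://notmegamodelstudio.com/"}',
]


def host_of(url):
    """Return the lowercase hostname from a URL or a bare domain, or None."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare domain as a netloc
    host = urlsplit(url).hostname
    return host.lower() if host else None


def domain_matches(host, ioc_domains):
    """True if host equals an IOC domain or is a subdomain of one.

    The leading dot in the suffix check keeps look-alike registrations
    such as notmegamodelstudio.com from matching.
    """
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan(log_lines, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return (timestamp, source, reasons) for every log line hitting an IOC."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the sweep
        reasons = []
        host = host_of(event.get("url", ""))
        if domain_matches(host, ioc_domains):
            reasons.append(f"domain:{host}")
        for field in ("src", "dst"):
            if event.get(field) in ioc_ips:
                reasons.append(f"ip:{event[field]}")
        if reasons:
            hits.append((event.get("ts"), event.get("src"), reasons))
    return hits


if __name__ == "__main__":
    for ts, src, reasons in scan(SAMPLE_LOGS):
        print(ts, src, ", ".join(reasons))
```

Run against the constructed sample, the scan flags the first line on both the domain and the IP and the third line on the domain alone; the look-alike domain on the fourth line is correctly ignored.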
Reference:
https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/