Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation

    Date: 05/09/2025

    Severity: Medium

    Summary

    A suspected Iranian cyber espionage operation was discovered impersonating a German modeling agency. The attackers created a fake website that replicated the real agency’s branding and used obfuscated JavaScript to secretly collect visitor data such as IP addresses, browser fingerprints, and screen resolutions. A fake model profile with a non-functional private album link suggests preparation for targeted social engineering. While no victim interaction has been confirmed, the site may be intended for spear-phishing campaigns. The activity is likely linked to an Iranian threat group, possibly APT35 (Charming Kitten), known for targeting Iranian dissidents, journalists, and activists abroad.

    Indicators of Compromise (IOC) List

    URL/Domain

    megamodelstudio.com

    https://www.megamodelstudio.com/model

    https://www.megamodelstudio.com/women

    https://www.megamodelstudio.com/women/Shir-Benzion

    IP Address

    64.72.205.32

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection 

    Detection Query 1

    domainname like "https://www.megamodelstudio.com/women" or siteurl like "https://www.megamodelstudio.com/women" or url like "https://www.megamodelstudio.com/women" or domainname like "https://www.megamodelstudio.com/model" or siteurl like "https://www.megamodelstudio.com/model" or url like "https://www.megamodelstudio.com/model" or domainname like "https://www.megamodelstudio.com/women/Shir-Benzion" or siteurl like "https://www.megamodelstudio.com/women/Shir-Benzion" or url like "https://www.megamodelstudio.com/women/Shir-Benzion" or domainname like "megamodelstudio.com" or siteurl like "megamodelstudio.com" or url like "megamodelstudio.com"

    Detection Query 2

    dstipaddress IN ("64.72.205.32") or ipaddress IN ("64.72.205.32") or srcipaddress IN ("64.72.205.32")
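
The same two checks applied offline to exported proxy or DNS records, as an added example that is not part of the original advisory or of Gurucul's product. It compares the parsed hostname instead of searching for a substring, so lookalike hosts and query-string mentions of the domain do not alert. The record layout (a dict per event, keyed by the field names used in the queries above), the `SAMPLE` records and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# IoCs copied from the advisory above.
IOC_DOMAIN = "megamodelstudio.com"
IOC_IP = ipaddress.ip_address("64.72.205.32")

# Field names mirror the advisory's queries; the dict-per-event layout is assumed.
HOST_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "srcipaddress")

def host_of(value):
    """Return the lowercase hostname of a URL or bare host, '' if unparseable."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit handle "host", "host:port", "host/path"
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()  # drop the trailing dot of an FQDN

def matches_ioc(record):
    """Return the reasons a record matches the IoCs; empty list if it does not."""
    hits = []
    for field in HOST_FIELDS:
        host = host_of(record.get(field, ""))
        # Exact domain or any subdomain of it, never a mere substring.
        if host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN):
            hits.append(f"{field}:{host}")
    for field in IP_FIELDS:
        try:
            if ipaddress.ip_address(record.get(field, "").strip()) == IOC_IP:
                hits.append(f"{field}:{IOC_IP}")
        except ValueError:
            continue  # empty or malformed address field
    return hits

def scan(records):
    """Return (index, reasons) for every matching record."""
    return [(i, h) for i, r in enumerate(records) if (h := matches_ioc(r))]

# Constructed sample events, not real telemetry.
SAMPLE = [
    {"url": "https://WWW.MegaModelStudio.com/women/Shir-Benzion", "srcipaddress": "10.0.0.5"},
    {"domainname": "megamodelstudio.com.", "dstipaddress": "64.72.205.32"},
    {"url": "https://notmegamodelstudio.com.example.org/", "dstipaddress": "192.0.2.10"},
    {"url": "https://example.org/?ref=megamodelstudio.com", "dstipaddress": "192.0.2.11"},
]
```

Calling `scan(SAMPLE)` flags the first two records and leaves the lookalike host and the query-string mention alone.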

    Reference:  

    https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/


    Tags

    Threat Actor, Social Engineering, APT, APT35, Charming Kitten, Iran, Cyber espionage
