Unit 42, the threat research team at Palo Alto Networks, has uncovered an Iranian cyberespionage campaign built around a fake website. The site was cloned from the real German modeling agency Mega Model Agency.
The fraudulent site concealed JavaScript that profiled its visitors, collecting language settings, screen resolution and other browser attributes and combining them into a browser fingerprint that can re-identify a visitor across visits even without cookies; the visitor's IP address is not readable by page script, but it is recorded by the server that receives the collected data. The JavaScript was obfuscated to hinder analysis and detection.
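To make the profiling concrete, here is an added example of a fingerprinting collector of the kind described above. It is illustrative code written for this article, not Unit 42's sample and not the script the attackers used. It reads the same classes of attributes (language, screen geometry, user agent, timezone) from an explicit environment object rather than directly from `window`, so it can be exercised outside a browser with constructed values; the `fnv1a32` hash, the `collectProfile` and `buildBeacon` function names and the beacon URL format are all assumptions made for the example.

```javascript
// Added example: browser-fingerprint collection and beaconing (hypothetical code,
// not from the page or from Unit 42). In a real page `env` would be `window`;
// here it is passed in so the logic can run against constructed input.

// 32-bit FNV-1a: a small, deterministic hash that turns the attribute bundle
// into a short identifier. Real fingerprinting scripts use similar digests.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Gather the attributes that together make a browser distinguishable.
// The key order is fixed so the JSON (and thus the hash) is stable.
function collectProfile(env) {
  const nav = env.navigator || {};
  const scr = env.screen || {};
  const profile = {
    language: nav.language || null,
    languages: Array.isArray(nav.languages) ? nav.languages.join(",") : null,
    userAgent: nav.userAgent || null,
    platform: nav.platform || null,
    screen: scr.width && scr.height
      ? `${scr.width}x${scr.height}x${scr.colorDepth || 0}`
      : null,
    timezone: typeof env.timezone === "string" ? env.timezone : null,
    cores: typeof nav.hardwareConcurrency === "number" ? nav.hardwareConcurrency : null,
  };
  return { profile, fingerprint: fnv1a32(JSON.stringify(profile)) };
}

// Build the exfiltration URL. Note that the IP address does not appear here:
// page script cannot read it, the collecting server sees it on the request.
function buildBeacon(env, endpoint) {
  const { profile, fingerprint } = collectProfile(env);
  const params = new URLSearchParams({
    fp: fingerprint,
    p: Buffer.from(JSON.stringify(profile), "utf8").toString("base64"),
  });
  return `${endpoint}?${params.toString()}`;
}

// Constructed sample environment standing in for a real browser.
const sampleEnv = {
  navigator: {
    language: "fa-IR",
    languages: ["fa-IR", "en-US"],
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0",
    platform: "Win32",
    hardwareConcurrency: 8,
  },
  screen: { width: 1920, height: 1080, colorDepth: 24 },
  timezone: "Asia/Tehran",
};

module.exports = { fnv1a32, collectProfile, buildBeacon, sampleEnv };
```

For defenders, the telltale signs are the same whatever the obfuscation: a script that reads many `navigator` and `screen` properties in one pass and then issues a request whose parameters change with the visitor's configuration. The beacon URL above is the kind of request that shows up in proxy logs as a long, high-entropy query string to a domain unrelated to the page's content.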
The attackers also added a bogus profile to the site for a model named Shir Benzion, with a link to a supposed “private album.” This was most likely a lure to get visitors to hand over personal information or download malicious code.
Unit 42 attributes the campaign to the Iranian threat actor Agent Serpens (also known as APT35 or Charming Kitten). This group conducts long-term, resource-intensive cyberespionage operations and is believed to act on behalf of the Islamic Revolutionary Guard Corps in Iran. The same actor has previously targeted Iranian dissidents, journalists and activists living in exile.
The operation reflects a continued rise in suspected Iranian cyberespionage that relies on detailed visitor profiling and carefully staged deception rather than on noisy exploitation. Such activity poses significant risk to organizations and individuals who advocate for or support the Iranian opposition.
Unit 42 advises treating unsolicited contacts that offer seemingly attractive opportunities with caution. Before responding or sharing sensitive information, verify the identity and authenticity of the contact, the website and the offer independently, for example by reaching the organization through an address you already know rather than through a link supplied in the approach.