Unit 42, the threat intelligence arm of Palo Alto Networks, has exposed a covert operation likely orchestrated by Iranian cyber actors.
The campaign involves a fraudulent website, megamodelstudio[.]com, meticulously designed to impersonate the Hamburg-based Mega Model Agency.
Cyberespionage Campaign Uncovered
Registered on February 18, 2025, and hosted at IP address 64.72.205[.]32 since March 1, 2025, this deceptive site replicates the legitimate agency’s branding and content to lure unsuspecting visitors.

Beyond mere imitation, the site embeds malicious JavaScript code aimed at harvesting detailed visitor data, signaling a sophisticated social engineering and espionage effort.
With high confidence, Unit 42 attributes this activity to an Iranian threat group, potentially overlapping with Agent Serpens (also known as APT35 or Charming Kitten), a group notorious for targeting Iranian dissidents, journalists, and activists abroad.
Technical Intricacies of the Attack Mechanism
On the technical side, the fake site runs obfuscated JavaScript as soon as a visitor arrives, collecting identifying information such as browser languages, screen resolution, the visitor’s IP addresses (obtained through WebRTC, whose ICE candidates expose client addresses to page scripts), and a device fingerprint derived from canvas rendering and hashed with SHA-256.
The collected data is serialized as JSON and sent by POST request to an endpoint named /ads/track, a path chosen so that the traffic resembles ordinary advertising telemetry and draws little attention.
Additionally, the site dynamically alters content to feature a fictitious model profile named “Shir Benzion,” replacing a real model’s details and embedding a currently inactive link to a private album.
This setup suggests preparation for targeted social engineering, potentially aiming to harvest credentials or deliver malware to specific victims.
While direct victim interaction has not yet been observed, the infrastructure hints at spear-phishing as a likely delivery mechanism, aligning with tactics historically associated with Agent Serpens.
The operation’s complexity underscores an evolving threat landscape, posing significant risks to individuals and organizations, particularly those connected to Iranian activist communities.
According to the report, Unit 42 advises heightened vigilance, urging users to independently verify unsolicited contacts or appealing offers before engaging or sharing sensitive information.
For Palo Alto Networks customers, protections are fortified through Advanced URL Filtering, Advanced DNS Security, and Advanced Threat Prevention, which employ machine learning to detect and block malicious domains and exploits in real time.
Those suspecting compromise are encouraged to contact the Unit 42 Incident Response team for immediate assistance.
This campaign exemplifies the persistent and escalating nature of Iranian cyberespionage, leveraging detailed visitor profiling and impersonation tactics to target vulnerable populations with precision.
Indicators of Compromise (IoC)
Indicator | Type | Description |
---|---|---|
megamodelstudio[.]com | Domain | Domain hosting the fake Mega Model Agency website |
64.72.205[.]32 | IP Address | Server IP hosting the fraudulent website |
hxxps://www.megamodelstudio[.]com/model | URL | Main page of the fake website |
hxxps://www.megamodelstudio[.]com/women | URL | Women’s page of the fake website |
hxxps://www.megamodelstudio[.]com/women/Shir-Benzion | URL | Fictitious “Shir Benzion” profile page |