Iranian APT Poses as German Modeling Agency in Sophisticated Cyber Espionage Plot

A Deep Dive into a Deceptive Campaign Targeting Dissidents and Activists Through Social Engineering

In an alarming revelation from Palo Alto Networks’ Unit 42, cybersecurity experts have exposed a cunning Iranian cyber-espionage campaign built around a fake modeling agency. This operation impersonates Germany’s renowned Mega Model Agency through a meticulously crafted website — megamodelstudio[.]com — and appears to be orchestrated by the Iranian-linked advanced persistent threat (APT) group known as Agent Serpens, also called APT35 or Charming Kitten.

Far from a typical phishing scam, this campaign represents a calculated move to gather intelligence on specific individuals, particularly those in the Iranian diaspora, including journalists, activists, and dissidents. Using a combination of cloned website aesthetics and advanced JavaScript tracking techniques, the attackers have created a highly persuasive trap for unsuspecting targets.

The website doesn’t just look real — it behaves like a honeypot, silently collecting vast amounts of data from visitors. The introduction of a fabricated model named “Shir Benzion” adds a personal touch to lure targets further into the operation. While the so-called private album linked on her profile doesn’t currently function, it may be a future component in a broader phishing and malware distribution strategy.

Security researchers are sounding the alarm, advising individuals to be extremely wary of unsolicited communications related to modeling or media opportunities. Meanwhile, cyber defense mechanisms and coordinated intelligence sharing are helping limit the damage and raise awareness across the security community.

Key Details from the Investigation (Digest)

Fake Domain Identified: The fraudulent website megamodelstudio[.]com was built to impersonate Germany’s real Mega Model Agency.
Tied to Iranian APT: The operation is attributed to Agent Serpens/APT35, a known Iranian cyber-espionage group.
Technical Setup: The website replicates legitimate branding and includes obfuscated JavaScript on every page.
Advanced Tracking: The embedded code gathers data such as device fingerprints, IP addresses, screen resolution, browser plugins, and more.
Data Exfiltration Method: All harvested data is structured in JSON and sent to the endpoint /ads/track using POST requests.
Blending with Normal Traffic: The use of POST for data exfiltration helps the attack blend into typical ad analytics activity.
Engineered Persona: A fake model profile named “Shir Benzion” appears on the site, complete with photos and a link to a non-functional “private album.”
Potential Malware Hook: Researchers suspect the album could later be used for malware delivery or further phishing.
Timing: The domain was registered and activated in early 2025.
Targeted Campaign: No known mass infections — the infrastructure is designed for high-value, selective targeting.
Likely Attack Vector: Initial contact is expected through spear-phishing emails directing users to the cloned site.
Strategic Intelligence Gathering: The detailed profiling suggests attackers will filter visitors to find VIP targets.
Political Agenda: The operation aligns with Iran’s digital targeting of opposition figures and critics.
Palo Alto Defense: Customers using Palo Alto Networks benefit from advanced protections including URL filtering and real-time exploit detection.
Industry Response: Unit 42 has shared IOCs with the Cyber Threat Alliance for collective cybersecurity measures.
Deceptive Visual Design: The cloned layout mirrors the legitimate Mega Model Agency with alarming accuracy.
Obfuscated Code Tactics: JavaScript is deliberately complex to avoid detection by automated scanners.
Victim Profile Types: Likely targets include journalists, activists, academics, and other politically exposed individuals.
Privacy Risks: Harvested data could be used to build detailed personal dossiers.
Reputation Exploitation: The attackers leverage the fame and legitimacy of a known brand to disarm suspicion.
No Malware Yet: No malware was found active on the fake site at the time of discovery — suggesting it’s a staging phase.
Social Engineering Role: The “model agency” approach taps into themes of glamour and opportunity to entice interaction.
Digital Fingerprinting: The site performs fingerprinting through HTML5 canvas and WebRTC-based IP leakage.
Resilience Through Cloaking: Use of ad-style data transmission improves stealth and avoids casual traffic monitoring.
Indicators Shared: Unit 42 disclosed the key IOCs, including domains and IPs, to help defenders stay ahead.
Call for Vigilance: Iranian dissidents are urged to independently verify all modeling or media-related outreach.
Link Spoofing Risks: Targets could be manipulated into clicking on links that resemble legitimate recruitment pages.
Attack Goals: Not direct sabotage but slow infiltration and data accumulation on political targets.
Public Awareness Critical: Knowledge of such tactics is a major deterrent to falling for them.
Security Community’s Role: Collective action through information sharing is vital to blocking similar threats.
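The digest above describes the campaign's collection mechanics (obfuscated JavaScript fingerprinting, JSON bodies POSTed to /ads/track, traffic shaped to resemble ad analytics) but gives no detection logic. The following is an added example, not code from Unit 42 or Palo Alto Networks, showing how a defender might score outbound web-proxy records for this pattern. It assumes a tab-separated proxy export (timestamp, client IP, method, URL, request body) and a hypothetical set of fingerprint field names; the report names the data categories (canvas, WebRTC IP, screen resolution, plugins) but not the JSON keys, so those keys and the sample log lines are constructed. The scoring goes slightly beyond the single indicator on the page: any POST body carrying several fingerprint-style fields is flagged, whether or not it goes to the known domain, so the same check catches a re-hosted beacon.

```python
import json
from urllib.parse import urlparse

# Indicator from the report (written defanged there as megamodelstudio[.]com)
# and the exfiltration path it names.
SUSPECT_DOMAIN = "megamodelstudio.com"
SUSPECT_PATH = "/ads/track"

# Hypothetical JSON field names for a browser-fingerprinting beacon. The report
# lists the categories of data collected, not the keys; these are assumptions.
FINGERPRINT_KEYS = {"canvas", "webrtc_ip", "screen", "plugins",
                    "user_agent", "timezone", "fonts"}

# A record is alerted when its score reaches this value. A hit on the known
# domain alone (3 points) is enough; generic fingerprint traffic needs several keys.
ALERT_THRESHOLD = 3

# Constructed proxy log lines (not real traffic): ts, client, method, url, body ("-" if none).
SAMPLE_LOG = (
    "2025-03-01T10:00:01Z\t192.0.2.10\tPOST\thttps://megamodelstudio.com/ads/track\t"
    '{"canvas":"d41d8cd98f","webrtc_ip":"10.0.0.5","screen":"1920x1080","plugins":["pdf"]}\n'
    "2025-03-01T10:00:02Z\t192.0.2.10\tGET\thttps://megamodelstudio.com/models/shir-benzion\t-\n"
    "2025-03-01T10:00:03Z\t192.0.2.11\tPOST\thttps://analytics.example.net/ads/track\t"
    '{"event":"pageview","page":"/home"}\n'
    "2025-03-01T10:00:04Z\t192.0.2.12\tPOST\thttps://cdn.example.org/collect\t"
    '{"canvas":"9e107d9d","webrtc_ip":"10.0.0.7","screen":"1366x768","plugins":[],"fonts":["Arial"]}\n'
)


def parse_line(line):
    """Split one tab-separated proxy record into a dict."""
    ts, client, method, url, body = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "client": client, "method": method, "url": url, "body": body}


def fingerprint_keys(body):
    """Return the fingerprint-style keys present in a JSON request body, if any."""
    if body == "-":
        return set()
    try:
        data = json.loads(body)
    except ValueError:
        return set()
    if not isinstance(data, dict):
        return set()
    return {k for k in data if k.lower() in FINGERPRINT_KEYS}


def score_request(rec):
    """Score one record; returns (score, list of human-readable reasons)."""
    score, reasons = 0, []
    parsed = urlparse(rec["url"])
    host = (parsed.hostname or "").lower()
    if host == SUSPECT_DOMAIN or host.endswith("." + SUSPECT_DOMAIN):
        score += 3
        reasons.append(f"ioc-domain:{host}")
    # POST to /ads/track is the exfiltration shape described in the report; on its
    # own it is also what real ad analytics looks like, so it is weighted below threshold.
    if rec["method"] == "POST" and parsed.path == SUSPECT_PATH:
        score += 2
        reasons.append("post-ads-track")
    keys = fingerprint_keys(rec["body"])
    if keys:
        score += len(keys)
        reasons.append("fingerprint-keys:" + ",".join(sorted(keys)))
    return score, reasons


def analyze(log_text):
    """Run the scorer over a log export and return the records that alert."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        score, reasons = score_request(rec)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "url": rec["url"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["ts"], alert["client"], alert["score"], alert["url"], alert["reasons"])
```

Of the four constructed records, three alert: the beacon to the reported domain (domain, path and four fingerprint keys), the plain GET to the same domain (domain hit alone), and the fingerprint POST to an unrelated host (five keys). The ordinary pageview POST to /ads/track on an analytics host scores 2 and stays quiet, which is the point of not alerting on the path by itself.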

What Undercode Says:

This campaign marks a chilling evolution in how state-sponsored cyber actors are weaving narratives and aesthetics into espionage. Agent Ser

References:

Reported By: cyberpress.org