Cybersecurity researchers at Unit 42 uncovered a sophisticated Iranian cyber espionage campaign involving the creation of a fraudulent website impersonating the prominent Hamburg-based Mega Model Agency.
This elaborate infrastructure, hosted at megamodelstudio[.]com, has been identified as a likely operation of the Iranian advanced persistent threat group (APT) known as Agent Serpens, or APT35 (also referred to as Charming Kitten).
The attackers engineered the fake model agency not only to deceive visitors but also to conduct detailed profiling of anyone who lands on the site.

Attackers Employ Advanced Social Engineering and Data Collection
The malicious website is a convincing clone, replicating the genuine branding, content, and layout of the legitimate agency.
However, the threat actors embedded heavily obfuscated JavaScript on every page.
Once activated, this script surreptitiously collects a wide range of device-specific and network information.
The data points harvested include browser languages, screen resolutions, device fingerprints (via advanced canvas fingerprinting methods), local and public IP addresses (using WebRTC leaks), browser plugins, and precise timestamps.
The collected information is structured as JSON and exfiltrated to the attacker-controlled endpoint /ads/track using POST requests, an attempt to blend in with legitimate advertising analytics traffic and evade casual detection.
A particularly notable feature of the campaign is its use of targeted social engineering.
The fake website swaps out a real model’s profile and inserts a fabricated persona named “Shir Benzion.”
This profile features professional photos and a link to a so-called “private album.”
Although the link is non-functional at this time, researchers believe it is a placeholder for more advanced lures, potentially to be used in spear-phishing attacks that deliver malware or harvest further credentials from carefully selected targets.
Evidence Links Campaign to Iranian APT, Agent Serpens
The operational complexity displayed in this campaign, combined with its highly selective targeting, strongly suggests the involvement of an advanced Iranian APT group.
Agent Serpens/APT35 is infamous for espionage campaigns against individuals and organizations critical of the Iranian regime, particularly those in the diaspora such as dissidents, journalists, and activists.
The campaign’s infrastructure was registered and activated in early 2025, further aligning with known Iranian cyber-espionage tactics and targeting priorities.
No evidence has yet emerged of direct victim compromises or exploitation, but the infrastructure is clearly intended for use in highly targeted operations.
Most likely, initial victim contact will occur through spear-phishing emails containing links to the cloned website.
Upon engagement, the attackers could use the detailed visitor profiling to filter and target high-value individuals for more advanced phases of attack.
According to the report, security professionals and individuals, especially those linked to the Iranian dissident community, are strongly urged to adopt heightened vigilance and to treat unsolicited contacts related to modeling or similar recruitment schemes with caution.
All contacts and opportunities should be independently verified to prevent accidental exposure to malicious infrastructure.
Palo Alto Networks advises that customers are protected from this threat through advanced URL filtering, DNS security, and real-time exploit detection features.
Additionally, Unit 42 has shared indicators of compromise with the Cyber Threat Alliance to assist in broader industry-wide defensive measures.
Indicators of Compromise (IOC)
Indicator | Description |
---|---|
Domain: megamodelstudio[.]com | Fake Mega Model Agency website |
IP Address: 64.72.205[.]32 | Server hosting fraudulent website |
URL: hxxps://www.megamodelstudio[.]com/model | Main landing page of fake agency |
URL: hxxps://www.megamodelstudio[.]com/women | Women’s section of the fake site |
URL: hxxps://www.megamodelstudio[.]com/women/Shir-Benzion | Fictitious “Shir Benzion” model profile |
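
The following is an added example, not code from Unit 42 or from the original article. It shows one way to hunt for the indicators above in web proxy records, separating page visits from POSTs to the /ads/track profiling endpoint. The record field names and all sample records are constructed assumptions, not a real proxy schema.

```python
from urllib.parse import urlsplit

# Indicators from the article's IOC table, kept defanged as published.
DEFANGED_IOCS = [
    "megamodelstudio[.]com",
    "64.72.205[.]32",
    "hxxps://www.megamodelstudio[.]com/model",
    "hxxps://www.megamodelstudio[.]com/women",
    "hxxps://www.megamodelstudio[.]com/women/Shir-Benzion",
]
BEACON_PATH = "/ads/track"  # profiling endpoint named in the article

def refang(value):
    """Undo the report's defanging (hxxp -> http, [.] -> .)."""
    return value.replace("[.]", ".").replace("hxxp", "http", 1)

def build_hosts(iocs):
    """Reduce domains, IPs and URLs to the set of hosts to match on."""
    hosts = set()
    for ioc in map(refang, iocs):
        hosts.add((urlsplit(ioc).hostname if "://" in ioc else ioc).lower())
    return hosts

def classify(rec, hosts):
    """Return None, 'visit' or 'beacon' for one proxy record (a dict)."""
    host = rec["host"].lower().rstrip(".")
    on_ioc = rec["dst_ip"] in hosts or any(
        host == h or host.endswith("." + h) for h in hosts)
    if not on_ioc:
        return None  # /ads/track on unrelated hosts is ordinary ad traffic
    path = urlsplit(rec["path"]).path  # drop any query string
    return "beacon" if rec["method"] == "POST" and path == BEACON_PATH else "visit"

def scan(records, hosts):
    """List (src_ip, verdict) for every record that touches the infrastructure."""
    return [(r["src_ip"], v) for r in records if (v := classify(r, hosts))]

# Constructed sample records (assumed field names, not a real proxy schema).
FIELDS = ("src_ip", "method", "host", "dst_ip", "path")
SAMPLE = [dict(zip(FIELDS, map(refang, row))) for row in [
    ("10.0.0.5", "GET", "www.megamodelstudio[.]com", "64.72.205[.]32", "/women/Shir-Benzion"),
    ("10.0.0.5", "POST", "www.megamodelstudio[.]com", "64.72.205[.]32", "/ads/track?v=1"),
    ("10.0.0.9", "POST", "ads.example.net", "203.0.113.7", "/ads/track"),
    ("10.0.0.12", "GET", "notmegamodelstudio[.]com", "198.51.100.4", "/"),
    ("10.0.0.20", "GET", "64.72.205[.]32", "64.72.205[.]32", "/"),
]]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE, build_hosts(DEFANGED_IOCS)):
        print(src, verdict)
```

A "beacon" verdict means the profiling script ran in that client's browser and posted its data, so that source warrants closer follow-up than a bare visit.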