
Researchers at Palo Alto Networks’ Unit 42 recently uncovered a covert Iranian cyber-espionage campaign that used a fake modeling agency website to selectively target visitors through social engineering and browser fingerprinting.
The operation, attributed with high confidence to an Iranian threat group and suspected with lower confidence to be Agent Serpens (also known as APT35 or Charming Kitten), impersonated Germany’s Mega Model Agency through a fraudulent clone website hosted at megamodelstudio[.]com.
“This infrastructure hosted a fraudulent website designed to mimic the authentic agency’s branding and content,” the report explains. “Visitors unknowingly triggered obfuscated JavaScript designed to capture detailed visitor information, such as browser languages, screen resolutions, IP addresses, and browser fingerprints.”
The cloned site faithfully replicated the real Mega Model Agency’s layout and images, but with one insidious twist: it dynamically replaced a legitimate model’s profile with a fictitious persona named “Shir Benzion.” This fabricated profile included a non-functional private album link, which Unit 42 believes was likely intended to harvest credentials or deliver malware payloads in future stages.

“This replacement profile is likely fictitious and part of a social engineering tactic,” wrote Unit 42. “The attackers also inject a link to a private album…likely a placeholder for targeted social engineering attacks.”
Perhaps the most alarming element of the campaign was its use of obfuscated JavaScript to fingerprint visitors. Once a user accessed any page on the fake website, a hidden script silently collected a broad set of metadata to enable selective targeting. These data points included:
- Browser language and plugin enumeration
- Screen resolution and timestamps
- WebRTC-based IP address discovery (both local and public)
- Canvas fingerprinting, with the rendered canvas hashed using SHA-256 to uniquely identify the device
This data was then structured in JSON format and sent via a POST request to a disguised endpoint: /ads/track.
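The collection described above leaves a recognisable trace in web-server or proxy logs: a POST to an advertising-looking path whose JSON body carries a SHA-256 hex digest, a screen resolution, IP literals (including RFC 1918 addresses that only WebRTC can reveal to a page), and language or plugin lists. The detector below is an added example and is not Unit 42's code; every field name, path and log record in it is constructed, and because an attacker can rename JSON keys freely it matches on the shape of values as well as on tell-tale key names.

```python
"""Flag browser-fingerprint exfiltration beacons in web-server or proxy logs.

Added example, not Unit 42's code. Field names, paths and every log record
below are constructed for illustration.
"""
import ipaddress
import json
import re
from typing import Any, Iterator

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$", re.I)
RESOLUTION = re.compile(r"^\d{3,5}x\d{3,5}$")            # e.g. "1920x1080"
# Endpoints dressed up as advertising/analytics traffic: suspicious context.
AD_PATH = re.compile(r"/(ads?|track|pixel|beacon|analytics)(/|$)", re.I)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _scalars(obj: Any, key: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (nearest enclosing key, scalar value) pairs from nested JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _scalars(v, k)
    elif isinstance(obj, list):
        for v in obj:
            yield from _scalars(v, key)
    else:
        yield key, obj


def fingerprint_indicators(body: str) -> set[str]:
    """Return the fingerprint-like traits present in a JSON request body."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return set()
    found: set[str] = set()
    for key, value in _scalars(data):
        k = key.lower()
        if "lang" in k:
            found.add("language")
        if "plugin" in k:
            found.add("plugins")
        if "canvas" in k:
            found.add("canvas")
        if not isinstance(value, str):
            continue
        if SHA256_HEX.match(value):
            found.add("sha256_hash")
        elif RESOLUTION.match(value):
            found.add("screen_resolution")
        else:
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                continue
            found.add("ip_address")
            if any(ip in net for net in RFC1918):
                found.add("lan_ip")   # a page only learns this via WebRTC
    return found


def is_fingerprint_beacon(method: str, path: str, body: str) -> bool:
    """Flag POSTs carrying several fingerprint traits; an ad-style path
    lowers the bar because that is where collectors hide."""
    if method.upper() != "POST":
        return False
    traits = fingerprint_indicators(body)
    threshold = 2 if AD_PATH.search(path) else 4
    return len(traits) >= threshold


def flag_records(records: list[dict]) -> list[dict]:
    """Return the flagged records with their indicators attached."""
    out = []
    for rec in records:
        if is_fingerprint_beacon(rec["method"], rec["path"], rec["body"]):
            out.append({**rec,
                        "indicators": sorted(fingerprint_indicators(rec["body"]))})
    return out


SAMPLE_RECORDS = [
    # constructed: beacon shaped like the collection the article describes
    {"method": "POST", "path": "/ads/track", "body": json.dumps({
        "lang": ["en-US", "de"], "plugins": ["PDF Viewer"],
        "screen": "1920x1080", "ts": 1716000000,
        "rtc": {"local": "192.168.1.23", "public": "198.51.100.7"},
        "canvas": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"})},
    # constructed: an ordinary page-view analytics beacon on the same path
    {"method": "POST", "path": "/ads/track",
     "body": json.dumps({"event": "pageview", "url": "/models", "lang": "en-US"})},
    # constructed: a plain image fetch
    {"method": "GET", "path": "/images/logo.png", "body": ""},
]

if __name__ == "__main__":
    for hit in flag_records(SAMPLE_RECORDS):
        print(hit["method"], hit["path"], ", ".join(hit["indicators"]))
```

Only the first record is flagged: a page-view beacon on the same path carries a language field and nothing else, which stays below the threshold, so the rule keys on the combination of traits rather than on the endpoint name alone.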
“This naming convention suggests an attempt to disguise the collection as benign advertising traffic,” the report noted.
Unit 42 emphasized that while no direct victim interaction has been observed yet, the level of preparation suggests the site may have been used in spear-phishing campaigns. The campaign aligns with known tactics used by Agent Serpens, a group widely recognized for espionage operations targeting Iranian dissidents, activists, and journalists abroad.
“The operation’s complexity, methods and targeting lead us to believe with high confidence that these are the actions of an Iranian threat group,” the researchers concluded.