Iranian APT Impersonates German Model Agency in Espionage Operation
- Actor Motivations: Undetected
- Attack Vectors: Phishing, Spear Phishing
- Attack Complexity: Unknown
- Threat Risk: Unknown
Threat Overview
Suspected Iranian threat actors, likely linked to APT35 (Agent Serpens), created a fraudulent website impersonating Germany’s Mega Model Agency to conduct targeted espionage. The site collects extensive visitor data—including IP addresses, browser fingerprints, and screen resolutions—using obfuscated JavaScript to enable selective targeting. A fake model profile and inactive album link suggest planned social engineering attacks. Although no victim interaction was confirmed, the infrastructure and tactics indicate preparation for spear phishing. The campaign targets dissidents, journalists, and activists abroad, especially in Germany, aligning with the group’s history of surveillance and influence operations against Iranian opposition figures.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Region | Germany | High |
Extracted IOCs
- megamodelstudio[.]com
- www.megamodelstudio[.]com
- 64[.]72.205.32
- hxxps://www.megamodelstudio[.]com/model
- hxxps://www.megamodelstudio[.]com/women
- hxxps://www.megamodelstudio[.]com/women/shir-benzion
Tip: 6 IOCs related to this threat have been found (1 IP, 2 domains, 3 URLs, 0 emails, 0 file hashes).
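One way a defender can put the indicators above to use: refang them and sweep web-proxy logs for any host that touched the impersonation site. This is an added example, not code from the report or its authors; the proxy-log format and the sample log lines are constructed for illustration, and the IOC values are the ones listed on this page.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published on this page, still defanged.
DEFANGED_IOCS = [
    "megamodelstudio[.]com", "www.megamodelstudio[.]com", "64[.]72.205.32",
    "hxxps://www.megamodelstudio[.]com/model", "hxxps://www.megamodelstudio[.]com/women",
    "hxxps://www.megamodelstudio[.]com/women/shir-benzion",
]

def refang(ioc: str) -> str:
    """Undo [.] and hxxp defanging so the value can be compared with real log data."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")

def classify(ioc: str) -> tuple[str, str]:
    """Label a refanged indicator as 'ip', 'url' or 'domain'; URL/domain are lower-cased."""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ioc):
        return "ip", ioc
    if "://" in ioc:
        return "url", ioc.lower().rstrip("/")
    return "domain", ioc.lower()

IOCS = [classify(refang(i)) for i in DEFANGED_IOCS]

def parse_proxy_line(line: str) -> dict:
    """Constructed proxy-log format (assumption): '<ts> <src_ip> <dst_ip> <method> <url> <status>'."""
    ts, src, dst, method, url, status = line.split()
    return {"src_ip": src, "dst_ip": dst, "url": url.rstrip("/").lower(),
            "host": (urlsplit(url).hostname or "").lower()}

def match_iocs(rec: dict) -> list[str]:
    """Return every page IOC the record touches: exact IP, domain or subdomain, URL or sub-path."""
    hits = []
    for kind, value in IOCS:
        if kind == "ip" and rec["dst_ip"] == value:
            hits.append(value)
        elif kind == "domain" and (rec["host"] == value or rec["host"].endswith("." + value)):
            hits.append(value)
        elif kind == "url" and (rec["url"] == value or rec["url"].startswith(value + "/")):
            hits.append(value)
    return hits

def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (src_ip, hits) for each log line that touches at least one IOC."""
    results = []
    for rec in (parse_proxy_line(l) for l in lines if l.strip()):
        hits = match_iocs(rec)
        if hits:
            results.append((rec["src_ip"], hits))
    return results

# Constructed sample lines: one visit to the fake profile page, one unrelated request.
SAMPLE_LOG = [
    "2025-06-01T09:12:03Z 10.0.0.17 64.72.205.32 GET https://www.megamodelstudio.com/women/shir-benzion 200",
    "2025-06-01T09:12:09Z 10.0.0.23 93.184.216.34 GET https://example.com/ 200",
]
```

A hit on the IP or domain alone is a reason to pull the client's full browsing history around that time, since the report says the page fingerprinted visitors for later targeting rather than delivering a payload on first contact.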
FAQs
Fake Model Site Used in Iranian Cyber Espionage Operation
Hackers set up a fake website impersonating a well-known German model agency to secretly collect information about people who visited it.
Cybersecurity experts believe the operation was carried out by Iranian state-linked hackers, possibly a group known as Agent Serpens or APT35, who are known for spying on critics of the Iranian government.
The goal appears to be spying. The fake site collects detailed technical information about visitors and includes a fake model profile—likely designed to trick specific people into giving up sensitive information or downloading malware.
Although no direct victims have been confirmed yet, the attackers likely aimed at Iranian dissidents, journalists, and activists living abroad—especially in places like Germany.
When someone visited the fake website, hidden code secretly collected data like their IP address and browser type. It also displayed a fake model profile, possibly as bait for a future phishing or malware attack.
The hackers used the model agency’s name and look to appear legitimate and appealing, making it easier to trick specific targets into clicking links or engaging further.
Be cautious when visiting unknown websites or receiving unexpected messages with links. Always verify the identity of contacts and avoid sharing personal information or clicking suspicious links.
No, this was a targeted operation, likely focusing on specific individuals of interest to the Iranian government rather than the general public. However, similar tactics may be reused in other operations.