Iranian Spies Maintained Social Media Persona for Years Before Targeting Defense Contractor

An Iranian state-sponsored threat actor tracked as TA456 maintained a social media account for several years before engaging with their intended victim, cybersecurity firm Proofpoint reports.
TA456 is known for conducting espionage operations against defense industrial base employees and contractors, mainly those associated with the Middle East. The adversary is believed to be associated with the Iranian company Mahak Rayan Afraz (MRA), which would also link it to the Islamic Revolutionary Guard Corps (IRGC).

The newly detailed activity attributed to the group involved the social media persona “Marcella Flores,” used to engage with an employee of a subsidiary of an aerospace defense contractor over multiple communication platforms and to gain their trust before attempting to infect them with malware.

The adversary maintained the online persona for several years, uploading the first photo to the Marcella Flores Facebook profile in 2018 and befriending the intended victim in 2019, if not before.

Proofpoint’s analysis revealed that TA456 engaged in conversations with the targeted employee in November 2020 and that it had actively maintained the discussion with the victim over corporate and personal communication platforms, including email.

In early June 2021, the threat actor delivered a malicious email to the victim, in an attempt to infect them with LEMPO, an updated version of Liderc, a piece of malware previously associated with the Iran-linked threat actor known as Tortoiseshell.

LEMPO, Proofpoint explains, is a Visual Basic script designed for reconnaissance. It can enumerate the host, collect data (date and time, computer name, system information, drives, installed applications, and user details), and exfiltrate it to an attacker-controlled email account using Microsoft’s Collaboration Data Objects (CDO).
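The description above suggests two defender-side detection angles: a Windows script host opening an outbound SMTP connection, and a .vbs file that instantiates a CDO mail object alongside host-enumeration calls. The following Python is an added illustration, not Proofpoint's code or any TA456 artefact; the event shape, field names, regexes and sample script are constructed assumptions.

```python
import re

# Constructed Sysmon-like events (process create + network connect); not real telemetry.
EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\update.vbs"},
    {"type": "network", "pid": 4120, "dst_ip": "203.0.113.10", "dst_port": 587},
    {"type": "process", "pid": 5001, "image": r"C:\Program Files\Mail\mailclient.exe",
     "cmdline": "mailclient.exe"},
    {"type": "network", "pid": 5001, "dst_ip": "203.0.113.20", "dst_port": 587},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")  # assumed watch-list
SMTP_PORTS = {25, 465, 587}


def flag_script_host_smtp(events):
    """Return sorted pids of script-host processes that opened an SMTP connection."""
    hosts = {e["pid"] for e in events if e["type"] == "process"
             and e["image"].lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS}
    return sorted({e["pid"] for e in events if e["type"] == "network"
                   and e["pid"] in hosts and e["dst_port"] in SMTP_PORTS})


# Static triage of VBScript text: mail object plus the kinds of enumeration the article lists
# (system info, drives, installed applications, user details). Patterns are assumptions.
CDO_RE = re.compile(r'CreateObject\s*\(\s*"CDO\.(Message|Configuration)"', re.I)
RECON_RE = re.compile(
    r"Win32_(ComputerSystem|OperatingSystem|LogicalDisk|Product)|%(USERNAME|COMPUTERNAME)%",
    re.I)


def score_vbs(text):
    """Flag a script that both builds a CDO mail object and enumerates the host."""
    cdo = bool(CDO_RE.search(text))
    recon = len({m.group(0).lower() for m in RECON_RE.finditer(text)})
    return {"cdo_mail": cdo, "recon_hits": recon, "suspicious": cdo and recon >= 2}


# Constructed sample script for testing the triage logic; not LEMPO.
SAMPLE_VBS = r'''
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Set cs = objWMI.ExecQuery("Select * from Win32_ComputerSystem")
Set drives = objWMI.ExecQuery("Select * from Win32_LogicalDisk")
user = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%USERNAME%")
Set msg = CreateObject("CDO.Message")
msg.Send
'''

if __name__ == "__main__":
    print(flag_script_host_smtp(EVENTS), score_vbs(SAMPLE_VBS))
```

Neither check is conclusive on its own; the pid correlation catches the exfiltration channel regardless of script content, while the static score helps prioritise .vbs attachments for analyst review.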

The Marcella Flores persona employed in this campaign showed similarities with other fictitious profiles that known Iran-linked threat actors have used in operations targeting individuals of interest. Using Marcella’s persona, the adversary befriended several defense contractor employees.

On July 15, Facebook announced that it took action against Tortoiseshell, and the Marcella Flores persona was removed from the social media platform at that time. According to Proofpoint, while TA456’s activity overlaps with Tortoiseshell and Imperial Kitten operations, the adversary should be tracked separately.

“This campaign exemplifies the persistent nature of certain state aligned threats and the human engagement they are willing to conduct in support of espionage operations. […] TA456’s dedication to significant social engineering engagement, benign reconnaissance of targets prior to deploying malware, and their cross platform kill chain establish TA456 to be one of the most resourceful Iranian-aligned threats,” Proofpoint notes.

Related: Kaspersky Details Iranian Domestic Cyber-Surveillance Operation

Related: US Takes Down Iran-linked News Sites, Alleges Disinformation

Related: Iran Used Fake Instagram Accounts to Try to Nab Israelis: Spy Agencies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
