Connect with us

Hi, what are you looking for?



Iranian Spies Maintained Social Media Persona for Years Before Targeting Defense Contractor

An Iranian state-sponsored threat actor tracked as TA456 maintained a social media account for several years before engaging with their intended victim, cybersecurity firm Proofpoint reports.

An Iranian state-sponsored threat actor tracked as TA456 maintained a social media account for several years before engaging with their intended victim, cybersecurity firm Proofpoint reports.

TA456 is known for conducting espionage operations against defense industrial base employees and contractors, mainly those associated with the Middle East. The adversary is believed to be associated with the Iranian company Mahak Rayan Afraz (MRA), which would also link it to the Islamic Revolutionary Guard Corps (IRGC).

The newly detailed activity attributed to the group involved the use of the social media persona “Marcella Flores,” which was used to engage with an employee of a subsidiary of an aerospace defense contractor over multiple communication platforms, to gain their trust in an attempt to infect them with malware.

The adversary maintained the online persona for several years, uploading the first photo to the Marcella Flores Facebook profile in 2018 and befriending the intended victim in 2019, if not before.

Proofpoint’s analysis revealed that TA456 engaged in conversations with the targeted employee in November 2020 and that it had actively maintained the discussion with the victim over corporate and personal communication platforms, including email.

In early June 2021, the threat actor delivered a malicious email to the victim, in an attempt to infect them with LEMPO, an updated version of Liderc, a piece of malware previously associated with the Iran-linked threat actor known as Tortoiseshell.

LEMPO, Proofpoint explains, is a Visual Basic script designed for reconnaissance. It can enumerate the host, collect data (date and time, computer name, system information, drives, installed applications, and user details), and exfiltrate it to an attacker-controlled email account using Microsoft’s Collaboration Data Objects (CDO).

The Marcella Flores persona employed in this campaign showed similarities with other fictitious profiles that known Iran-linked threat actors have used in operations targeting individuals of interest. Using Marcella’s persona, the adversary befriended several defense contractor employees.

Advertisement. Scroll to continue reading.

On July 15, Facebook announced that it took action against Tortoiseshell. The Marcella Flores persona was removed from the social media platform at that time. According to Proofpoint, while TA456’s activity overlaps Tortoiseshell and Imperial Kitten operations, the adversary should be tracked separately.

“This campaign exemplifies the persistent nature of certain state aligned threats and the human engagement they are willing to conduct in support of espionage operations. […] TA456’s dedication to significant social engineering engagement, benign reconnaissance of targets prior to deploying malware, and their cross platform kill chain establish TA456 to be one of the most resourceful Iranian-aligned threats,” Proofpoint notes.

Related: Kaspersky Details Iranian Domestic Cyber-Surveillance Operation

Related: US Takes Down Iran-linked News Sites, Alleges Disinformation

Related: Iran Used Fake Instagram Accounts to Try to Nab Israelis: Spy Agencies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...