An Iranian state-sponsored threat actor tracked as TA456 maintained a social media account for several years before engaging with their intended victim, cybersecurity firm Proofpoint reports.
TA456 is known for conducting espionage operations against defense industrial base employees and contractors, mainly those associated with the Middle East. The adversary is believed to be associated with the Iranian company Mahak Rayan Afraz (MRA), which would also link it to the Islamic Revolutionary Guard Corps (IRGC).
The newly detailed activity attributed to the group involved the use of the social media persona “Marcella Flores,” which was used to engage with an employee of a subsidiary of an aerospace defense contractor over multiple communication platforms, to gain their trust in an attempt to infect them with malware.
The adversary maintained the online persona for several years, uploading the first photo to the Marcella Flores Facebook profile in 2018 and befriending the intended victim in 2019, if not before.
Proofpoint’s analysis revealed that TA456 engaged in conversations with the targeted employee in November 2020 and that it had actively maintained the discussion with the victim over corporate and personal communication platforms, including email.
In early June 2021, the threat actor delivered a malicious email to the victim, in an attempt to infect them with LEMPO, an updated version of Liderc, a piece of malware previously associated with the Iran-linked threat actor known as Tortoiseshell.
LEMPO, Proofpoint explains, is a Visual Basic script designed for reconnaissance. It can enumerate the host, collect data (date and time, computer name, system information, drives, installed applications, and user details), and exfiltrate it to an attacker-controlled email account using Microsoft’s Collaboration Data Objects (CDO).
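As an added defender-side example (not from the report and not Proofpoint's tooling), the following Python correlates constructed Sysmon-style process and network events and flags a script host that opens a direct SMTP connection, the endpoint pattern a CDO-based mailer like LEMPO produces; the event schema, paths and addresses are assumed for illustration.

```python
import json

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SMTP_PORTS = {25, 465, 587}

# Constructed sample telemetry in a Sysmon-like shape (assumed schema, not real data):
# event_id 1 = process creation, event_id 3 = network connection.
SAMPLE_LOG = r"""
{"event_id": 1, "pid": 4120, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "command_line": "wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\invite.vbs"}
{"event_id": 1, "pid": 4300, "image": "C:\\Program Files\\Mail\\mailclient.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "mailclient.exe"}
{"event_id": 3, "pid": 4300, "dest_ip": "203.0.113.20", "dest_port": 587}
{"event_id": 3, "pid": 4120, "dest_ip": "203.0.113.11", "dest_port": 443}
{"event_id": 3, "pid": 4120, "dest_ip": "203.0.113.10", "dest_port": 587}
"""


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_script_host_smtp(events):
    """Correlate network events with the creating process by pid and flag
    script hosts (wscript/cscript) that connect directly to SMTP ports.
    A normal mail client on the same port is not flagged."""
    procs = {}   # pid -> process creation event
    alerts = []
    for ev in events:
        if ev["event_id"] == 1:
            procs[ev["pid"]] = ev
        elif ev["event_id"] == 3 and ev["dest_port"] in SMTP_PORTS:
            proc = procs.get(ev["pid"])
            if proc is None:
                continue  # no creation event seen; cannot attribute the connection
            image = proc["image"].rsplit("\\", 1)[-1].lower()
            if image in SCRIPT_HOSTS:
                alerts.append({
                    "pid": ev["pid"],
                    "image": image,
                    "parent_image": proc["parent_image"],
                    "command_line": proc["command_line"],
                    "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}',
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_script_host_smtp(parse_events(SAMPLE_LOG)):
        print("ALERT script host SMTP egress:", alert)
```

The parent image and command line are carried into the alert so an analyst can see which document or mail client launched the script before triaging.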
The Marcella Flores persona employed in this campaign showed similarities with other fictitious profiles that known Iran-linked threat actors have used in operations targeting individuals of interest. Using Marcella’s persona, the adversary befriended several defense contractor employees.
On July 15, Facebook announced that it had taken action against Tortoiseshell, and the Marcella Flores persona was removed from the platform at that time. According to Proofpoint, while TA456's activity overlaps with Tortoiseshell and Imperial Kitten operations, the adversary should be tracked separately.
“This campaign exemplifies the persistent nature of certain state aligned threats and the human engagement they are willing to conduct in support of espionage operations. […] TA456’s dedication to significant social engineering engagement, benign reconnaissance of targets prior to deploying malware, and their cross platform kill chain establish TA456 to be one of the most resourceful Iranian-aligned threats,” Proofpoint notes.