A cyberespionage group based in Iran has been disguising itself as an aerobics instructor on Facebook. This social engineering campaign was ongoing for almost a year and tried to deliver malware. All this was done to infect the targeted system of an employee of an aerospace defense contractor.

What happened?

Cybersecurity firm Proofpoint has linked this covert operation to a state-sponsored threat actor, TA456. This group is also known by other names such as Tortoiseshell and Imperial Kitten in the security community.
  • Attackers impersonated media persona 'Marcella Flores,' to develop a relationship (using corporate communication platforms) with an employee working in a subsidiary firm of an aerospace defense contractor.
  • In early June, the attacker tried to utilize this relationship by sending a targeted malware, Lempo, via an ongoing email communication chain.
  • The malware can be used to establish persistence, gather sensitive information, and conduct reconnaissance.
  • In the recent campaign, the attack chain was started by an email message laden with OneDrive URL that claimed to be a diet survey. It contained a macro-embedded Excel document to retrieve the reconnaissance tool from a domain controlled by the attacker.
  • Attackers are believed to be inexplicitly aligned with the Islamic Revolutionary Guard Corps (IRGC). In addition to this, the group is suspected to be associated with the Iranian IT firm Mahak Rayan Afraz (MRA).

Past incidents

The ongoing campaign is not entirely a new initiative by the attackers. The fake persona has been in use since 2019.
  • Last month, Facebook took several steps to dismantle a cyber-espionage campaign undertaken by Tortoiseshell targeting about 200 military personnel and companies in the defense and aerospace sectors.
  • Most of these targeted attacks were aimed at individuals based in the U.S., the U.K, and Europe by employing a vast network of fake online personas on its platform.


TA456 has shown a clear interest in the defense industry. Moreover, the group has shown its dedication by building a relationship with an employee over years to deploy the malware. Such dedicated attack efforts are not easy to dodge for any organization. This requires an equal or rather greater effort and awareness to stay protected from such espionage operations.

Cyware Publisher