Hackers with ties to the Iranian government posed for years as a glamorous Liverpool-based aerobics instructor in order to install malware on the machine of an employee of a US aerospace defense contractor, cybersecurity firm Proofpoint revealed.
In a new report the researchers said they discovered “a years-long social engineering and targeted malware campaign by the Iranian-state aligned threat actor TA456,” also known as Tortoiseshell.
“Using the social media persona “Marcella Flores,” TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor. In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain,” Proofpoint said.
“Proofpoint data shows that over at least eight months, “Marcella (Marcy) Flores” sent TA456’s target benign email messages, photographs, and a video to establish her veracity and build rapport with the intended victim. At one time, TA456 attempted to send a benign, but flirtatious video via a OneDrive URL. In early June, a TA456 actor self-identified as “Marcy” sent another OneDrive link, this time masquerading as a diet survey.”
Upon infecting the computer, the malware, which was dubbed ‘LEMPO’ by the researchers, establishes persistence and then performs reconnaissance on the machine, extracting sensitive information, which is then sent to an actor-controlled email account via SMTPS. Lastly, the malware covers its tracks by deleting that day’s host artifacts.
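The exfiltration channel is the most detectable step in that chain: on most corporate networks a workstation hands mail to the company relay and never opens an SMTP session to an Internet host itself, so a TLS-SMTP connection from an endpoint to an arbitrary mailbox provider is an anomaly worth alerting on. The following is an added detection example written for this article, not code from Proofpoint or from the campaign itself. The log layout, the host-naming convention (workstations prefixed `WS-`), the relay address `10.0.5.25` and the sample connections are all assumptions constructed for the example.

```python
"""
Added example (not from Proofpoint's report): flag workstations that open
outbound SMTPS/submission sessions to anything other than the corporate
mail relay, the observable left by malware that exfiltrates over SMTPS.
Host names, IPs and the log format are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional

# SMTP over implicit TLS (465) and the mail submission port (587, STARTTLS).
MAIL_SUBMISSION_PORTS = {465, 587}

# Hypothetical corporate relay: the only SMTP destination a workstation
# should ever have.
APPROVED_MAIL_RELAYS = {"10.0.5.25"}


def is_workstation(host: str) -> bool:
    """Hypothetical naming convention: endpoints are named WS-<user>."""
    return host.upper().startswith("WS-")


@dataclass(frozen=True)
class Conn:
    ts: str
    src_host: str
    dst_ip: str
    dst_port: int
    action: str


def parse_line(line: str) -> Optional[Conn]:
    """Parse one constructed firewall/EDR line of the form
    '<ts> <src_host> <dst_ip>:<dst_port> tcp <allow|deny>'.
    Returns None for malformed or non-TCP lines."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "tcp":
        return None
    dst_ip, _, port = parts[2].rpartition(":")
    if not dst_ip or not port.isdigit():
        return None
    return Conn(parts[0], parts[1], dst_ip, int(port), parts[4])


def find_rogue_smtp(lines: List[str]) -> List[dict]:
    """One alert per workstation connection to a non-relay SMTP port.
    An allowed session may be a completed exfiltration and is rated high;
    a denied one still shows a process on the host trying to speak SMTP."""
    alerts = []
    for line in lines:
        c = parse_line(line)
        if c is None:
            continue
        if not is_workstation(c.src_host):
            continue  # relays and servers legitimately talk SMTP outbound
        if c.dst_port not in MAIL_SUBMISSION_PORTS:
            continue
        if c.dst_ip in APPROVED_MAIL_RELAYS:
            continue
        alerts.append({
            "ts": c.ts,
            "host": c.src_host,
            "dst": f"{c.dst_ip}:{c.dst_port}",
            "severity": "high" if c.action == "allow" else "medium",
        })
    return alerts


# Constructed sample log: a benign submission to the relay, an HTTPS
# session, an SMTPS session from a workstation to an Internet host (the
# pattern described for LEMPO), the relay's own outbound delivery, a
# blocked attempt from a second workstation, and a malformed line.
SAMPLE_LOG = """\
2021-06-07T09:12:03Z WS-JSMITH 10.0.5.25:587 tcp allow
2021-06-07T09:12:41Z WS-JSMITH 203.0.113.44:443 tcp allow
2021-06-07T09:13:05Z WS-JSMITH 198.51.100.17:465 tcp allow
2021-06-07T09:13:06Z MAIL-RELAY-01 198.51.100.17:25 tcp allow
2021-06-07T09:14:11Z WS-ACHEN 198.51.100.17:465 tcp deny
this line is malformed and should be skipped
""".splitlines()


if __name__ == "__main__":
    for alert in find_rogue_smtp(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, this flags the two workstation sessions to 198.51.100.17 and ignores the relay's own port-25 delivery and the workstation's legitimate submission to the relay. Because the malware deletes host artifacts at the end of the day, the network record of that SMTPS session is likely to outlive the evidence on the endpoint, which is why this check belongs in the network or proxy telemetry rather than only in host-based rules.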
Facebook has since removed the Flores account from its platform in a coordinated takedown of users linked to Iranian hacker activity. Earlier this month, Facebook said it dismantled a cyberespionage campaign it attributed to Tortoiseshell targeting military personnel and companies in the defense and aerospace sectors in the U.S., U.K., and Europe using a network of fake online personas.
Tortoiseshell is believed to be loosely aligned with the Islamic Revolutionary Guard Corps (IRGC) via association with the Iranian company Mahak Rayan Afraz (MRA), according to Facebook’s analysis.
“TA456’s dedication to significant social engineering engagement, benign reconnaissance of targets prior to deploying malware, and their cross platform kill chain establish TA456 to be one of the most resourceful Iranian-aligned threats tracked by Proofpoint. The “Marcella Flores” persona is likely not the only one in use by TA456, making it important for those working within or tangentially to the defense industrial base to be vigilant when engaging with unknown individuals regardless of whether it is via work or personal accounts,” Proofpoint said.