
Iran-Nexus Disseminates MarkiRAT Surveillance Tool

Medium
Published: 07/01/2026 (07/01/2026, 16:58:02 UTC)
Source: AlienVault OTX General

Description

TAG-182, an Iran-nexus threat cluster, is conducting surveillance operations against Iranian citizens both domestically and abroad using the MarkiRAT malware. The group distributes fake Android applications masquerading as VPN services and media players through social media platforms, particularly Instagram. Following Iran's partial internet restoration in May 2026 after an 88-day shutdown, these surveillance activities have intensified as Iran's security apparatus seeks to monitor perceived dissidents and anti-government activists. MarkiRAT samples show tradecraft overlaps with previously documented Ferocious Kitten operations, including use of the Background Intelligent Transfer Service (BITS). The group operates infrastructure across multiple autonomous systems and uses domains whose naming conventions mimic legitimate services such as Microsoft, Google, and Facebook.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/02/2026, 07:21:31 UTC

Technical Analysis

The Iran-nexus threat cluster TAG-182 is deploying the MarkiRAT malware to surveil Iranian citizens both inside and outside Iran. Distribution occurs through fake Android apps masquerading as VPNs and media players, primarily via Instagram. This campaign escalated after Iran's partial internet restoration in May 2026 following an 88-day shutdown. MarkiRAT samples share operational techniques with the Ferocious Kitten group, notably leveraging Background Intelligent Transfer Service (BITS) for persistence or communication. TAG-182 operates infrastructure spanning multiple autonomous systems and uses deceptive domain names resembling major technology companies to facilitate their operations.

Potential Impact

The campaign enables persistent surveillance and monitoring of Iranian citizens, particularly dissidents and anti-government activists, potentially compromising their privacy and security. The use of fake Android apps may lead to device compromise, data exfiltration, and ongoing espionage. The threat actor's infrastructure and tradecraft sophistication indicate a sustained and targeted espionage effort.

Mitigation Recommendations

No official patches or fixes are applicable as this is a malware campaign using social engineering and fake applications. Defenders should educate users about the risks of installing unverified Android applications, especially those claiming to be VPNs or media players distributed via social media. Monitoring for and blocking domains mimicking legitimate services may help reduce exposure. There is no indication that vendor patches or cloud service mitigations apply.
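One way to act on the domain-monitoring recommendation above, as an added example that is not part of the report or of any vendor tooling: it flags hostnames that embed a trusted brand's domain under an unrelated registrable domain (the campaign's naming convention) or that carry a one-character typo of the brand name. The brand tuple and the sample hostnames are constructed assumptions, not the report's indicators.

```python
import re
from typing import Dict, Iterable, Optional

# Brands the report says are mimicked; this tuple is a constructed assumption.
TRUSTED = ("google.com", "microsoft.com", "facebook.com", "instagram.com")

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); production code should use the
    Public Suffix List so that google.co.uk is not split as co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent swap as one step."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_reason(host: str) -> Optional[str]:
    """Return why `host` looks like brand impersonation, or None."""
    host = host.lower().strip(".")
    apex = registrable_domain(host)
    if apex in TRUSTED:
        return None  # genuinely inside the brand's own zone
    for brand in TRUSTED:
        # Brand domain at a label boundary but not the apex, e.g.
        # "accounts.google.com-signin.<tld>" or "microsoft.comi-site.<tld>".
        if re.search(r"(^|\.)" + re.escape(brand), host):
            return f"embeds {brand} under {apex}"
        sld = brand.split(".")[0]  # one-typo variants such as "microsotf"
        for label in host.split("."):
            if label != sld and osa_distance(label, sld) <= 1:
                return f"typosquat of {sld} ({label}) under {apex}"
    return None

def scan(hosts: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious hostname (from DNS or proxy logs) to its reason."""
    return {h: r for h in hosts if (r := lookalike_reason(h))}

# Constructed samples (not the report's indicators): campaign-shaped and benign hosts.
SAMPLE_HOSTS = ["accounts.google.com-signin.example", "microsoft.comi-site.example",
                "micosoft.come-site.example", "mail.google.com", "login.microsoftonline.com"]
```

Run `scan()` over the unique hostnames from a day of DNS or proxy logs; the typosquat branch will also fire on some benign near-miss labels, so treat hits as triage leads rather than automatic blocks.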


Technical Details

Author: AlienVault
TLP: white
References:
https://www.recordedfuture.com/research/nexus-tag182-disseminates-markirat
https://www.recordedfuture.com/research/media_11d60acbcd8901a8e5c5002f7f21ae6e799acee43.gif?width=1200&format=pjpg&optimize=medium
Adversary: TAG-182
Pulse Id: 6a45471afccee96152675f88
Threat Score: null

Indicators of Compromise


Threat ID: 6a460e0327e9c7971954d74a

Added to database: 07/02/2026, 07:06:43 UTC

Last enriched: 07/02/2026, 07:21:31 UTC

Last updated: 07/03/2026, 03:59:28 UTC

Views: 32
