Iran-Nexus Disseminates MarkiRAT Surveillance Tool
TAG-182, an Iran-nexus threat cluster, is conducting surveillance operations targeting Iranian citizens both domestically and abroad using MarkiRAT malware. The group distributes fake Android applications masquerading as VPN services and media players through social media platforms, particularly Instagram. Following Iran's partial internet restoration in May 2026 after an 88-day shutdown, these surveillance activities have intensified as the Iranian security apparatus seeks to monitor perceived dissidents and anti-government activists. MarkiRAT samples demonstrate tradecraft overlaps with previously documented Ferocious Kitten operations, including use of the Background Intelligent Transfer Service (BITS). The group operates infrastructure across multiple autonomous systems, using domains whose naming conventions mimic legitimate services such as Microsoft, Google, and Facebook.
AI Analysis
Technical Summary
The Iran-nexus threat cluster TAG-182 is deploying the MarkiRAT malware to surveil Iranian citizens both inside and outside Iran. Distribution occurs through fake Android apps masquerading as VPNs and media players, primarily via Instagram. This campaign escalated after Iran's partial internet restoration in May 2026 following an 88-day shutdown. MarkiRAT samples share operational techniques with the Ferocious Kitten group, notably leveraging Background Intelligent Transfer Service (BITS) for persistence or communication. TAG-182 operates infrastructure spanning multiple autonomous systems and uses deceptive domain names resembling major technology companies to facilitate their operations.
Potential Impact
The campaign enables persistent surveillance and monitoring of Iranian citizens, particularly dissidents and anti-government activists, potentially compromising their privacy and security. The use of fake Android apps may lead to device compromise, data exfiltration, and ongoing espionage. The threat actor's infrastructure and tradecraft sophistication indicate a sustained and targeted espionage effort.
Mitigation Recommendations
No official patches or fixes are applicable, and there is no indication that vendor patches or cloud service mitigations apply, because this is a malware campaign built on social engineering and fake applications rather than a software vulnerability. Defenders should educate users about the risks of installing unverified Android applications, especially those claiming to be VPNs or media players distributed via social media. Monitoring for and blocking domains that mimic legitimate services may help reduce exposure.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References:
  - https://www.recordedfuture.com/research/nexus-tag182-disseminates-markirat
  - https://www.recordedfuture.com/research/media_11d60acbcd8901a8e5c5002f7f21ae6e799acee43.gif?width=1200&format=pjpg&optimize=medium
- Adversary: TAG-182
- Pulse Id: 6a45471afccee96152675f88
- Threat Score: null
Threat ID: 6a460e0327e9c7971954d74a
Added to database: 07/02/2026, 07:06:43 UTC
Last enriched: 07/02/2026, 07:21:31 UTC
Last updated: 07/03/2026, 03:59:28 UTC
Views: 32