On May 26, 2026, Iran partially restored global internet access—and within weeks, TAG-182 was back in business with updated MarkiRAT infrastructure. Recorded Future's Insikt Group identified new C2 servers and fake Android apps pushing MarkiRAT spyware, signaling a deliberate ramp-up in domestic surveillance.
Fake VPNs and Media Players That Phone Home
TAG-182's latest lure is a website hosting "YESHICA YEPlayer," a media player app nearly identical to one exposed earlier in 2026. Another sample masquerades as "Pis2ray VPN"—neither app exists on Google Play or Apple's App Store. Both are custom-built Android trojans that collect intelligence from Iranian targets inside and outside the country. The group distributes them through social media, particularly Instagram.
Ferocious Kitten Tradecraft, Same Pipeline
The MarkiRAT sample shares operational fingerprints with earlier variants attributed to Ferocious Kitten—most notably, use of the Background Intelligent Transfer Service (BITS) for covert data exfiltration. Insikt Group notes that while the evidence is strong enough to suggest an operational connection, they can't yet confirm the two clusters are the same organization. Either way, the tooling is consistent with Iran's broader surveillance ecosystem.
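The BITS fingerprint noted above is something defenders can hunt for on their own fleet. As an added example (not code from the Recorded Future report, Insikt Group or MarkiRAT itself), the Python below triages BITS job records: it flags upload-type jobs, which ordinary endpoints almost never create, and download jobs whose remote host is not an expected update source. The job records and the allowlist are constructed for the example; the record fields loosely mirror what PowerShell's Get-BitsTransfer exposes, but the shape is an assumption and the allowlist must be derived from your own baseline.

```python
"""Triage BITS transfer jobs for signs of covert data exfiltration.

Added defensive example, not code from the report or from MarkiRAT. Job
records are constructed and loosely follow Get-BitsTransfer fields (JobId,
DisplayName, TransferType, OwnerAccount, FileList.RemoteName); the allowlist
is an assumption to be tuned per environment.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Hosts a managed Windows fleet is expected to fetch from over BITS.
# Constructed allowlist; real deployments derive it from their baseline.
EXPECTED_HOSTS = {
    "download.windowsupdate.com",
    "dl.delivery.mp.microsoft.com",
}


@dataclass
class BitsJob:
    job_id: str
    display_name: str
    transfer_type: str          # "Download", "Upload" or "UploadReply" (BITS job types)
    owner: str                  # account that created the job
    remote_urls: list[str] = field(default_factory=list)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def triage_job(job: BitsJob) -> list[tuple[str, str]]:
    """Return (severity, reason) findings for one job; an empty list means benign."""
    findings = []
    # Upload-type jobs push local files to a remote BITS server. Legitimate
    # endpoint software rarely creates them, so any upload job deserves review.
    if job.transfer_type in ("Upload", "UploadReply"):
        findings.append(("high", f"{job.transfer_type} job pushes local files off-host"))
    for url in job.remote_urls:
        parsed = urlparse(url)
        host = host_of(url)
        if host not in EXPECTED_HOSTS:
            findings.append(("medium", f"remote host {host!r} is not an expected BITS peer"))
        if parsed.scheme == "http":
            findings.append(("low", f"cleartext transfer to {host!r}"))
    return findings


def suspicious_jobs(jobs) -> dict[str, str]:
    """Map job_id -> highest severity for every job that produced a finding."""
    result = {}
    for job in jobs:
        findings = triage_job(job)
        if findings:
            result[job.job_id] = max((sev for sev, _ in findings),
                                     key=SEVERITY_RANK.__getitem__)
    return result


# Constructed sample jobs; none of these values are real indicators.
SAMPLE_JOBS = [
    BitsJob("job-1", "WU Client Download", "Download", "NT AUTHORITY\\SYSTEM",
            ["https://download.windowsupdate.com/c/msdownload/update/example.cab"]),
    BitsJob("job-2", "", "Upload", "WORKSTATION\\user",
            ["http://192.0.2.10/upload/docs.zip"]),   # TEST-NET-1 address, placeholder
    BitsJob("job-3", "helper", "Download", "WORKSTATION\\user",
            ["https://cdn.example.net/stage2.bin"]),
]

if __name__ == "__main__":
    for job in SAMPLE_JOBS:
        for severity, reason in triage_job(job):
            print(f"{job.job_id} [{severity}] {reason} (owner: {job.owner})")
```

On a live host the same logic can be fed from `Get-BitsTransfer -AllUsers` output or from Microsoft-Windows-Bits-Client event log records; the point is the triage rule, not the record source.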
What the Internet Restoration Unlocks
After April 2026, Iran's security apparatus scaled back its kinetic confrontations with the US and Israel, which freed up resources for digital enforcement. With internet access restored, TAG-182 can reach more targets: activists, human rights advocates, and alleged foreign collaborators. The majority of Iranian intelligence organizations are now prioritizing enhanced digital surveillance to head off internal unrest. This campaign is only going to expand.
Source: Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool
Domain: recordedfuture.com