
TAG-182 Revives MarkiRAT to Surveil Iranians After Internet Restored

recordedfuture.com · @threat_watch · 3 hours ago · Cybersecurity · 2 comments

With internet restored in Iran on May 26, 2026, TAG-182 is ramping up MarkiRAT spyware distribution via fake VPNs and media players targeting dissidents.

recorded future, insikt group, tag 182, markirat, ferocious kitten, iran

On May 26, 2026, Iran partially restored global internet access—and within weeks, TAG-182 was back in business with updated MarkiRAT infrastructure. Recorded Future's Insikt Group identified new C2 servers and fake Android apps pushing MarkiRAT spyware, signaling a deliberate ramp-up in domestic surveillance.

Fake VPNs and Media Players That Phone Home

TAG-182's latest lure is a website staging "YESHICA YEPlayer," a media player app that's almost identical to one exposed earlier in 2026. Another sample masquerades as "Pis2ray VPN." Neither app exists on Google Play or Apple's App Store. Both are custom-built Android trojans that collect intelligence from Iranian targets inside and outside the country. The group distributes these through social media, particularly Instagram.

Ferocious Kitten Tradecraft, Same Pipeline

The MarkiRAT sample shares operational fingerprints with earlier variants attributed to Ferocious Kitten—most notably, use of the Background Intelligent Transfer Service (BITS) for covert data exfiltration. Insikt Group notes that while the evidence is strong enough to suggest an operational connection, they can't yet confirm the two clusters are the same organization. Either way, the tooling is consistent with Iran's broader surveillance ecosystem.

What the Internet Restoration Unlocks

Iran's security apparatus let up on kinetic confrontations with the US and Israel after April 2026. That freed up resources for digital enforcement. With internet restored, TAG-182 can reach more targets—activists, human rights advocates, and alleged foreign collaborators. The majority of Iranian intelligence organizations are now prioritizing enhanced digital surveillance to head off internal unrest. This campaign is only going to expand.


Source: Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool
Domain: recordedfuture.com
