EXECUTIVE SUMMARY:
A new Iran-nexus campaign attributed to TAG-182 has been observed distributing MarkiRAT malware through fake VPN and media-player applications. The campaign appears focused on Farsi-speaking users, including individuals inside Iran and communities connected to anti-government activity abroad. The operation relies on deceptive download pages and social media lures to trick targets into installing malicious tools disguised as legitimate services.
The attack chain uses staged archives and installer files linked to fake applications such as YEPlayer and Pis2ray VPN. Once executed, the malware communicates with attacker-controlled infrastructure and sends beaconing traffic through malicious domains. The MarkiRAT samples show tradecraft overlaps with earlier variants including the use of BITS Jobs for file transfer and execution support. The infrastructure also uses typo-themed domains, VPN-related naming, social media impersonation, and certificates to support continued malware delivery and surveillance access.
This campaign presents a notable surveillance risk to users who may install unverified VPN or media tools from social media posts, third-party websites, or unofficial download pages. Organizations and individuals should avoid unknown installers, monitor for suspicious BITS activity, inspect unusual application behavior under public user directories, and block known malicious infrastructure where applicable. Continued use of fake privacy and media applications indicates the threat actor is likely to keep adapting its lures to maintain access and collect intelligence from targeted communities.
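The BITS and public-directory indicators above can be turned into a simple triage rule. The following is an added example, not code from the report or from Recorded Future: it scores constructed records that mimic Bits-Client/Operational job events (field names simplified), flagging downloads from origins outside an assumed allowlist, files dropped under C:\Users\Public, and user-initiated jobs that write executables.

```python
import re
from urllib.parse import urlparse

# Assumption: the organisation's allowlist of legitimate BITS download origins.
ALLOWED_DOMAINS = {"microsoft.com", "windowsupdate.com"}
# Destinations under the shared Public profile, which the report calls out.
PUBLIC_DIR = re.compile(r"^[a-z]:\\users\\public\\", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(exe|dll|scr|msi|bat|ps1)$", re.IGNORECASE)

# Constructed samples mimicking Bits-Client events (59 = job started, 60 = stopped).
SAMPLE_EVENTS = [
    {"EventID": 59, "Name": "WU Client Download", "User": "SYSTEM",
     "Url": "http://download.windowsupdate.com/d/msdownload/update.cab",
     "LocalPath": r"C:\Windows\SoftwareDistribution\Download\update.cab"},
    {"EventID": 59, "Name": "YEPlayer update", "User": "DESKTOP-1\\user",
     "Url": "https://cdn.fakeplayer.example/yeplayer/stage2.exe",
     "LocalPath": r"C:\Users\Public\Libraries\yeplayer.exe"},
    {"EventID": 60, "Name": "YEPlayer update", "User": "DESKTOP-1\\user",
     "Url": "https://cdn.fakeplayer.example/yeplayer/stage2.exe",
     "LocalPath": r"C:\Users\Public\Libraries\yeplayer.exe"},
]

def host_allowed(url: str) -> bool:
    """True if the URL host is one of the allowlisted domains or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def triage_event(ev: dict) -> list:
    """Return the reasons a single event looks suspicious (empty = benign)."""
    reasons = []
    if not host_allowed(ev["Url"]):
        reasons.append("download origin not on allowlist")
    if PUBLIC_DIR.match(ev["LocalPath"]):
        reasons.append("destination under C:\\Users\\Public")
    if EXECUTABLE.search(ev["LocalPath"]) and ev["User"] != "SYSTEM":
        reasons.append("user-initiated job writes an executable")
    return reasons

def triage(events: list) -> dict:
    """Map job name -> sorted reasons, merging the start/stop pair of one job."""
    findings = {}
    for ev in events:
        reasons = triage_event(ev)
        if reasons:
            findings.setdefault(ev["Name"], set()).update(reasons)
    return {name: sorted(r) for name, r in findings.items()}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(f"[suspicious] {name}: {', '.join(reasons)}")
```

In production the same logic applies to records pulled from the Microsoft-Windows-Bits-Client/Operational channel, with the allowlist tuned to the environment's update sources.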
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1197 | BITS Jobs | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Behavioral Analysis | B0002 | Debugger Evasion |
| Anti-Behavioral Analysis | B0003 | Dynamic Analysis Evasion |
| Anti-Behavioral Analysis | B0004 | Emulator Detection |
| Anti-Behavioral Analysis | B0005 | Emulator Evasion |
| Anti-Behavioral Analysis | B0006 | Memory Dump Evasion |
| Anti-Behavioral Analysis | B0007 | Sandbox Detection |
| Anti-Behavioral Analysis | B0008 | Executable Code Virtualization |
| Anti-Behavioral Analysis | B0009 | Virtual Machine Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Collection | E1113 | Screen Capture |
| Collection | F0002 | Keylogging |
| Collection | E1056 | Input Capture |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | E1564 | Hide Artifacts |
| Defense Evasion | F0005 | Hidden Files and Directories |
| Defense Evasion | B0025 | Conditional Execution |
| Defense Evasion | E1055 | Process Injection |
| Discovery | E1082 | System Information Discovery |
| Discovery | B0013 | Analysis Tool Discovery |
| Execution | E1059 | Command and Scripting Interpreter |
| Execution | E1204 | User Execution |
| Execution | B0011 | Remote Commands |
| Impact | E1486 | Data Encrypted for Impact |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Privilege Escalation | F0015 | Hijack Execution Flow |
REFERENCES:
The following reports contain further technical details:
https://www.recordedfuture.com/research/nexus-tag182-disseminates-markirat