Threat Advisory

TAG-182 APT Adopts Duplicate VPN Download Portals to Deploy MarkiRAT Malware

Threat: Malware Campaign
Threat Actor Name: TAG-182
Targeted Region: Iran
Threat Actor Region: Iran
Targeted Sector: Technology & IT, Government & Defense
Criticality: High


EXECUTIVE SUMMARY:

A new Iran-nexus campaign attributed to TAG-182 has been observed distributing MarkiRAT malware through fake VPN and media-player applications. The campaign appears focused on Farsi-speaking users, including individuals inside Iran and communities connected to anti-government activity abroad. The operation relies on deceptive download pages and social media lures to trick targets into installing malicious tools disguised as legitimate services.

The attack chain uses staged archives and installer files linked to fake applications such as YEPlayer and Pis2ray VPN. Once executed, the malware communicates with attacker-controlled infrastructure and sends beaconing traffic to malicious domains. The MarkiRAT samples show tradecraft overlaps with earlier variants, including the use of BITS jobs to transfer files and support execution. The infrastructure also relies on typosquat-style domains, VPN-related naming, social media impersonation, and certificates to support continued malware delivery and surveillance access.

This campaign presents a notable surveillance risk to users who install unverified VPN or media tools from social media posts, third-party websites, or unofficial download pages. Organizations and individuals should avoid unknown installers, monitor for suspicious BITS activity, inspect for unusual application behavior under public user directories, and block known malicious infrastructure where applicable. The continued use of fake privacy and media applications indicates the threat actor is likely to keep adapting its lures to maintain access and collect intelligence from targeted communities.
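To make the BITS-monitoring recommendation concrete, the following Python triage routine is an added example (not code from the advisory or from Recorded Future). It scores BITS job events against an allowlist of expected remote hosts and job-creating processes and flags downloads that land under public, world-writable directories. The event records, allowlists, hostnames and paths are constructed for illustration; the field names (event_id, job_name, owner, process_path, url, local_path) are an assumption about what a SIEM would export from Microsoft-Windows-Bits-Client/Operational events 3 (job created) and 59 (transfer started).

```python
"""Triage of BITS job events for the T1197 abuse pattern described above.

Added example, not code from the advisory. The records below are constructed
and the field names are an assumption about what a SIEM would export from
Microsoft-Windows-Bits-Client/Operational events 3 (job created) and 59
(transfer started); adapt the loader to your own log format.
"""
from urllib.parse import urlparse

# Remote hosts BITS is expected to contact in this environment (assumed list).
ALLOWED_HOSTS = {
    "download.windowsupdate.com",
    "update.microsoft.com",
}

# Binaries that legitimately create BITS jobs (assumed list, lower-case).
ALLOWED_CREATORS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wuauclt.exe",
}

# World-writable staging directories the advisory tells you to watch.
SUSPICIOUS_LOCAL_PREFIXES = (
    r"c:\users\public",
    r"c:\programdata",
)

# Constructed sample events: one benign Windows Update job, and one job that
# mimics a fake installer staging a payload under C:\Users\Public.
SAMPLE_EVENTS = [
    {"event_id": 3, "job_name": "WU-Client-Download", "owner": r"NT AUTHORITY\SYSTEM",
     "process_path": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 59, "job_name": "WU-Client-Download",
     "url": "http://download.windowsupdate.com/d/msdownload/update/kb-example.cab",
     "local_path": r"C:\Windows\SoftwareDistribution\Download\kb-example.cab"},
    {"event_id": 3, "job_name": "player_update", "owner": r"DESKTOP-EXAMPLE\user",
     "process_path": r"C:\Users\Public\Media\updater.exe"},
    {"event_id": 59, "job_name": "player_update",
     "url": "http://vpn-download.example/stage2.bin",
     "local_path": r"C:\Users\Public\Libraries\stage2.bin"},
]


def suspicious_reasons(event):
    """Return the reasons an event looks like BITS abuse (empty list if none)."""
    reasons = []

    # Transfer events: is the remote host one we expect BITS to talk to?
    url = event.get("url")
    if url:
        host = (urlparse(url).hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            reasons.append(f"remote host not allowlisted: {host}")

    # Transfer events: does the payload land in a world-writable directory?
    local_path = (event.get("local_path") or "").lower()
    if local_path.startswith(SUSPICIOUS_LOCAL_PREFIXES):
        reasons.append(f"payload staged under public directory: {event['local_path']}")

    # Job-creation events: was the job created by an unexpected binary?
    creator = (event.get("process_path") or "").lower()
    if creator and creator not in ALLOWED_CREATORS:
        reasons.append(f"job created by unexpected process: {event['process_path']}")

    return reasons


def triage(events):
    """Group findings by job name so one alert covers the whole job lifecycle."""
    findings = {}
    for event in events:
        reasons = suspicious_reasons(event)
        if reasons:
            findings.setdefault(event["job_name"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for job, reasons in triage(SAMPLE_EVENTS).items():
        print(f"[ALERT] BITS job {job!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Grouping by job name matters because the creating process appears only on the job-created event while the URL and destination appear only on the transfer event; correlating the two turns three weak signals into one high-confidence alert. On the constructed input only the `player_update` job is flagged, for all three reasons.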

 

THREAT PROFILE:

| Tactic               | Technique ID | Technique              | Sub-technique            |
|----------------------|--------------|------------------------|--------------------------|
| Resource Development | T1583.001    | Acquire Infrastructure | Domains                  |
| Initial Access       | T1566.001    | Phishing               | Spearphishing Attachment |
| Initial Access       | T1566.002    | Phishing               | Spearphishing Link       |
| Execution            | T1204.002    | User Execution         | Malicious File           |
| Execution            | T1197        | BITS Jobs              | -                        |


MBC MAPPING:

| Objective                | Behaviour ID | Behaviour                           |
|--------------------------|--------------|-------------------------------------|
| Anti-Behavioral Analysis | B0001        | Debugger Detection                  |
| Anti-Behavioral Analysis | B0002        | Debugger Evasion                    |
| Anti-Behavioral Analysis | B0003        | Dynamic Analysis Evasion            |
| Anti-Behavioral Analysis | B0004        | Emulator Detection                  |
| Anti-Behavioral Analysis | B0005        | Emulator Evasion                    |
| Anti-Behavioral Analysis | B0006        | Memory Dump Evasion                 |
| Anti-Behavioral Analysis | B0007        | Sandbox Detection                   |
| Anti-Behavioral Analysis | B0008        | Executable Code Virtualization      |
| Anti-Behavioral Analysis | B0009        | Virtual Machine Detection           |
| Anti-Static Analysis     | B0032        | Executable Code Obfuscation         |
| Anti-Static Analysis     | E1027        | Obfuscated Files or Information     |
| Collection               | E1113        | Screen Capture                      |
| Collection               | F0002        | Keylogging                          |
| Collection               | E1056        | Input Capture                       |
| Command and Control      | B0030        | C2 Communication                    |
| Defense Evasion          | E1564        | Hide Artifacts                      |
| Defense Evasion          | F0005        | Hidden Files and Directories        |
| Defense Evasion          | B0025        | Conditional Execution               |
| Defense Evasion          | E1055        | Process Injection                   |
| Discovery                | E1082        | System Information Discovery        |
| Discovery                | B0013        | Analysis Tool Discovery             |
| Execution                | E1059        | Command and Scripting Interpreter   |
| Execution                | E1204        | User Execution                      |
| Execution                | B0011        | Remote Commands                     |
| Impact                   | E1486        | Data Encrypted for Impact           |
| Persistence              | F0012        | Registry Run Keys / Startup Folder  |
| Privilege Escalation     | F0015        | Hijack Execution Flow               |


REFERENCES:

The following reports contain further technical details:

https://www.recordedfuture.com/research/nexus-tag182-disseminates-markirat
