Iran-Nexus Disseminates MarkiRAT Surveillance Tool
Essential information
- Published
- 01/07/2026 18:58
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- bouldspy dchspy fake vpn farsi-speaking targets ferocious kitten furball iran irgc markirat surveillance tag-182
- Related entities
- 72 indicators, 59 observables, 1 intrusion sets (apt), 15 techniques (mitre), 4 malware
Description
TAG-182, an Iran-nexus threat cluster, is conducting surveillance operations targeting Iranian citizens both domestically and abroad using MarkiRAT malware. The group distributes fake Android applications masquerading as VPN services and media players through social media platforms, particularly Instagram. Following Iran's partial internet restoration in May 2026 after an 88-day shutdown, these surveillance activities have intensified as Iranian security apparatus seeks to monitor perceived dissidents and anti-government activists. MarkiRAT samples demonstrate tradecraft overlaps with previously documented Ferocious Kitten operations, including use of Background Intelligent Transfer Service (BITS). The group operates infrastructure across multiple autonomous systems, utilizing domains with naming conventions mimicking legitimate services like Microsoft, Google, and Facebook.