Fixxx
Moder
- Joined
- 20.08.24
- Messages
- 1,152
- Reaction score
- 4,598
- Points
- 113

A fake VPN in this scheme doesn’t work as a way to bypass censorship; it’s a trap for people trying to hide from surveillance. Analysts at Insikt Group, the research arm of Recorded Future, identified new infrastructure used by the TAG-182 group to distribute the spyware tool MarkiRAT to Iranians inside the country and abroad. The lures looked as familiar as possible to an audience pressured by censorship - free VPNs, media players and apps for accessing blocked services. According to Recorded Future, TAG-182 operates in the interests of Iran’s cyber-surveillance system and targets primarily opposition circles, activists and people authorities may consider foreign collaborators. The campaign continued after the partial restoration of global internet access in Iran on May 26, 2026, when security forces again stepped up digital control over society.
The infection scheme was built around websites and apps with names such as YESHICA YEPlayer, YEMPlayer, Pis2ray VPN and StarVPN. Some samples were disguised as media players, others as VPN services. In one case, the site starvpn.pis2ray.online posed as a service connected to Starlink and urged users to download a fake application. Some domains included words like google, microsoft, instagram and facebook, and one address used the misspelling microsotf to look similar to Microsoft at a glance. After clicking the link, the victim received an archive or installer. The report mentions files such as YEPlayer.dll, YEMPlayer.msi, Pis2rayVPN.msi and Pis2rayN.dll, which connected to a command-and-control server at 212.83.61.198. In one of the scenarios, the initial request went to vip.yeplayer.store and downloaded the YEPlayer.rar archive, and malicious activity continued even when there was an external error on the page. After launching YEPlayer.exe, the program sent data to the domain microsotf.comi-site.website via a POST request to the server script uploadx.php.
MarkiRAT is notable not only for its fresh infrastructure, but also for links to earlier Iranian operations. Recorded Future found overlaps with variants previously attributed to the Ferocious Kitten group. Among the shared indicators are commands for the Background Intelligent Transfer Service, Windows’ built-in mechanism for background file transfers. This approach lets malware download and transmit data using the operating system itself, making detection harder. Kaspersky back in 2021 described MarkiRAT as a tool capable of recording keystrokes, reading the clipboard, uploading and downloading files and executing commands on an infected computer. The researchers don't claim that TAG-182 and Ferocious Kitten are the same organization. Similarities in infrastructure, code, and attack techniques point more to a likely operational connection or a shared toolkit. Recorded Future also separately emphasizes that the available data is not yet sufficient to draw a confident conclusion about unified leadership. At the same time, TAG-182 almost certainly belongs to a broader circle of pro-Iranian groups that help authorities track civilians, activists and anti-government networks.
The main danger of this campaign lies in the choice of lure. People looking for a VPN after blocks often act quickly, trust links from social media and install apps not from official stores. TAG-182 used exactly that moment. Posing as a privacy-protection tool, it offered victims software that opened a surveillance channel for the attackers.
Recorded Future expects such operations to continue. After the partial restoration of internet access, Iranian security services gained more opportunities to monitor digital activity - especially around protests, foreign contacts and efforts to bypass censorship. In practice, the investigation again highlights an old problem wrapped in a new political package. The most dangerous app for a person under surveillance may be the VPN they trusted for their own safety.