Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool
Insikt Group identified new infrastructure used by the TAG-182 threat cluster to disseminate MarkiRAT surveillance malware targeting Farsi-speaking users, particularly Iranians, via fake VPN and media player applications distributed through social media. TAG-182 demonstrates tradecraft overlaps with Ferocious Kitten, including identical BITS job command strings and similar domain naming conventions. The operation supports Iranian government surveillance objectives, with infrastructure spanning multiple hosting providers and dozens of lookalike domains impersonating legitimate services.
- domainaccountes[.]google[.]comesignt[.]websiteLookalike domain impersonating Google accounts
- domainaccounts[.]google[.]comisignin[.]onlineLookalike domain impersonating Google accounts
- domainadmin[.]google[.]com-accounts[.]websiteLookalike domain impersonating Google admin
- domainadmin[.]instagram[.]com-accounts[.]websiteLookalike domain impersonating Instagram admin
- domaincom-accounts[.]websiteTAG-182 infrastructure domain
- domaincome-signin[.]questTAG-182 infrastructure domain
- domaincomesignt[.]websiteTAG-182 infrastructure domain hosted on 212.83.61.198
- domaincomestore[.]siteTAG-182 infrastructure domain hosted on 46.30.191.105
- domaincomisignin[.]onlineTAG-182 infrastructure domain hosted on 212.83.61.198
- domaincomi-site[.]websiteTAG-182 C2 domain; subdomain microsotf. used for beaconing
- domaincomx-view[.]storeTAG-182 infrastructure domain hosted on 46.30.191.105
- domainc[.]pis2ray[.]onlineSubdomain of fake VPN domain pis2ray.online
- domaindownload[.]yeplayer[.]storeSubdomain of fake media player domain used for downloads
- domaingoogle[.]com-accounts[.]websiteLookalike domain impersonating Google
- domaingoogle[.]comisignin[.]onlineLookalike domain impersonating Google sign-in
- domaingoogle[.]com-signin[.]siteLookalike domain impersonating Google sign-in
- domainhost[.]comview[.]websiteTAG-182 infrastructure domain
- domainmicrosoft[.]come-site[.]websiteLookalike domain impersonating Microsoft
- domainmicrosoft[.]comesite[.]websiteLookalike domain impersonating Microsoft
- domainmicrosoft[.]comi-site[.]websiteLookalike domain impersonating Microsoft
- domainmicrosoft[.]comview[.]websiteLookalike domain impersonating Microsoft
- domainmicrosoft[.]pis2ray[.]onlineLookalike domain impersonating Microsoft on fake VPN domain
- domainmicrosotf[.]comi-site[.]websiteC2 domain receiving multipart/form-data POST beaconing from MarkiRAT at /up/uploadx.php; note intentional misspelling of 'microsoft'
- domainmiga[.]comesignt[.]websiteTAG-232 infrastructure domain
- domainmigavpn[.]storeFake VPN domain
- domainmin[.]come-site[.]websiteTAG-182 infrastructure domain
- domainmin[.]comi-site[.]websiteTAG-182 infrastructure domain
- domainmin[.]comview[.]websiteTAG-182 infrastructure domain
- domainmin[.]pis2ray[.]onlineTAG-182 infrastructure subdomain
- domainns1[.]com-signin[.]siteNameserver for TAG-182 infrastructure
- domainns2[.]com-signin[.]siteNameserver for TAG-182 infrastructure
- domainorbitx[.]siteTAG-182 infrastructure domain
- domainpis2ray[.]onlinePrimary fake VPN domain used in social media lures on Instagram; subdomains include starvpn, svpn, vpn, microsoft, c, prx, min, www
- domainprx[.]pis2ray[.]onlineTAG-182 infrastructure subdomain
- domainsahar2ray[.]onlineFake VPN domain
- domainstarvpn[.]pis2ray[.]onlineFake StarVPN/Starlink VPN domain hosted on 46.30.191.105
- domainsvpn[.]pis2ray[.]onlineTAG-182 infrastructure subdomain
- domaintools[.]sahar2ray[.]onlineTAG-182 infrastructure subdomain
- domainvip[.]yeplayer[.]storeStaging domain serving initial access payload YEPlayer.rar via HTTPS; hosted on 212.83.61.198
- domainvpn[.]pis2ray[.]onlineTAG-182 infrastructure subdomain
- domainwebmail[.]com-accounts[.]websiteTAG-182 infrastructure domain
- domainwebmail[.]facebook[.]com-accounts[.]websiteLookalike domain impersonating Facebook webmail
- domainwebmail[.]google[.]com-accounts[.]websiteLookalike domain impersonating Google webmail
- domainwebmail[.]instagram[.]com-accounts[.]websiteLookalike domain impersonating Instagram webmail
- domainwww[.]facebook[.]com-accounts[.]websiteLookalike domain impersonating Facebook
- domainwww[.]google[.]com-accounts[.]websiteLookalike domain impersonating Google
- domainwww[.]instagram[.]com-accounts[.]websiteLookalike domain impersonating Instagram
- domainwww[.]pis2ray[.]onlineFake VPN domain
- domainwww[.]yemplayer[.]siteFake media player domain
- domainwww[.]yeplayer[.]storeFake media player domain
- domainyemplayer[.]siteFake media player domain hosted on 212.83.61.198
- domainyeplayer[.]storeFake media player domain hosted on 212.83.61.198; subdomain vip. used for payload staging
- filenamesvehost.exeMarkiRAT masqueraded executable impersonating svchost.exe; dropped to C:\Users\Public\AppData\Windows\svehost.exe
- ip212[.]83[.]61[.]198Primary C2 server hosting MarkiRAT samples and receiving beacon traffic; hosted on 23M GmbH (AS47447)
- ip45[.]86[.]162[.]197Additional TAG-182 infrastructure IP
- ip46[.]30[.]191[.]105Secondary TAG-182 C2 server on CrownCloud (AS199959); hosts starvpn.pis2ray.online and comestore.site
- ip46[.]30[.]191[.]123Additional TAG-182 infrastructure IP
- ip89[.]144[.]145[.]237Additional TAG-182 infrastructure IP
- ip89[.]144[.]145[.]239Additional TAG-182 infrastructure IP
- sha25613440348516ccee839675f6ac908dd1724ce1d28f92af92fdc7938740d2b7ec5MarkiRAT sample referenced in YARA rule metadata for TAG-182 tracking
- sha2563b172281f65ceaee280ae810edb6fd39a1ecd25649f929f246c0405df94f4c89MarkiRAT payload YEPlayer.dll; beacons to 212.83.61.198
- sha256400eb6a94810323a1fc5f8ab31c682fe765aaec2cc61b37c31d719c7e45c9a6cMarkiRAT archive Pis2rayVPN.zip; beacons to 212.83.61.198
- sha25651a6686b8c5ec7c610637398f3de43589f4e9fcbe8bcc0245343c5454d3b91deMarkiRAT installer YEMPlayer.msi; beacons to 212.83.61.198
- sha25666dcd98c6b310f4429890821e609d48cc6395a6be15ffe5a121ec68b7a8f7402MarkiRAT archive YEMPlayer.zip distributed via fake media player lure; beacons to 212.83.61.198
- sha2566c74d29903bc2cc17ec4afdb1a120d2060209b22830cee2b7005f5436e86f90eMarkiRAT sample associated with TAG-182
- sha2568a7f5c8533df9e51b2da7cc2aeb52d8787418e4915577cc9288be1e46d1945c6MarkiRAT DLL Pis2rayN.dll; beacons to 212.83.61.198
- sha256a4f1b79e96a7d016de1991a64506792018de99eac5df00f7cabe26ef41b2bd81MarkiRAT installer Pis2rayVPN.msi distributed via fake VPN lure; beacons to 212.83.61.198
- sha256bb0c7ae4f12e5141480ee26f473636b07e836bb994ff3b2cfec93d4480da171bMarkiRAT sample referenced in YARA rule metadata
- sha256cc59bf019af195dcec4394ffd7a8e23c080f4e02b12dcb7c04fb1da6671922a1MarkiRAT sample associated with TAG-182
- sha256ea755862ee81dd0d991b4afca42d8b82bb22a8f1d370bf3d28dbf2e44ab241ddMarkiRAT sample associated with TAG-182
- sha256fa246327bed8fc5864827a8147b8b7aedb6246068259b8c97e82adb957315347MarkiRAT sample referenced in YARA rule metadata
- urlhxxp://212[.]83[.]61[.]198/i[.]php?u=[computername]-[username]&i=[proxyip]Direct IP BITS job URL used by MarkiRAT for payload download
- urlhxxp://microsotf[.]comi-site[.]website/i[.]php?u=[computername]&i=proxyipBITS job URL used by MarkiRAT to download payload to %PUBLIC%\AppData\Libs\p.b; parameters include computer name and proxy IP
- urlhxxps://vip[.]yeplayer[.]store/files/YEPlayer[.]rarInitial access URL delivering MarkiRAT payload in a RAR archive; continues to serve payload even when page displays an error
Detection / Hunteropenrouter
What Happened
A hacker group called TAG-182, linked to the Iranian government, has been caught distributing spyware called MarkiRAT disguised as free VPN apps and media players. They target Iranian citizens both inside and outside Iran, using social media platforms like Instagram to trick people into downloading these fake apps. Once installed, the spyware secretly monitors the victim's computer, steals information, and sends it back to the attackers. This matters because it is part of a broader Iranian government effort to track and intimidate people who oppose the regime, especially after recent protests and internet restrictions. People who are Iranian or speak Farsi should be especially careful about downloading VPN or media player apps from unfamiliar websites, and organizations should check their networks for any of the identified malicious domains or files listed in this report.
Key Takeaways
- TAG-182 is an Iran-nexus threat cluster distributing MarkiRAT surveillance malware via fake VPN and media player applications targeting Farsi-speaking users, particularly Iranians inside and outside the country.
- The malware shares significant tradecraft overlaps with Ferocious Kitten, including identical BITS job command strings, suggesting an operational relationship between the two clusters.
- TAG-182 uses a large infrastructure of lookalike domains impersonating Microsoft, Google, Facebook, and Instagram, hosted across 23M GmbH (AS47447) and CrownCloud (AS199959) with Let's Encrypt certificates.
- Initial access is achieved through staged downloads from fake application websites (e.g., vip.yeplayer.store), delivering RAR archives containing malicious executables that beacon to C2 via HTTP POST requests.
- The malware masquerades as svehost.exe (impersonating svchost.exe) in the AppData\Windows path and uses BITS jobs for payload download and C2 communication.
Affected Systems
- Windows 10
- Windows 11
- Android (fake APK lures)
Attack Chain
TAG-182 lures Farsi-speaking targets via social media (Instagram) with fake VPN applications (Pis2ray VPN, StarVPN) and media players (YESHICA YEPlayer). Victims are directed to attacker-controlled domains (e.g., vip.yeplayer.store, pis2ray.online) where they download staged RAR/MSI/ZIP archives containing malicious executables. Upon execution of the payload (e.g., YEPlayer.exe), MarkiRAT initiates a POST request to its C2 server (microsotf.comi-site.website) via /up/uploadx.php for beaconing. The malware uses BITS jobs to download additional payloads to %PUBLIC%\AppData\Libs\p.b and drops a masqueraded executable (svehost.exe) to C:\Users\Public\AppData\Windows. It then manipulates file attributes and terminates existing instances of svehost.exe to facilitate updates or replacement, enabling ongoing surveillance and data collection from the victim's machine.
Detection Availability
- YARA Rules: Yes
- Sigma Rules: Yes
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: YARA (Appendix C), Sigma (Appendix D)
A YARA rule (APT_IR_TAG182_MarkiRAT_2) targeting MarkiRAT strings and a Sigma rule detecting bitsadmin download activity with MarkiRAT-specific URL patterns are provided in Appendices C and D respectively. Do not reproduce rule content in reports.
Detection Engineering Assessment
EDR Visibility: Medium — EDR should capture process creation events for bitsadmin.exe, taskkill.exe, and attrib.exe, as well as file writes to AppData paths. However, the use of legitimate Windows utilities (BITS, attrib, taskkill) may blend with normal administrative activity, requiring behavioral correlation rather than simple process-name matching. Network Visibility: High — MarkiRAT uses HTTP POST requests to specific C2 endpoints (/up/uploadx.php, /i.php) and BITS jobs that generate identifiable network traffic. The C2 domains use distinctive naming patterns (come-, comi-, comx- prefixes) that can be flagged in DNS and proxy logs. Detection Difficulty: Moderate — The malware uses legitimate Windows utilities (bitsadmin, attrib, taskkill) which are common in enterprise environments, creating potential for false positives. However, the specific command patterns (BITS job named 'pdj', /uploadx.php and /i.php URL paths, svehost.exe masquerade) provide strong discriminators. The large number of C2 domains also enables broad DNS-based detection.
Required Log Sources
- Windows Security Event ID 4688 (Process Creation)
- Windows Sysmon Event ID 1 (Process Creation) with command line logging
- Windows Sysmon Event ID 3 (Network Connection)
- Windows Sysmon Event ID 11 (File Creation)
- DNS query logs
- Web proxy logs
- TLS connection logs with SNI values
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for bitsadmin.exe processes creating jobs with the name 'pdj' or downloading files from URLs containing '/i.php?u=' or '/uploadx.php?u=' patterns, as these are characteristic of MarkiRAT C2 communication. | Sysmon Event ID 1 (process creation with command line), EDR process telemetry | Execution/C2 | Low — the specific job name 'pdj' and URL patterns are unlikely to appear in legitimate BITS usage |
| Consider hunting for processes named 'svehost.exe' (a misspelling of svchost.exe) executing from C:\Users\Public\AppData\Windows, as this is a masquerading technique used by MarkiRAT. | Sysmon Event ID 1, EDR process telemetry, Windows Security Event ID 4688 | Defense Evasion/Persistence | Very Low — svehost.exe is not a legitimate Windows process and its execution from AppData is highly suspicious |
| Consider hunting for DNS queries or TLS connections to domains using 'come-', 'comi-', 'comx-' prefixes combined with legitimate brand names (microsoft, google, facebook, instagram), as TAG-182 uses these naming conventions for C2 infrastructure. | DNS logs, proxy logs, TLS connection logs with SNI | C2/Infrastructure | Low to Medium — these patterns are distinctive but could theoretically appear in legitimate CDN or redirect scenarios |
| Consider hunting for HTTP POST requests to /up/uploadx.php with multipart/form-data content type, as this is the specific beaconing endpoint used by MarkiRAT. | Web proxy logs, network IDS, full packet capture | C2 | Low — the specific endpoint path and multipart upload pattern is distinctive to MarkiRAT |
| Consider hunting for file creation events in C:\Users\Public\AppData\Libs\p.b, as this is the BITS download destination for MarkiRAT payloads. | Sysmon Event ID 11 (File Creation), EDR file write telemetry | Execution/Persistence | Very Low — this specific path and filename is not associated with legitimate software |
Control Gaps
- Signature-based AV may miss MarkiRAT as it uses legitimate Windows utilities (bitsadmin, attrib, taskkill) for execution
- DNS filtering may not catch newly registered lookalike domains using Let's Encrypt certificates
- Network-based detection without full TLS inspection will not see POST request content to /up/uploadx.php
- Application allowlisting may not cover BITS service abuse for payload download
Key Behavioral Indicators
- Process named svehost.exe (misspelling of svchost.exe) executing from C:\Users\Public\AppData\Windows\
- bitsadmin.exe creating jobs named 'pdj' with /addfile commands targeting URLs containing '/i.php?u=' or '/uploadx.php?u='
- File write to %PUBLIC%\AppData\Libs\p.b via BITS job
- attrib.exe removing hidden attribute (-h) from files in C:\Users\Public\AppData\Windows\
- taskkill.exe targeting svehost.exe specifically
- HTTP POST requests to /up/uploadx.php with multipart/form-data boundary headers
- DNS queries to domains with 'come-', 'comi-', 'comx-' prefixes combined with brand names
False Positive Assessment
- Low — The malware uses distinctive indicators including the misspelled 'svehost.exe' masquerade, BITS job named 'pdj', specific C2 URL paths (/i.php, /uploadx.php), and file path %PUBLIC%\AppData\Libs\p.b that are unlikely to appear in legitimate activity. The lookalike domain naming patterns (come-, comi-, comx- prefixes with brand names) also provide strong discriminators for DNS-based detection.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the identified C2 IP addresses (212.83.61.198, 46.30.191.105, 46.30.191.123, 45.86.162.197, 89.144.145.237, 89.144.145.239) and associated domains at your firewall, proxy, and DNS resolver levels.
- Consider searching endpoint telemetry for the identified SHA256 hashes and file names (YEPlayer.dll, YEMPlayer.zip, YEMPlayer.msi, Pis2rayVPN.msi, Pis2rayVPN.zip, Pis2rayN.dll, svehost.exe) across your environment.
- If your EDR supports it, consider hunting for bitsadmin.exe processes with command lines containing '/addfile' and '/i.php?u=' or '/uploadx.php?u=' patterns.
- Consider deploying the provided YARA and Sigma rules (from Appendices C and D) to your detection platforms after testing in your environment.
Infrastructure Hardening
- Evaluate whether blocking or monitoring BITS service usage for non-administrative users is feasible in your environment, as MarkiRAT abuses BITS for payload download and C2.
- Consider implementing DNS filtering for newly registered domains that combine brand names (microsoft, google, facebook, instagram) with unusual TLDs or subdomain patterns.
- If applicable, consider restricting outbound HTTP/HTTPS traffic to known-good destinations for high-risk user populations, particularly those who may be targeted by state-sponsored surveillance.
- Evaluate whether your web proxy can inspect and alert on multipart/form-data POST requests to unusual endpoints like /up/uploadx.php.
User Protection
- Consider alerting users — particularly those of Iranian descent or who speak Farsi — about the risk of downloading VPN or media player applications from unverified sources.
- If applicable, consider providing approved VPN solutions to users who need them, reducing the temptation to download unverified VPN apps.
- Consider deploying the provided YARA rule to endpoint scanning tools if supported by your endpoint protection platform.
- Evaluate whether your application allowlisting controls would prevent execution of executables from C:\Users\Public\AppData\ paths.
Security Awareness
- Consider incorporating warnings about fake VPN applications distributed via social media into existing security awareness programs, especially for users who may be targeted by state-sponsored surveillance.
- If relevant to your workforce, consider adding guidance on verifying application legitimacy through official app stores rather than direct downloads from websites.
- Consider briefing security teams on the TAG-182 and Ferocious Kitten threat clusters and their targeting patterns toward Iranian diaspora communities.
- Where appropriate, consider reminding users that legitimate software vendors do not typically distribute applications via password-protected RAR archives from unfamiliar domains.
MITRE ATT&CK Mapping
- T1583.001 - Acquire Infrastructure: Domains
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1204.002 - User Execution: Malicious File
- T1197 - BITS Jobs
- T1036.005 - Masquerading: Match Legitimate Name or Location
- T1105 - Ingress Tool Transfer
- T1071.001 - Application Layer Protocol: Web Protocols
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Additional IOCs
- Ips:
46[.]30[.]191[.]105- Secondary TAG-182 C2 server on CrownCloud (AS199959); hosts starvpn.pis2ray.online and comestore.site46[.]30[.]191[.]123- Additional TAG-182 infrastructure IP45[.]86[.]162[.]197- Additional TAG-182 infrastructure IP89[.]144[.]145[.]237- Additional TAG-182 infrastructure IP89[.]144[.]145[.]239- Additional TAG-182 infrastructure IP
- Domains:
yeplayer[.]store- Fake media player domain hosted on 212.83.61.198; subdomain vip. used for payload stagingyemplayer[.]site- Fake media player domain hosted on 212.83.61.198comi-site[.]website- TAG-182 C2 domain; subdomain microsotf. used for beaconingcomesignt[.]website- TAG-182 infrastructure domain hosted on 212.83.61.198comisignin[.]online- TAG-182 infrastructure domain hosted on 212.83.61.198comestore[.]site- TAG-182 infrastructure domain hosted on 46.30.191.105comx-view[.]store- TAG-182 infrastructure domain hosted on 46.30.191.105accountes[.]google[.]comesignt[.]website- Lookalike domain impersonating Google accountsaccounts[.]google[.]comisignin[.]online- Lookalike domain impersonating Google accountsadmin[.]google[.]com-accounts[.]website- Lookalike domain impersonating Google adminadmin[.]instagram[.]com-accounts[.]website- Lookalike domain impersonating Instagram adminc[.]pis2ray[.]online- Subdomain of fake VPN domain pis2ray.onlinecom-accounts[.]website- TAG-182 infrastructure domaincome-signin[.]quest- TAG-182 infrastructure domaindownload[.]yeplayer[.]store- Subdomain of fake media player domain used for downloadsgoogle[.]com-accounts[.]website- Lookalike domain impersonating Googlegoogle[.]com-signin[.]site- Lookalike domain impersonating Google sign-ingoogle[.]comisignin[.]online- Lookalike domain impersonating Google sign-inhost[.]comview[.]website- TAG-182 infrastructure domainmicrosoft[.]pis2ray[.]online- Lookalike domain impersonating Microsoft on fake VPN domainmicrosoft[.]comesite[.]website- Lookalike domain impersonating Microsoftmicrosoft[.]come-site[.]website- Lookalike domain impersonating Microsoftmicrosoft[.]comi-site[.]website- Lookalike domain impersonating Microsoftmicrosoft[.]comview[.]website- Lookalike domain impersonating Microsoftmiga[.]comesignt[.]website- TAG-232 infrastructure domainmigavpn[.]store- Fake VPN domainmin[.]come-site[.]website- TAG-182 infrastructure domainmin[.]comi-site[.]website- TAG-182 infrastructure domainmin[.]comview[.]website- TAG-182 infrastructure domainmin[.]pis2ray[.]online- TAG-182 infrastructure subdomainns1[.]com-signin[.]site- Nameserver for TAG-182 infrastructurens2[.]com-signin[.]site- Nameserver for TAG-182 infrastructureorbitx[.]site- TAG-182 infrastructure domainprx[.]pis2ray[.]online- TAG-182 infrastructure subdomainsahar2ray[.]online- Fake VPN domainstarvpn[.]pis2ray[.]online- Fake StarVPN/Starlink VPN domain hosted on 46.30.191.105svpn[.]pis2ray[.]online- TAG-182 infrastructure subdomaintools[.]sahar2ray[.]online- TAG-182 infrastructure subdomainvpn[.]pis2ray[.]online- TAG-182 infrastructure subdomainwebmail[.]com-accounts[.]website- TAG-182 infrastructure domainwebmail[.]facebook[.]com-accounts[.]website- Lookalike domain impersonating Facebook webmailwebmail[.]google[.]com-accounts[.]website- Lookalike domain impersonating Google webmailwebmail[.]instagram[.]com-accounts[.]website- Lookalike domain impersonating Instagram webmailwww[.]facebook[.]com-accounts[.]website- Lookalike domain impersonating Facebookwww[.]google[.]com-accounts[.]website- Lookalike domain impersonating Googlewww[.]instagram[.]com-accounts[.]website- Lookalike domain impersonating Instagramwww[.]pis2ray[.]online- Fake VPN domainwww[.]yeplayer[.]store- Fake media player domainwww[.]yemplayer[.]site- Fake media player domain
- Urls:
hxxp://microsotf[.]comi-site[.]website/i.php?u=[computername]&i=proxy ip- BITS job URL used by MarkiRAT to download payload to %PUBLIC%\AppData\Libs\p.b; parameters include computer name and proxy IPhxxp://212[.]83[.]61[.]198/i.php?u=[computername]-[username]&i=[proxy ip]- Direct IP BITS job URL used by MarkiRAT for payload download
- File Hashes:
51a6686b8c5ec7c610637398f3de43589f4e9fcbe8bcc0245343c5454d3b91de(SHA256) - MarkiRAT installer YEMPlayer.msi; beacons to 212.83.61.198400eb6a94810323a1fc5f8ab31c682fe765aaec2cc61b37c31d719c7e45c9a6c(SHA256) - MarkiRAT archive Pis2rayVPN.zip; beacons to 212.83.61.1988a7f5c8533df9e51b2da7cc2aeb52d8787418e4915577cc9288be1e46d1945c6(SHA256) - MarkiRAT DLL Pis2rayN.dll; beacons to 212.83.61.1986c74d29903bc2cc17ec4afdb1a120d2060209b22830cee2b7005f5436e86f90e(SHA256) - MarkiRAT sample associated with TAG-182bb0c7ae4f12e5141480ee26f473636b07e836bb994ff3b2cfec93d4480da171b(SHA256) - MarkiRAT sample referenced in YARA rule metadatacc59bf019af195dcec4394ffd7a8e23c080f4e02b12dcb7c04fb1da6671922a1(SHA256) - MarkiRAT sample associated with TAG-182ea755862ee81dd0d991b4afca42d8b82bb22a8f1d370bf3d28dbf2e44ab241dd(SHA256) - MarkiRAT sample associated with TAG-182fa246327bed8fc5864827a8147b8b7aedb6246068259b8c97e82adb957315347(SHA256) - MarkiRAT sample referenced in YARA rule metadata
- File Paths:
C:\Users\Public\AppData\Windows\svehost.exe- Path where MarkiRAT drops its masqueraded executable (svehost.exe impersonating svchost.exe)%PUBLIC%\AppData\Libs\p.b- Path where BITS job downloads MarkiRAT payload file
- Command Lines:
- Purpose: Create and manage a BITS job named 'pdj' to download MarkiRAT payload from C2 server | Tools:
bitsadmin.exe| Stage: Execution/C2 |bitsadmin /create pdj - Purpose: Add file to BITS job for download from C2 with computer name and proxy IP as parameters | Tools:
bitsadmin.exe| Stage: C2 |bitsadmin /addfile pdj - Purpose: Set BITS job priority to HIGH for faster payload download | Tools:
bitsadmin.exe| Stage: Execution |bitsadmin /SetPriority pdj HIGH - Purpose: Cancel existing BITS job named 'pdj' before creating a new one | Tools:
bitsadmin.exe| Stage: Execution |bitsadmin /cancel pdj - Purpose: Resume a paused BITS job named 'pdj' | Tools:
bitsadmin.exe| Stage: Execution |bitsadmin /resume pdj - Purpose: Forcibly terminate running svehost.exe process and any child processes to replace or update the dropped executable | Tools:
taskkill.exe| Stage: Execution |taskkill /im svehost.exe /t /f - Purpose: Remove hidden file attribute from dropped svehost.exe to make it visible for manipulation | Tools:
attrib.exe| Stage: Defense Evasion |attrib -h
- Purpose: Create and manage a BITS job named 'pdj' to download MarkiRAT payload from C2 server | Tools: