Insikt Group identified new infrastructure used by the TAG-182 threat cluster to disseminate MarkiRAT surveillance malware targeting Farsi-speaking users, particularly Iranians, via fake VPN and media player applications distributed through social media. TAG-182 demonstrates tradecraft overlaps with Ferocious Kitten, including identical BITS job command strings and similar domain naming conventions. The operation supports Iranian government surveillance objectives, with infrastructure spanning multiple hosting providers and dozens of lookalike domains impersonating legitimate services.