TAG-140 Deploys DRAT V2 RAT, Targeting Indian Government, Defense, and Rail Sectors
A hacking group with ties other than Pakistan has been found targeting Indian government organizations with a modified variant of a remote access trojan (RAT) called DRAT.
The activity has been attributed by Recorded Future’s Insikt Group to a threat actor tracked as TAG-140, which it said overlaps with SideCopy, an adversarial collective assessed to be an operational sub-cluster within Transparent Tribe (aka APT-C-56, APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and ProjectM).
“TAG-140 has consistently demonstrated iterative advancement and variety in its malware arsenal and delivery techniques,” the Mastercard-owned company said in an analysis published last month.
“This latest campaign, which spoofed the Indian Ministry of Defence via a cloned press release portal, marks a slight but notable shift in both malware architecture and command-and-control (C2) functionality.”
The updated version of DRAT, called DRAT V2, is the latest addition to SideCopy’s RAT arsenal, which also comprises other tools like Action RAT, AllaKore RAT, Ares RAT, CurlBack RAT, ReverseRAT, Spark RAT, and Xeno RAT to infect Windows and Linux systems.
The attack activity demonstrates the adversary’s evolving playbook, highlighting its ability to refine and diversify to an “interchangeable suite” of RAT malware to harvest sensitive data to complicate attribution, detection, and monitoring efforts.
Attacks orchestrated by the threat actor have broadened their targeting focus beyond government, defense, maritime, and academic sectors to encompass organizations affiliated with the country’s railway, oil and gas, and external affairs ministries. The group is known to be active since at least 2019.
The infection sequence documented by Recorded Future leverages a ClickFix-style approach that spoofs the Indian Ministry of Defence’s official press release portal to drop a .NET-based version of DRAT to a new Delphi-compiled variant.
The counterfeit website has one active link that, when clicked, initiates an infection sequence that surreptitiously copies a malicious command to the machine’s clipboard and urges the victim to paste and execute it by launching a command shell.
This causes the retrieval of an HTML Application (HTA) file from an external server (“trade4wealth[.]in”), which is then executed by means of mshta.exe to launch a loader called BroaderAspect. The loader is responsible for downloading and launching a decoy PDF, setting up persistence through Windows Registry changes, and downloading and running DRAT V2 from the same server.
DRAT V2 adds a new command for arbitrary shell command execution, improving its post-exploitation flexibility. It also obfuscates its C2 IP addresses using Base64-encoding and updates its custom server-initiated TCP protocol to support commands input in both ASCII and Unicode. However, the server responds only in ASCII. The original DRAT requires Unicode for both input and output.
“Compared to its predecessor, DRAT V2 reduces string obfuscation by keeping most command headers in plaintext, likely prioritizing parsing reliability over stealth,” Recorded Future said. “DRAT V2 lacks advanced anti-analysis techniques and relies on basic infection and persistence methods, making it detectable via static and behavioral analysis.”
Other known capabilities allow it to perform a wide range of actions on compromised hosts, including conducting reconnaissance, uploading additional payloads, and exfiltrating data.
“These functions provide TAG-140 with persistent, flexible control over the infected system and allow for both automated and interactive post-exploitation activity without requiring the deployment of auxiliary malware tools,” the company said.
“DRAT V2 appears to be another modular addition rather than a definitive evolution, reinforcing the likelihood that TAG-140 will persist in rotating RATs across campaigns to obscure signatures and maintain operational flexibility.”
APT36 Campaigns Deliver Ares RAT and DISGOMOJI
State-sponsored threat activity and coordinated hacktivist operations from Pakistan flared up during the India-Pakistan conflict in May 2025, with APT36 capitalizing on the events to distribute Ares RAT in attacks targeting defense, government, IT, healthcare, education, and telecom sectors.
“With the deployment of tools like Ares RAT, attackers gained complete remote access to infected systems – opening the door to surveillance, data theft, and potential sabotage of critical services,” Seqrite Labs noted back in May 2025.
Recent APT36 campaigns have been found to disseminate carefully crafted phishing emails containing malicious PDF attachments to target Indian defense personnel.
The messages masquerade as purchase orders from the National Informatics Centre (NIC) and persuade the recipients to click on a button embedded within the PDF documents. Doing so results in the download of an executable that deceptively displays a PDF icon and employs the double extension format (i.e., *.pdf.exe) to appear legitimate to Windows users.
The binary, besides featuring anti-debugging and anti-VM features to sidestep analysis, is designed to launch a next-stage payload in memory that can enumerate files, log keystrokes, capture clipboard content, obtain browser credentials, and contact a C2 server for data exfiltration and remote access.
“APT36 poses a significant and ongoing cyber threat to national security, specifically targeting Indian defense infrastructure,” CYFIRMA said. “The group’s use of advanced phishing tactics and credential theft exemplifies the evolving sophistication of modern cyber espionage.”
Another campaign detailed by 360 Threat Intelligence Center has leveraged a new variant of a Go-based malware referred to as DISGOMOJI as part of booby-trapped ZIP files distributed via phishing attacks. The malware, the Beijing-based cybersecurity company said, is an ELF executable program written in Golang and uses Google Cloud for C2, marking a shift from Discord.
“In addition, browser theft plug-ins and remote management tools will be downloaded to achieve further theft operations and remote control,” it said. “The function of downloading the DISGOMOJI variant is similar to the load found before, but the previous DISGOMOJI used the Discord server, while this time it used Google Cloud Service for communication.”
Confucius Drops WooperStealer and Anondoor
The findings come as the cyber espionage actor known as Confucius has been linked to a new campaign that deploys an information stealer called WooperStealer and a previously undocumented modular backdoor Anondoor.
Confucius is assessed to be a threat group operating with objectives that align with India. It’s believed to be active since at least 2013, targeting government and military units in South Asia and East Asia.
According to Seebug’s KnownSec 404 Team, the multi-stage attacks employ Windows Shortcut (LNK) files as a starting point to deliver Anondoor using DLL side-loading techniques, following which system information is collected and WooperStealer is fetched from a remote server.
The backdoor is fully-featured, enabling an attacker to issue commands that can execute commands, take screenshots, download files, dump passwords from the Chrome browser, as well as list files and folders.
“It has evolved from the previously exposed single espionage trojan of downloading and executing to a modular backdoor, demonstrating a relatively high ability of technological iteration,” KnownSec 404 Team said. “Its backdoor component is encapsulated in a C# DLL file and evaded sandbox detection by loading the specified method through invoke.”
