New DRAT V2 Update Enhances C2 Protocol with Shell Command Execution Capabilities
A new variant of the DRAT remote access trojan (RAT), dubbed DRAT V2, has been uncovered as part of a TAG-140 campaign targeting Indian government entities.
This threat actor, believed to overlap with SideCopy and linked to Transparent Tribe (aka APT36), demonstrates a consistent pattern of refining its malware arsenal.
TAG-140 Evolves Malware Arsenal
The latest campaign, which impersonated the Indian Ministry of Defence through a cloned press release portal, showcases a shift in malware architecture from a .NET-based DRAT to a Delphi-compiled DRAT V2, complete with an updated command-and-control (C2) protocol and enhanced post-exploitation features.
This development underscores TAG-140’s maturing tradecraft, particularly in targeting India’s defense and governmental sectors with tailored social engineering and technical sophistication.

DRAT V2 introduces significant updates over its predecessor, most notably a revamped custom TCP-based, server-initiated C2 protocol that now supports both ASCII and Unicode command inputs while maintaining ASCII-only responses for streamlined communication.
A standout feature of this variant is the addition of the “exec_this_comm” command, enabling arbitrary shell command execution on compromised hosts.
According to the Recorded Future report, this capability provides TAG-140 operators with unprecedented flexibility for real-time, interactive post-exploitation tasks, ranging from system reconnaissance (gathering details such as usernames, OS versions, and working directories) to file transfers for payload staging or data exfiltration.
Advanced C2 Protocol
Furthermore, DRAT V2 enhances its C2 obfuscation by encoding IP addresses with Base64 and prepending unique strings, a tactic designed to thwart straightforward decoding by analysts.

Unlike the original DRAT, which relied heavily on string obfuscation, DRAT V2 prioritizes parsing reliability by keeping most command headers in plaintext, reflecting a strategic balance between stealth and operational efficiency.
The malware’s infection chain, initiated through a ClickFix-style social engineering lure spoofing the Indian Ministry of Defence, leverages the BroaderAspect .NET loader to establish persistence via registry run keys (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) and execute the final Delphi-based payload.
Despite its advancements, DRAT V2 lacks sophisticated anti-analysis techniques, relying on basic infection and persistence methods, which makes it detectable through static and behavioral analysis when monitored for specific indicators like uncommon TCP ports (e.g., 3232, 6372, 7771) or encoded traffic patterns.
As TAG-140 continues to diversify its RAT portfolio, which includes tools like CurlBack, SparkRAT, and AllaKore, DRAT V2 represents a modular addition rather than a complete overhaul, suggesting the group will likely rotate malware variants to evade detection.
Security teams are advised to focus on monitoring spearphishing infrastructure, loader reuse, and behavioral indicators rather than specific malware signatures to maintain visibility into TAG-140’s evolving tactics.
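As an added defender-side example (not code from the report or from Recorded Future), the following Python implements the two detection points described above: it recovers IPv4 addresses that are Base64-encoded behind an unknown prepended string, and it flags connections to the uncommon TCP ports the report names. The "k9Qz" prefix, the 203.0.113.x / 198.51.100.x addresses and the log lines are constructed for the example.

```python
import base64
import re

# TCP ports the report names for DRAT V2 C2 (3232, 6372, 7771); rare on most networks.
DRAT_V2_PORTS = {3232, 6372, 7771}
IPV4_PORT = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?::(\d{1,5}))?$")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")  # candidate Base64 runs in a strings dump
DST_FIELD = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def is_ipv4_endpoint(text: str) -> bool:
    """True if text is a dotted-quad IPv4 address with an optional :port suffix."""
    m = IPV4_PORT.match(text)
    return bool(m) and all(int(o) <= 255 for o in m.groups()[:4]) and int(m.group(5) or 0) <= 65535


def find_encoded_c2(blob: str) -> list[str]:
    """Recover IPv4[:port] values hidden as Base64 behind an unknown prepended string.
    The prefix breaks the alignment of the whole token, so every suffix is tried and
    strict decoding (validate=True) rejects the wrong offsets."""
    hits = []
    for tok in B64_TOKEN.findall(blob):
        for start in range(len(tok)):
            try:
                decoded = base64.b64decode(tok[start:], validate=True).decode("ascii")
            except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
                continue
            if is_ipv4_endpoint(decoded):
                hits.append(decoded)
                break
    return hits


def flag_uncommon_ports(conn_log: str) -> list[tuple[str, int]]:
    """Return (dst_ip, dst_port) for each connection to one of the report's DRAT V2 ports."""
    hits = []
    for line in conn_log.splitlines():
        m = DST_FIELD.search(line)
        if m and int(m.group(2)) in DRAT_V2_PORTS:
            hits.append((m.group(1), int(m.group(2))))
    return hits


# Constructed inputs, not from a real sample: a strings dump whose last entry is an assumed
# prefix "k9Qz" plus Base64("203.0.113.5:7771"), and a connection log with two hits.
SAMPLE_STRINGS = "Software\\Microsoft\\Windows\\CurrentVersion\\Run\nexec_this_comm\n" \
    "k9Qz" + base64.b64encode(b"203.0.113.5:7771").decode()
SAMPLE_CONN_LOG = """\
2025-07-01T10:02:11Z src=10.10.4.21:50122 dst=203.0.113.5:7771 proto=tcp
2025-07-01T10:02:14Z src=10.10.4.21:50123 dst=10.10.1.5:443 proto=tcp
2025-07-01T10:03:40Z src=10.10.4.22:50900 dst=198.51.100.9:3232 proto=tcp
"""
```

Running `find_encoded_c2(SAMPLE_STRINGS)` yields the hidden endpoint and `flag_uncommon_ports(SAMPLE_CONN_LOG)` the two sessions on report-named ports; the registry path and command name in the dump produce no false positives.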
Indicators of Compromise (IOCs)