

Ethical Hacking News

EXPOSING THE TAG-140 APT: A MODERN CYBER ESPIONAGE CAMPAIGN TARGETING INDIAN GOVERNMENT AND DEFENSE SECTORS



In a recent campaign, TAG-140 has been linked to the deployment of DRAT V2, a modified variant of a remote access trojan (RAT) targeting Indian government organizations with malicious intentions. This attack highlights the evolving nature of cyber espionage and the need for organizations to remain vigilant in the face of increasingly sophisticated threats.

  • TAG-140 has been linked to advanced attacks on Indian government institutions and defense sectors using a modified remote access trojan (RAT) called DRAT V2.
  • The group is believed to be connected to SideCopy, an adversarial collective with various tools and techniques aimed at compromising systems and exfiltrating sensitive data.
  • DRAT V2 has demonstrated iterative advancement and variety in its malware arsenal and delivery techniques, including a slight shift in both malware architecture and command-and-control (C2) functionality.
  • The attack activity showcases the adversary's evolving playbook, highlighting its ability to refine and diversify to an "interchangeable suite" of RAT malware.
  • The deployment of DRAT V2 highlights the need for organizations to remain vigilant in the face of increasingly sophisticated threats and implement effective countermeasures to mitigate the impact of such campaigns.



    In recent times, the world of cybersecurity has witnessed a surge in sophisticated and targeted attacks against government institutions, defense sectors, and other critical infrastructure. One threat actor that has been making headlines is TAG-140, a group known for its advanced tactics, techniques, and procedures (TTPs). This article covers TAG-140's latest campaign, which Recorded Future's Insikt Group has attributed to the group: an operation targeting Indian government organizations with a modified variant of a remote access trojan (RAT) called DRAT V2.

    The TAG-140 APT is believed to be linked to SideCopy, an adversarial collective assessed to be an operational sub-cluster within Transparent Tribe (also known as APT-C-56, APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and ProjectM). The group's activities have been observed since at least 2019, with the deployment of various tools and techniques aimed at compromising systems and exfiltrating sensitive data.

    According to Recorded Future, TAG-140 has consistently demonstrated iterative advancement and variety in its malware arsenal and delivery techniques. In a recent analysis, the company stated that this latest campaign, which spoofed the Indian Ministry of Defence via a cloned press release portal, marks a slight but notable shift in both malware architecture and command-and-control (C2) functionality.

    The updated version of DRAT V2 is the latest addition to SideCopy's RAT arsenal, which also comprises other tools like Action RAT, AllaKore RAT, Ares RAT, CurlBack RAT, ReverseRAT, Spark RAT, and Xeno RAT. The attack activity demonstrates the adversary's evolving playbook, highlighting its ability to refine and diversify to an "interchangeable suite" of RAT malware.

    Infection sequences documented by Recorded Future leverage a ClickFix-style approach that spoofs the Indian Ministry of Defence's official press release portal to drop a .NET-based version of DRAT V2 (as distinct from a Delphi-compiled variant). The counterfeit website has a single active link that, when clicked, starts an infection sequence that surreptitiously copies a malicious command to the machine's clipboard and urges the victim to open a command shell and paste and execute it.

    Additionally, browser-theft plug-ins and remote management tools are downloaded to enable further data theft and remote control. DRAT V2 also adds a new command for arbitrary shell command execution, improving its post-exploitation flexibility. It obfuscates its C2 IP addresses using Base64 encoding and updates its custom server-initiated TCP protocol to accept command input in both ASCII and Unicode.

    However, the server responds only in ASCII, a notable shift from its predecessor. Compared with that predecessor, DRAT V2 reduces string obfuscation by keeping most command headers in plaintext, likely prioritizing parsing reliability over stealth. DRAT V2 also lacks advanced anti-analysis techniques and relies on basic infection and persistence methods, which makes it detectable through static and behavioral analysis.
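    The two protocol details above (C2 addresses hidden as Base64 text, and command strings that may be stored as ASCII or as Unicode/UTF-16LE) translate directly into a triage task for an analyst: pull every Base64-looking token out of a sample, in both text encodings, and keep only the ones that decode to an IPv4 address. The script below is an added example written for this article, not code from Recorded Future or from the malware itself; the sample blob is constructed inline from documentation-range addresses, and the assumption that the plaintext is a dotted-quad string (optionally with a `:port` suffix) is a simplification of the behaviour the article describes.

```python
import base64
import ipaddress
import re

# Constructed sample blob: one Base64-encoded IPv4 literal stored as ASCII,
# one stored as UTF-16LE, plus a Base64 string that is not an address.
# Addresses are from the documentation ranges (RFC 5737), not real C2.
ASCII_C2 = base64.b64encode(b"203.0.113.10").decode()                      # ASCII text
UNICODE_C2 = base64.b64encode(b"198.51.100.7").decode().encode("utf-16-le")  # UTF-16LE text
NOT_AN_IP = b"aGVsbG8gd29ybGQ="                                            # "hello world"
SAMPLE = b"\x00junk\x00" + ASCII_C2.encode() + b"\x00\x00" + UNICODE_C2 + b"\x00\x00" + NOT_AN_IP + b"\x00"

# A run of at least 8 Base64 alphabet characters with optional padding.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def candidate_tokens(blob: bytes) -> list[bytes]:
    """Return Base64-looking tokens found as plain ASCII or as UTF-16LE text."""
    found = list(B64_TOKEN.findall(blob))
    # UTF-16LE strings interleave NUL bytes, so the ASCII regex misses them.
    # Decode at both byte alignments, drop anything non-ASCII, and rescan.
    for offset in (0, 1):
        wide = blob[offset:].decode("utf-16-le", errors="ignore")
        found.extend(B64_TOKEN.findall(wide.encode("ascii", errors="ignore")))
    return found


def decode_ipv4(token: bytes):
    """Decode one token; return 'ip' or 'ip:port' if the plaintext is an IPv4 literal, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii").strip()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    host, _, port = text.partition(":")
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return None
    if port and not port.isdigit():
        return None
    return text


def extract_c2_candidates(blob: bytes) -> list[str]:
    """Unique IPv4 literals recovered from Base64 tokens, in order of discovery."""
    seen: list[str] = []
    for token in candidate_tokens(blob):
        value = decode_ipv4(token)
        if value and value not in seen:
            seen.append(value)
    return seen


if __name__ == "__main__":
    for addr in extract_c2_candidates(SAMPLE):
        print("candidate C2 address:", addr)
```

    Scanning at both UTF-16LE byte alignments matters: a string that starts at an odd offset decodes to garbage at alignment 0 and is only recovered at alignment 1. The `validate=True` flag rejects tokens with the wrong length or padding, which keeps random alphanumeric runs from producing false positives.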

    Other known capabilities allow TAG-140 to perform a wide range of actions on compromised hosts, including conducting reconnaissance, uploading additional payloads, and exfiltrating data. These functions provide the group with persistent, flexible control over the infected system and allow for both automated and interactive post-exploitation activity without requiring the deployment of auxiliary malware tools.

    The DRAT V2 variant is believed to be another modular addition rather than a definitive evolution, reinforcing the likelihood that TAG-140 will persist in rotating RATs across campaigns to obscure signatures and maintain operational flexibility. The group's activities have been observed in various sectors, including government, defense, maritime, academic, railway, oil and gas, and external affairs ministries.

    The deployment of DRAT V2 highlights the evolving nature of cyber espionage and the need for organizations to remain vigilant in the face of increasingly sophisticated threats. As TAG-140 continues to refine its tactics and techniques, it is essential that security professionals stay abreast of the latest developments and implement effective countermeasures to mitigate the impact of such campaigns.

    Separately, another threat actor, Confucius, has been linked to a new campaign that deploys an information stealer called WooperStealer and a previously undocumented modular backdoor called Anondoor. Confucius is assessed to be a threat group whose objectives align with India's; it is believed to have been active since at least 2013, targeting government and military units in South Asia and East Asia.

    The multi-stage attacks employed by Confucius use Windows Shortcut (LNK) files as a starting point to deliver Anondoor through DLL side-loading, after which system information is collected and WooperStealer is fetched from a remote server. The backdoor is fully featured, allowing an attacker to issue commands that execute shell commands, take screenshots, download files, dump passwords from the Chrome browser, and list files and folders.

    The deployment of these tools highlights the need for organizations to adopt robust security measures to prevent the exfiltration of sensitive data. As threat actors continue to refine their tactics and techniques, it is essential that organizations prioritize cybersecurity and implement effective countermeasures to mitigate the impact of such campaigns.

    In conclusion, the TAG-140 APT represents a significant threat to Indian government institutions and defense sectors, with its deployment of DRAT V2 highlighting the evolving nature of cyber espionage. As security professionals, it is crucial that we remain vigilant in the face of increasingly sophisticated threats and implement effective countermeasures to mitigate the impact of such campaigns.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/EXPOSING-THE-TAG-140-APT-A-MODERN-CYBER-ESPIONAGE-CAMPAIGN-TARGETING-INDIAN-GOVERNMENT-AND-DEFENSE-SECTORS-ehn.shtml

  • https://thehackernews.com/2025/07/tag-140-deploys-drat-v2-rat-targeting.html


  • Published: Mon Jul 7 01:33:08 2025 by llama3.2 3B Q4_K_M
