A cyber-espionage group known as TAG-140 has launched a new wave of attacks targeting India’s government, defense, and railway sectors. This group is linked to Pakistan-based actors like Transparent Tribe and SideCopy. Their latest campaign involves a more advanced remote access trojan called DRAT V2. This new tool is a serious upgrade from the original DRAT malware and is being used to quietly gain access to sensitive Indian systems.

DRAT V2 is developed using Delphi, unlike the previous .NET-based version. One of the most dangerous additions in DRAT V2 is a new function called exec_this_comm, which allows attackers to execute any shell command remotely. This means once the malware is inside a system, the hackers can do almost anything they want, including stealing files, collecting sensitive information, and maintaining long-term control.

To avoid detection, the malware uses Base64 encoding with junk prefixes to hide the IP addresses it communicates with. It also ensures that all its responses are in ASCII-only characters, which helps it blend in with normal-looking traffic. Even though DRAT V2 has these obfuscation techniques, it doesn’t include advanced anti-analysis features. That means it can still be detected by well-configured security tools that monitor for strange behavior.
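The junk-prefix trick described above defeats a naive "base64-decode the whole string" check, because an unaligned prefix shifts the 4-character decoding boundary. The following added example (not code from the report or from any of the tools it names) shows the defender's side: it scans a blob for base64-looking runs, retries the decode from every start offset so an unknown-length prefix is skipped, and flags any decode that is pure ASCII and contains an IPv4 address. The exact prefix format used by DRAT V2 is not on the page, so the three-character prefix and the documentation-range IP in the sample are constructed assumptions.

```python
import base64
import binascii
import re
import string

# Constructed sample: an IPv4:port string hidden behind a short alphanumeric
# junk prefix. The prefix "Qz7" and the endpoint are invented for this demo
# (198.51.100.0/24 is a documentation range), not indicators from the report.
JUNK_PREFIX = "Qz7"
HIDDEN_ENDPOINT = "198.51.100.23:8080"
SAMPLE_BLOB = JUNK_PREFIX + base64.b64encode(HIDDEN_ENDPOINT.encode()).decode()

# A run of at least 8 base64-alphabet characters, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# Dotted-quad IPv4 with each octet limited to 0-255.
IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# The page notes the malware keeps its responses ASCII-only, so a decode that
# yields anything else is discarded as a misaligned or garbage attempt.
PRINTABLE = set(string.printable.encode())


def recover_hidden_ipv4(blob: str) -> list:
    """Return (offset, decoded_text, ipv4) for every base64 run in `blob`
    that decodes to printable ASCII containing an IPv4 address.

    Every start offset inside each run is tried, because a junk prefix of
    unknown length breaks the 4-character alignment that base64 needs.
    """
    hits = []
    for match in B64_RUN.finditer(blob):
        run = match.group(0).rstrip("=")
        for offset in range(len(run)):
            chunk = run[offset:]
            chunk += "=" * (-len(chunk) % 4)  # re-pad to a multiple of 4
            try:
                data = base64.b64decode(chunk, validate=True)
            except (binascii.Error, ValueError):
                continue  # impossible length or bad alphabet at this offset
            if not data or any(b not in PRINTABLE for b in data):
                continue  # non-ASCII output: not the intended alignment
            text = data.decode("ascii")
            ip = IPV4.search(text)
            if ip:
                hits.append((match.start() + offset, text, ip.group(0)))
    return hits


if __name__ == "__main__":
    for offset, text, ip in recover_hidden_ipv4(SAMPLE_BLOB):
        print(f"offset {offset}: {text!r} -> hidden IPv4 {ip}")
```

In practice this check would run over decoded HTTP bodies or extracted strings from a sample; the brute-force over offsets is cheap because each run is short, and the ASCII-only filter removes almost all false alignments before the IP regex is consulted.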

The attack begins with a phishing email. The email contains a link that leads to a fake website which looks just like the official Indian Ministry of Defence portal. Once the victim clicks on the fake “March 2025 release” link, a harmful command is automatically copied to their clipboard. If they unknowingly paste and execute the command, it runs a script using mshta.exe. This script then installs a component called BroaderAspect, which delivers the DRAT V2 malware.

The BroaderAspect loader is also responsible for maintaining persistence. It modifies registry entries so that the malware stays active even after a system reboot. To avoid raising suspicion, these registry entries are disguised to look like PDF-related files. This method is effective because many users and even some security teams may overlook entries that appear harmless at first glance.

According to analysts from Recorded Future’s Insikt Group, TAG-140 has been active since at least 2019. The group is constantly improving its tools, and DRAT V2 is a strong example of how their methods are evolving. While the malware is technically simple in structure, it is highly effective at what it was designed for: spying on and stealing data from critical organizations.

The sectors being targeted go beyond just defense and government. The campaign has also shown signs of interest in India’s oil and gas industries and the Ministry of External Affairs. This shows that the attackers are aiming to infiltrate a broad range of sensitive departments, likely to gather intelligence or disrupt operations.

Security experts have warned that although the malware lacks complex evasion tactics, its success lies in the clever use of social engineering and low-level tricks. The campaign relies heavily on fooling users into clicking links and executing commands themselves. This makes user awareness and cybersecurity training more important than ever.

To protect against DRAT V2, organizations are advised to monitor clipboard activity, network traffic, and registry changes. Detection rules using Snort, Sigma, or YARA can help identify BroaderAspect and DRAT V2 behaviors. Scanning for Base64-encoded outbound traffic and suspicious command execution can also be effective.
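The monitoring advice above, together with the mshta.exe launch and the PDF-lookalike Run-key persistence described earlier, can be expressed as two host-based detection rules. The following is an added example written for this article, not a rule shipped by Recorded Future or any vendor. It runs over a handful of constructed Sysmon-style records (field names follow Sysmon's schema; Event ID 1 is process creation and Event ID 13 is a registry value set; all paths, value names and the URL are invented). Two assumptions go beyond the page: that the mshta.exe command either references a URL or is launched interactively from explorer.exe, and that the persistence entry points at a user-writable path, which keeps a genuine PDF reader's autorun entry from firing the rule.

```python
import re

# Constructed Sysmon-style events. Values are invented for this demo and are
# not indicators of compromise from the report.
SAMPLE_EVENTS = [
    {   # ClickFix-style launch: mshta.exe started from explorer.exe with a URL
        "EventID": 1,
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"mshta.exe https://example.invalid/release_march_2025.hta",
    },
    {   # Benign: a vendor installer running a local HTA
        "EventID": 1,
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Program Files\Vendor\installer.exe",
        "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
    },
    {   # Persistence: Run value named like a PDF tool, pointing into AppData
        "EventID": 13,
        "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\AdobePDFReader",
        "Details": r"C:\Users\alice\AppData\Roaming\pdfupdate.exe",
    },
    {   # Benign: a normal Windows autorun entry
        "EventID": 13,
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
        "Details": r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
    {   # Unrelated process creation
        "EventID": 1,
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PDF_RE = re.compile(r"pdf", re.IGNORECASE)
# Locations a standard user can write to; a legitimate PDF reader would
# normally autorun from Program Files instead (assumption for this demo).
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE
)


def rule_mshta_remote_or_interactive(ev: dict):
    """Flag mshta.exe that pulls a remote script or is started from the shell
    (Run dialog / explorer.exe), which is how a pasted command would run."""
    if ev.get("EventID") != 1:
        return None
    if not ev.get("Image", "").lower().endswith("\\mshta.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "").lower()
    if URL_RE.search(cmd) or parent.endswith("\\explorer.exe"):
        return "mshta_remote_or_interactive"
    return None


def rule_run_key_pdf_lookalike(ev: dict):
    """Flag a Run/RunOnce value whose name or target mentions PDF but whose
    target binary lives in a user-writable directory."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None
    value_name = target.rsplit("\\", 1)[-1]
    details = ev.get("Details", "")
    if (PDF_RE.search(value_name) or PDF_RE.search(details)) and USER_WRITABLE_RE.search(details):
        return "runkey_pdf_lookalike_userwritable"
    return None


RULES = [rule_mshta_remote_or_interactive, rule_run_key_pdf_lookalike]


def scan(events: list) -> list:
    """Apply every rule to every event; return (event_index, rule_name) pairs."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append((idx, name))
    return alerts


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The same two conditions translate directly into Sigma rules (process_creation with Image ending in `\mshta.exe`, and registry_set with TargetObject under `\CurrentVersion\Run\`); the Python form is useful for testing the logic against captured telemetry before deploying it.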

This campaign is a strong reminder that cyber threats continue to evolve, and attackers are constantly finding new ways to break into systems. TAG-140’s latest move proves how dangerous even simple malware can be when used strategically. India’s critical infrastructure needs to stay alert and adopt layered security measures to stay protected against such targeted attacks.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news