A new cyber campaign, believed to be backed by Pakistan, has targeted several Indian government departments using a revamped version of a known malware tool, raising concerns among cybersecurity experts.
Security researchers have flagged the activity as part of a campaign they’ve dubbed “TAG-140”, linking it to a familiar adversary with known ties to Pakistan’s intelligence ecosystem. The attack used a newly compiled variant of the DRAT remote access Trojan (RAT), showcasing a more polished structure and expanded capabilities.
Hackers Spoof Indian Ministry Site in Fresh Cyber Lure
The attackers cloned a legitimate Indian Ministry of Defense press release portal, making it almost indistinguishable from the real thing. That fake site became the bait.
This tactic isn’t exactly new, but the execution here was sharp. It successfully tricked victims into downloading malicious scripts — the first step in compromising their devices.
And that was only the beginning.
TAG-140’s Evolution Hints at Long-Term Strategic Goals
TAG-140 isn’t some ragtag group of amateurs. According to researchers from Recorded Future’s Insikt Group, this operation bears the hallmarks of a sophisticated state-aligned threat actor.
They noted the group’s tactics are strongly aligned with SideCopy, which itself is seen as a close affiliate of Transparent Tribe — a Pakistani APT group that’s been active for years.
Now, here’s where it gets more interesting: TAG-140 didn’t just rehash old tools. It updated them. The transition from the old .NET-based DRAT to a new Delphi-compiled variant suggests more than just technical evolution. It reflects intent — and investment.
From Defense to Railways, the Attack Surface Is Widening
For years, Indian military, maritime, and academic entities were the main targets. That focus just shifted.
The campaign has now expanded to include:
- India’s railway sector
- Oil and gas ministries
- The Ministry of External Affairs
This widening scope is not accidental. It’s strategic. It indicates that TAG-140 is no longer just fishing for defense data but is casting a wider net into areas tied to infrastructure, energy, and foreign policy.
DRAT Version 2: Same Goals, Smarter Execution
At the core of this campaign is DRAT Version 2 — an upgraded RAT that does a lot more than its predecessor. It’s compiled in Delphi now, not .NET. That alone changes how it behaves and how hard it is to detect.
The researchers also pointed out some subtle but impactful technical changes. The new variant supports a revamped TCP-based command-and-control system, allowing attackers more granular and stealthy access.
And while DRAT V2 is slicker, it still uses some pretty basic infection methods. For instance, it relies on mshta.exe — a common Windows utility — to kick things off.
Behind the Scenes: A Familiar Loader Returns
Once the fake press release page pulled in its victim, the malware didn’t immediately unleash DRAT. Instead, it first used a tool called BroaderAspect — a .NET-based loader that’s already appeared in previous TAG-140 operations.
Here’s a quick breakdown of how the infection unfolded:
- User clicks link from phishing email (likely spearphishing)
- Malicious script runs via mshta.exe
- BroaderAspect loader gets executed
- DRAT V2 is installed and quietly begins its job
That loader is critical. It lays the groundwork by creating persistence, ensuring the RAT isn’t kicked out by a simple reboot or basic antivirus cleanup.
A Look Under the Hood: What DRAT V2 Can Do
So, what can DRAT V2 actually do? A lot more than before.
Here’s a side-by-side comparison of old DRAT versus the new V2 variant:
| Feature | DRAT (Old) | DRAT V2 (New) |
|---|---|---|
| Programming Language | .NET | Delphi |
| Command & Control | Basic TCP | Enhanced TCP Protocol |
| Payload Deployment | Limited | Supports More Types |
| Persistence Methods | Basic (Same) | Basic (Same) |
| Detection Avoidance | Low | Slightly Improved |
| Data Exfiltration | Yes | More Efficient |
| Post-Exploitation Control | Manual | Automated + Manual |
And yes, the malware can exfiltrate files, upload new payloads, and scan the infected device. It’s not fancy, but it’s thorough.
Social Engineering Remains the Weak Spot
Despite all the tech upgrades, one thing hasn’t changed: human error.
TAG-140 got in through social engineering. The likely scenario? A crafted spearphishing email lands in an inbox, mimicking official government correspondence. Someone clicks, and the door swings open.
That tactic — what Insikt Group calls “ClickFix-style” — has worked before. And unfortunately, it still does.
Detection Still Possible, But Analysts Warn of Long-Term Risks
DRAT V2 isn’t invisible. In fact, researchers said its infection and persistence techniques are fairly standard — detectable through static and behavioral analysis.
But that doesn’t mean defenders can relax. Because the threat isn’t just about the malware itself. It’s about the infrastructure around it.
Experts suggest watching for:
- Spearphishing infrastructure reuse
- Recurring loader patterns (like BroaderAspect)
- Behavioral indicators instead of just malware signatures
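To make the "behavioral indicators" point concrete, here is an added example of the kind of rule a defender could run over process-creation telemetry to catch the infection chain described above (a remote script launched through mshta.exe that then spawns a loader). This is illustrative code written for this article, not anything published by Insikt Group or recovered from TAG-140's tooling. The event format, field names, hostnames and file names in the sample are all constructed, and the record layout is only loosely modelled on Sysmon process-creation events; a real deployment would parse the EDR or SIEM schema actually in use.

```python
"""Behavioral detection for an mshta.exe-initiated process chain.

Added example, not code from the Insikt Group report. The telemetry
format, field names and sample values are constructed assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample telemetry: one process-creation record per line as
# '|'-separated key=value pairs. Hostnames and paths are invented.
# Records 2-4 model the chain in the article (mshta.exe -> loader -> RAT);
# record 5 is a benign local HTA with no follow-on processes.
SAMPLE_EVENTS = """\
ts=2025-07-01T09:12:01Z|pid=4100|ppid=880|image=C:\\Program Files\\Browser\\browser.exe|cmdline="browser.exe" https://press-release.example.invalid/
ts=2025-07-01T09:12:09Z|pid=4312|ppid=4100|image=C:\\Windows\\System32\\mshta.exe|cmdline=mshta.exe https://press-release.example.invalid/view.hta
ts=2025-07-01T09:12:11Z|pid=4350|ppid=4312|image=C:\\Users\\victim\\AppData\\Local\\Temp\\loader.exe|cmdline=loader.exe
ts=2025-07-01T09:12:14Z|pid=4402|ppid=4350|image=C:\\Users\\victim\\AppData\\Roaming\\svc\\update.exe|cmdline=update.exe
ts=2025-07-01T09:30:00Z|pid=5120|ppid=880|image=C:\\Windows\\System32\\mshta.exe|cmdline=mshta.exe "C:\\Program Files\\Vendor\\help.hta"
"""


@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Alert:
    pid: int              # pid of the mshta.exe process that triggered the alert
    severity: str         # "medium" (one indicator) or "high" (both indicators)
    reasons: List[str]
    chain: List[str]      # image basenames from mshta.exe down the process tree


REMOTE_RE = re.compile(r"https?://", re.IGNORECASE)


def parse_events(text: str) -> List[ProcEvent]:
    """Parse the constructed key=value records into ProcEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append(ProcEvent(fields["ts"], int(fields["pid"]),
                                int(fields["ppid"]), fields["image"],
                                fields["cmdline"]))
    return events


def descendants(pid: int, children: Dict[int, List[ProcEvent]]) -> List[ProcEvent]:
    """Depth-first list of every process spawned, directly or indirectly, by pid."""
    out: List[ProcEvent] = []
    for child in children.get(pid, []):
        out.append(child)
        out.extend(descendants(child.pid, children))
    return out


def detect_mshta_chains(text: str) -> List[Alert]:
    """Flag mshta.exe runs that fetch a remote script and/or act as a launcher."""
    events = parse_events(text)
    children: Dict[int, List[ProcEvent]] = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)

    alerts: List[Alert] = []
    for ev in events:
        if ntpath.basename(ev.image).lower() != "mshta.exe":
            continue
        reasons: List[str] = []
        if REMOTE_RE.search(ev.cmdline):
            reasons.append("remote_script")     # HTA pulled from a URL, not a local file
        kids = descendants(ev.pid, children)
        if kids:
            reasons.append("spawned_children")  # mshta.exe handing off to further binaries
        if not reasons:
            continue                             # local HTA, no children: treated as benign here
        severity = "high" if len(reasons) == 2 else "medium"
        chain = ["mshta.exe"] + [ntpath.basename(k.image) for k in kids]
        alerts.append(Alert(ev.pid, severity, reasons, chain))
    return alerts


if __name__ == "__main__":
    for alert in detect_mshta_chains(SAMPLE_EVENTS):
        print(f"[{alert.severity}] mshta pid={alert.pid} "
              f"reasons={alert.reasons} chain={' -> '.join(alert.chain)}")
```

The rule deliberately keys on behaviour rather than a file hash: the same logic fires whether the loader is BroaderAspect or something recompiled next month, as long as mshta.exe is still the first hop and still spawns the next stage. The benign record in the sample shows the trade-off: a locally installed HTA that spawns nothing is left alone, so an environment where mshta.exe is never used legitimately could tighten the rule further and alert on any invocation.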
These patterns are harder to clean up than code. They show how persistent — and resourceful — TAG-140 has become.