A sophisticated cyber campaign linked to Pakistan has struck multiple Indian government departments. The attackers, identified as the group “TAG-140,” are using an upgraded remote access trojan (RAT) called DRAT V2. This new wave of attacks involves a cleverly cloned Indian Ministry of Defense website to trick officials into downloading the malicious software, signaling a significant escalation in cyber espionage efforts against India.
A Sophisticated Lure from a Familiar Face
The attack began with a meticulously cloned website of an Indian Ministry of Defense press portal. This fake site was used as bait in what security experts believe were highly targeted spearphishing emails. The goal was to trick government employees into clicking a link and unknowingly initiating a malware infection.
This operation is attributed to a group that the cybersecurity firm Recorded Future calls “TAG-140”. The group’s methods and tools show strong connections to SideCopy, which is widely considered an affiliate of Transparent Tribe, a well-known Pakistani state-aligned hacking collective.
This connection suggests the campaign is not a one-off attack but part of a larger, state-supported strategy with long-term intelligence-gathering objectives. The investment in upgrading their malware toolkit points to a persistent and evolving threat.
From a Single Click to Full System Control
The infection process is a multi-stage operation designed to be stealthy and effective. Once a victim is tricked by the fake website, a familiar but potent chain of events begins, leading to a full system compromise.
The attack unfolds in a clear sequence:
- A government employee receives a spearphishing email and clicks on a malicious link.
- The link executes a script using `mshta.exe`, a legitimate Windows utility, to avoid initial detection.
- This script downloads and runs a loader known as BroaderAspect, a tool previously used by TAG-140.
- The loader establishes persistence on the device before finally installing the main payload, DRAT V2.
The BroaderAspect loader is a key component. Its primary job is to ensure the malware survives system reboots and basic security scans, giving the attackers a stable foothold inside the compromised network.
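The chain above hinges on `mshta.exe` fetching a remote script and then launching a loader, which is exactly the kind of behaviour the report says careful monitoring can still catch. The following is an added detection example, not code from the original report or from Recorded Future; the process-creation events are constructed, simplified Sysmon-style records, and the field names, paths and rule thresholds are assumptions rather than TAG-140 indicators.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (simplified Sysmon Event ID 1 fields)."""
    pid: int
    image: str          # full path of the newly created process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


# Constructed sample telemetry (not real events; example.invalid is a reserved name).
SAMPLE_EVENTS = [
    # Local HTA opened from Explorer: not flagged by these two rules (tuning choice).
    ProcEvent(100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\user\Desktop\readme.hta",
              r"C:\Windows\explorer.exe"),
    # Browser hands a remote .hta to mshta.exe, as in the cloned-portal lure.
    ProcEvent(101, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://example.invalid/press-release.hta",
              r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    # mshta.exe then starts a dropped binary from a user-writable directory.
    ProcEvent(102, r"C:\Users\user\AppData\Local\Temp\stage2.exe",
              "stage2.exe", r"C:\Windows\System32\mshta.exe"),
    # Benign noise that must not alert.
    ProcEvent(103, r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe"),
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, reason) pairs for events matching the mshta.exe behaviours."""
    alerts = []
    for ev in events:
        image, parent = basename(ev.image), basename(ev.parent_image)
        # Rule 1: mshta.exe given a URL, i.e. fetching its script from a remote host.
        if image == "mshta.exe" and URL_RE.search(ev.cmdline):
            alerts.append((ev.pid, "mshta.exe executing a remote script"))
        # Rule 2: mshta.exe spawning an executable that lives in a user-writable path.
        if parent == "mshta.exe" and USER_WRITABLE_RE.search(ev.image):
            alerts.append((ev.pid, "mshta.exe launched a binary from a user-writable path"))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` flags events 101 and 102 and leaves the benign ones alone; both rules can be tightened or loosened (for example by also alerting on local .hta files) depending on how much legitimate HTA use an environment has.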
Targets Expand Beyond Military to Critical Infrastructure
Historically, these Pakistani-linked groups focused on India’s defense, maritime, and academic sectors. However, this latest campaign reveals a significant and worrying expansion of their target list.
The new focus now includes critical non-military sectors vital to the country’s functioning. The list of new targets includes:
- India’s railway sector
- Oil and gas ministries
- The Ministry of External Affairs
This strategic shift suggests the attackers are no longer just seeking military secrets. They are now casting a wider net to gather intelligence on India’s infrastructure, energy security, and foreign policy, which poses a much broader national security risk.
DRAT V2: A Deadlier, Upgraded Spying Tool
At the heart of the attack is DRAT Version 2, a completely revamped version of the group’s custom RAT. The switch from the .NET framework to the Delphi programming language makes it harder for some security tools to detect and analyze.
The new version boasts several key improvements over its predecessor, enhancing its stealth and operational capabilities.
| Feature | DRAT (Old) | DRAT V2 (New) |
|---|---|---|
| Programming Language | .NET | Delphi |
| Command & Control | Basic TCP | Enhanced TCP Protocol |
| Data Exfiltration | Yes | More Efficient |
| Detection Avoidance | Low | Slightly Improved |
Despite these upgrades, the malware’s core infection methods remain relatively basic. Security analysts note that it is still detectable through careful behavioral monitoring. However, they warn that the real threat lies in the attackers’ persistence and their ability to continuously refine their tools and tactics.