Executive Summary

During an investigation into a recent TAG-140 campaign targeting Indian government organizations, Insikt Group identified a modified variant of the DRAT remote access trojan (RAT), which we designated as DRAT V2. TAG-140 has overlaps with SideCopy, an operational subgroup assessed to be a sub-cluster or operational affiliate of Transparent Tribe (also tracked as APT36, ProjectM, or MYTHIC LEOPARD). TAG-140 has consistently demonstrated iterative advancement and variety in its malware arsenal and delivery techniques. This latest campaign, which spoofed the Indian Ministry of Defence via a cloned press release portal, marks a slight but notable shift in both malware architecture and command-and-control (C2) functionality.

The deployment of DRAT V2 reflects TAG-140’s ongoing refinement of its remote access tooling, transitioning from a .NET-based version of DRAT to a new Delphi-compiled variant. Both versions are among numerous RATs the group has leveraged, such as CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, and ReverseRAT, indicating a pattern of rotating malware use. DRAT V2 updates its custom TCP-based, server-initiated C2 protocol and expands functional capabilities, including arbitrary shell command execution and enhanced file system interaction.

Analysis of the infection chain indicates that initial access was achieved through a ClickFix-style social engineering lure. Victims were enticed to execute a malicious script via mshta.exe, which led to the execution of the BroaderAspect .NET loader, which has previously been used by TAG-140. BroaderAspect establishes persistence and subsequent DRAT V2 installation and execution.

Insikt Group attributes this activity to TAG-140 with moderate confidence based on domain overlap, malware lineage, and infrastructure characteristics. DRAT V2’s enhancements suggest a likely increase in TAG-140’s capacity for tailored post-exploitation and lateral movement across victim networks. As such, its emergence is a relevant indicator of the threat actor’s maturing tradecraft and strategic targeting of India’s defense and governmental institutions.

Key Findings

• DRAT V2 adds a new command (exec_this_comm) for arbitrary shell command execution, enhancing post-exploitation flexibility.
• The malware obfuscates its C2 IP addresses using Base64 encoding with prepended strings to hinder straightforward decoding.
• Compared to its predecessor, DRAT V2 reduces string obfuscation by keeping most command headers in plaintext, likely prioritizing parsing reliability over stealth.
• DRAT V2 updates its custom server-initiated TCP protocol to support commands input in both ASCII and Unicode, while responding in ASCII only.
• DRAT V2 lacks advanced anti-analysis techniques and relies on basic infection and persistence methods, making it detectable via static and behavioral analysis.

Background

TAG-140 is a threat actor group that overlaps with the publicly reported group Sidecopy, a suspected Pakistani state-aligned advanced persistent threat (APT) group assessed to be a sub-cluster or operational affiliate of Transparent Tribe (also tracked as APT36, ProjectM, or MYTHIC Leopard). Active since at least 2019, TAG-140 primarily targets Indian entities, with recent activity expanding beyond traditional government, defense, maritime, and academic sectors to now include organizations affiliated with the country’s railway, oil and gas, and external affairs ministries.

The group has demonstrated (1, 2, 3) a consistent evolution in its tradecraft: leveraging spearphishing campaigns, using HTML applications (HTAs) or Microsoft Installer (MSI) packages for distribution, exploiting software vulnerabilities (for example, WinRAR), and using many different RATs such as CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, ReverseRAT, and DRAT. Their infection chains commonly target both Windows and Linux environments.

Insikt Group analyzed artifacts from a recent ClickFix campaign spoofing the Indian Ministry, which we have attributed to TAG-140 threat actors. TAG-140 created a counterfeit website mimicking the Indian Ministry of Defence's official press release portal using the malicious domain email[.]gov[.]in[.]drdosurvey[.]info, which closely resembles the legitimate government website mod[.]gov[.]in (urlscan.io). The cloned website replicated the structure and layout of the authentic portal, listing press releases from September 2023 to April 2025. However, only the link for March 2025 was active.

Clicking the active March 2025 link triggered a ClickFix-style social engineering attack. Insikt Group conducted additional analysis of the TAG-140 Windows infection chain and determined it to be similar to an infection chain reported by Seqrite Labs in their research on TAG-140 activity, which was identified in late 2024. Our analysis of the infection chain (Figure 2) reveals that the final payload is a new Delphi-based variant of DRAT (referred to as DRAT V2). Previously, DRAT was developed in .NET and was first attributed to SideCopy activity in 2023. The updated variant includes new command functionality and a slightly modified C2 protocol.

1. The user is directed to the URL below (urlscan.io). While we do not know the delivery mechanism used, based on TAG-140’s tactics, techniques, and procedures (TTPs), this is likely delivered as a spearphishing email enticing the user to click on the link. The user is then lured to click on the “March 2025 Release” link. From a Windows machine, clicking on that link redirects the user to the uniform resource identifier (URI) /captcha/windows.php.

2. The redirected website (urlscan.io) displays the warning “**Disclosure - For Official Use Only (FOUO)**” and asks the user to click “continue.”

3. Clicking “continue” runs JavaScript that copies the malicious command below to the clipboard and directs the user to paste and execute it in a command shell. The command uses mshta.exe to fetch and run a remote script (index.php/sysinte.hta) from TAG-140’s infrastructure, _trade4wealth[.]in_.

4. Execution of index.php/sysinte.hta creates and executes the BroaderAspect loader, first reported on by Seqrite Labs. BroaderAspect performs the following actions:

a. Downloads and opens the decoy document survey.pdf from the following URL:

b. Creates and executes a Windows batch file named noway.bat, which contains a command that establishes persistence for DRAT v2 by adding a registry entry to a Microsoft-defined autostart location

c. Downloads and decompresses the DRAT V2 payload from the following URLs:

d. Executes DRAT V2 with the following command:

Insikt Group attributes this activity to TAG-140 with moderate confidence based on the following aspects:

1. The impersonation and targeting of Indian defense organizations, such as the Indian Ministry of Defense, aligns with known TAG-140 targets.
2. Use of BroaderAspect loader and DRAT (either variant), both of which seem to be exclusively used by TAG-140 (1, 2), aligns with TAG-140 TTPs.
3. The domain email[.]gov[.]in[.]drdosurvey[.]info overlaps with other APT36 attacks (1, 2) and uses Namecheap as its hosting provider. We have observed in multiple instances that TAG-140 commonly uses Namecheap, along with GoDaddy and Hostinger (1, 2, 3, 4).
4. In addition to DRAT V2, TAG-140 has previously used Delphi-based malware, such as the open-source AllaKore RAT.

Technical Analysis

DRAT V2 is a lightweight RAT developed in Delphi and represents an evolution of the earlier .NET-based variant first attributed to TAG-140 in 2023. DRAT V2 introduces several updates from its predecessor, including:

• An update to its custom TCP server-initiated C2 protocol
• Enhanced Base64 obfuscation of C2 infrastructure with added prepended strings
• Updated command headers and a new command for the execution of arbitrary Windows commands

A high-level overview of DRAT V2 is provided in Figure 3.

DRAT V2 supports a set of commands that allow TAG-140 operators to perform a wide range of interactions with compromised hosts. Upon establishing communication, the malware passively awaits instructions from the C2 server. Supported operations include system reconnaissance, such as collecting the username, operating system version, system time, and current working directory, as well as connectivity validation and enumeration of local file systems and directories.

Beyond reconnaissance, DRAT V2 facilitates more active engagement with the target environment. It enables file transfers in both directions between the host and the C2 infrastructure, allowing operators to upload additional payloads or exfiltrate data. Additionally, it supports the execution of local files and arbitrary Windows shell commands, returning the output to the C2. These functions provide TAG-140 with persistent, flexible control over the infected system and allow for both automated and interactive post-exploitation activity without requiring the deployment of auxiliary malware tools. Figure 4 provides a summary of DRAT V2’s capabilities.

DRAT V2 Commands

DRAT V2 continues its use of a command interface that is a custom TCP, text-based, server-initiated protocol to support remote control capabilities across a compromised host. Command execution, file manipulation, and system reconnaissance are enabled through a structured format.

The DRAT V2 command protocol is distinguished by the use of tilde (~) and pipe (|) characters as delimiters. Upon establishing connectivity with its C2 infrastructure, the malware enters a passive state, awaiting inbound instructions from the server. These instructions span nine discrete command types (Table 1), encompassing capabilities such as host reconnaissance, file management, and direct execution. Each command follows a deterministic format, allowing the operator to orchestrate post-compromise actions with consistency and low overhead.

Table 1: DRAT V2 commands (Source: Recorded Future)

This command set enables TAG-140 to support a range of post-exploitation objectives, including host reconnaissance, data staging, and potential lateral movement. Notably, DRAT V2 extends the functionality of its predecessor by incorporating support for arbitrary command execution. Appendix B provides detailed breakdowns of each command, including parameters.

Figure 5 shows an example of the C2 communication between an infected host and the C2. In this example, the C2 server sends the command exec_this_comm~whoami, which tells the infected host to execute the command whoami. The infected host then responds with the output of the command.

DRAT vs DRAT V2

This comparative analysis highlights the technical and operational differences between the original DRAT and DRAT V2. The shift in development platforms marks a significant architectural transition that affects how the malware is compiled, executed, and potentially detected. Although both variants maintain similar core functionalities as lightweight RATs, DRAT V2 introduces meaningful enhancements in its command structure, C2 obfuscation techniques, and communication protocol while also minimizing its use of string obfuscation. These adaptations likely reflect TAG-140’s continued efforts to evolve their tooling for improved evasion, modularity, and flexibility in post-exploitation operations.

Command Header Variation

While both DRAT variants implement similar commands for remote administration, each version uses distinct naming conventions for command headers. For instance, DRAT’s system information command is labeled getInformitica, whereas DRAT V2 uses initial_infotonas. DRAT V2 also introduced a new command, exec_this_comm, which enables arbitrary shell command execution on the infected host, an enhancement not present in the original DRAT and indicative of expanded post-exploitation capabilities. The below comparison table (Table 2) presents a detailed, line-by-line breakdown of request and response headers across both versions. In that table, command mappings highlighted in green denote commands that are functionally retained across both variants, while items highlighted in yellow represent new additions exclusive to DRAT V2.

Table 2: Command comparison between DRAT and DRAT V2 (Source: Recorded Future)

Text Format in C2 Communications

Both versions leverage text-based communication protocols for C2 interactions. However, they differ in encoding requirements: DRAT V2 accepts commands in both Unicode and ASCII, but always responds in ASCII, whereas the original DRAT mandates Unicode for both input and output (Figure 6).

Differences in System Information

The system information response of both versions includes many similarities, but several differences include the text in Unicode, different command request headers, and WinDefender instead of win-def, both of which are hard-coded. Finally, the format of the Windows version in the system information response varies between DRAT and DRATV2. DRAT simply returns the value from the registry key, Software\Microsoft\Windows NT\CurrentVersion\ProductName, while DRAT V2 gets the Windows version using the API call GetVersionExW() and returns a custom string that is Base64-encoded in the source code. Table 3 outlines the differences between the two commands.

Table 3: DRAT vs DRAT V2 system information request and response fields (Source: Recorded Future)

Differences in C2 Obfuscation

In both DRAT variants, the C2 information is Base64-encoded. DRAT encodes the C2 IP address directly, while DRAT V2 modifies its approach to C2 obfuscation by prepending one of the following strings to the IP address prior to Base64 encoding:

• <><><><><><><><><><><>
• XXXXXXXXXXXXXXXXXXXXXX

These prepended patterns likely serve as rudimentary integrity checks or help prevent trivial decoding by analysts and automated tools.

String Obfuscation

String obfuscation strategies also differ between the variants. DRAT employs a more extensive scheme, using a substitution algorithm to encode both commands and operational strings. DRAT V2, on the other hand, selectively obfuscates strings, such as Windows version and C2 information, but leaves command headers in plaintext. This limited obfuscation approach in DRAT V2 may represent a trade-off between stealth and parsing reliability.

Detections

Mitigations

• Block or monitor outbound TCP connections to uncommon destination ports used by DRAT V2 for C2 operations, such as 3232, 6372, and 7771. Monitor anomalous TCP traffic that does not match known protocols that target high-numbered ports.
• Inspect network traffic for outbound command responses and inbound shell command instructions (Appendix B) encoded in Base64, ASCII, or Unicode formats. Emphasize traffic decoding and inspection, especially over TCP sessions established to unusual ports.
• Use the detection rules in this report to identify DRAT V2 execution and persistence via registry run keys, file-based loaders, and encoded C2 patterns. Deploy custom YARA rules to detect both .NET and Delphi-compiled DRAT samples.
• Deploy detection logic to monitor , which invokes remote scripts or launches secondary payloads. This is a key component in the infection chain, where malicious HTA scripts fetch and launch DRAT loaders like BroaderAspect.
• Monitor registry modification events, particularly those involving HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. TAG-140 uses these for persistence by executing DRAT V2 via disguised filenames in C:\Users\Public</span>.

Outlook

TAG-140’s deployment of DRAT V2 is consistent with the group’s long-standing practice of maintaining a broad and interchangeable suite of remote access trojans. This continued diversification complicates attribution, detection, and monitoring activity. DRAT V2 appears to be another modular addition rather than a definitive evolution, reinforcing the likelihood that TAG-140 will persist in rotating RATs across campaigns to obscure signatures and maintain operational flexibility.

Despite these challenges, the DRAT V2 infection chain exhibits limited use of defensive evasion or anti-analysis techniques. The absence of code obfuscation, sandbox evasion, or complex loader behaviors increases the feasibility of early detection through basic telemetry and static analysis. Security teams should anticipate continued experimentation with malware tooling and infection chains. Monitoring for spearphishing infrastructure, loader reuse, and behavioral indicators, rather than specific malware families, will be critical in sustaining visibility into TAG-140 activity.

Appendix A: Indicators of Compromise

Appendix B: DRAT V2 Command Parameters and Response

System Information

The initial_infotonas command initiates system-level reconnaissance by requesting host environment details, including username, OS version, timestamp, and working directory. The response is structured across seven fields.

Echo/Connectivity Test

The sup command is used to verify active communication with the compromised host.

List Volumes

The lst_of_sys_drvs command allows DRAT V2 to enumerate accessible logical drives on the target machine.

List Directories with Attributes

The here_are_dir_details command retrieves structured metadata for directories and files, including name, size, timestamp, and path. Notably, the implementation contains a flaw where the full path concatenates improperly with subsequent entries, potentially impacting operator parsing.

File Size

The filina_for_down command is used to retrieve the byte size of a specified file.

File Upload

The file_upl~ command supports the transfer of files from the C2 to the target host. The command requires specification of both the file path and size, facilitating payload staging or deployment of secondary tools.

File Execution

The this_filina_exec command executes a specified file on the host system. This capability enables the delivery of additional payloads or the execution of existing binaries within the local file system.

File Download

The fil_down_confirmina command enables exfiltration of files from the victim system to the C2 server. Unlike other responses, there is no response header, and only the raw file contents are sent to the C2.

Command Execution

The exec_this_comm command permits arbitrary shell command execution on the infected host. This adds significant flexibility for interactive operations, enabling real-time tasking and on-demand post-exploitation activity.

To read the entire analysis, click here to download the report as a PDF.