Pakistan-Aligned APT36 Unleashes DRAT V2: New Delphi RAT Targets Indian Government
A Pakistan-aligned hacker group has once again drawn attention following its attacks on Indian government entities. According to researchers at Recorded Future, the activity is attributed to the cyber threat group TAG-140, which is believed to overlap with the notorious SideCopy collective—part of the broader operation known as Transparent Tribe (also referred to as APT-C-56, APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and ProjectM).
Experts note that TAG-140 continues to refine its tools and malware delivery techniques. Its most recent campaign showcases changes both in the architecture of the malicious software and in the command-and-control infrastructure. Notably, the threat actors mimicked the official website of India’s Ministry of Defence, crafting a counterfeit portal complete with fabricated press releases.
At the heart of this campaign is an enhanced variant of the remote access trojan DRAT, now dubbed DRAT V2. This tool adds to the growing SideCopy arsenal, which includes malware such as Action RAT, AllaKore RAT, Ares RAT, CurlBack RAT, ReverseRAT, Spark RAT, and Xeno RAT—all geared toward compromising Windows and Linux systems.
The latest version of DRAT highlights the attackers’ intent to diversify and enhance their toolkit, creating what analysts call a “modular suite” of interchangeable trojans. This strategy not only facilitates the theft of sensitive data but also complicates efforts to trace and identify the perpetrators.
According to Recorded Future, TAG-140’s operations have expanded beyond conventional targets such as governmental bodies, defense sectors, maritime organizations, and academic institutions. The group’s focus now also encompasses industries like railway infrastructure, oil and gas, and India’s Ministry of External Affairs. These campaigns trace back to at least 2019.
The attack sequence typically begins with a ClickFix scheme—users are lured to a counterfeit website that mirrors the official portal of India’s Ministry of Defence. There, a malicious command is disguised as a legitimate link. Victims are then persuaded to copy and execute the command in the Windows command line manually.
This command initiates the download of an HTML Application (HTA) file from an external domain, “trade4wealth[.]in.” It is executed via the native Windows utility mshta.exe. Once launched, a helper tool named BroaderAspect installs persistence mechanisms by modifying registry keys, displaying a decoy PDF file, and finally retrieving the DRAT V2 payload.
DRAT V2 introduces several enhancements. It enables arbitrary command execution via the command line, broadening the attacker’s post-compromise capabilities. The malware’s command-and-control infrastructure now employs Base64-encoded IP addresses to obscure its servers. Additionally, its communication protocol has been refined: while the previous version relied exclusively on Unicode for both sending and receiving commands, the new version supports command inputs in ASCII and Unicode, with responses returned solely in ASCII.
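As an added example (not code from the article or from the Recorded Future report), the following Python hunt illustrates how an analyst can surface Base64-encoded C2 addresses of the kind described above: it decodes candidate Base64 tokens pulled from a binary's strings or a captured beacon and keeps only those that yield a valid IPv4 address, optionally with a port. The sample tokens are constructed for this example using RFC 5737 documentation addresses, not real indicators.

```python
import base64
import ipaddress
import re

# Constructed sample: tokens as they might be pulled from a suspicious
# binary's strings or a captured beacon. The addresses are RFC 5737
# documentation ranges chosen for this example, not real indicators.
SAMPLE_STRINGS = [
    "MTkyLjAuMi4xMA==",          # base64("192.0.2.10")
    "MjAzLjAuMTEzLjQ1OjQ0NDM=",  # base64("203.0.113.45:4443")
    "SGVsbG8gV29ybGQ=",          # base64("Hello World") -> not an IP
    "cmd.exe /c mshta.exe",      # not Base64 at all
    "aHR0cDovL2V4YW1wbGUuY29t",  # base64("http://example.com") -> not an IP
]

# Loose Base64 shape check; the real validation happens on decode.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")
# Dotted-quad with an optional ":port" suffix.
IPPORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")


def decode_b64_ip(token):
    """Return (ip, port) if token is Base64 of 'A.B.C.D' or 'A.B.C.D:port', else None."""
    if not B64_RE.match(token) or len(token) % 4:
        return None
    try:
        # validate=True rejects stray characters instead of silently skipping them
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    m = IPPORT_RE.match(text)
    if not m:
        return None
    try:
        ipaddress.IPv4Address(m.group(1))  # rejects octets > 255
    except ValueError:
        return None
    port = int(m.group(2)) if m.group(2) else None
    if port is not None and not 0 < port < 65536:
        return None
    return m.group(1), port


def hunt_encoded_c2(strings):
    """Return a list of (token, ip, port) for every Base64-encoded IPv4 found."""
    hits = []
    for s in strings:
        result = decode_b64_ip(s.strip())
        if result:
            hits.append((s, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for token, ip, port in hunt_encoded_c2(SAMPLE_STRINGS):
        print(f"{token} -> {ip}" + (f":{port}" if port else ""))
```

Decoded hits can be compared against firewall and proxy logs to confirm whether the host ever reached the recovered address.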
Analysts observe that DRAT V2 has adopted a simpler obfuscation strategy. Many command headers are now left unencrypted, which may contribute to greater operational stability but also makes the malware more susceptible to static and behavioral analysis. Despite lacking advanced anti-detection mechanisms, DRAT V2 remains dangerous due to its ability to conduct reconnaissance, deploy additional malicious modules, and exfiltrate data.
According to Recorded Future, the emergence of DRAT V2 does not signify a radical technological leap, but rather a steady evolution of TAG-140’s arsenal. This incremental development allows the group to routinely rotate its malware toolkit, thereby hindering detection efforts and affording tactical flexibility during operations.