
Pakistani-linked Threat Group Targets Indian Govt.

The campaign represents a “slight but notable shift in both malware architecture and command-and-control functionality”, the researchers noted

A suspected Pakistani state-aligned hacking group has been observed targeting Indian government organisations in a new cyber espionage campaign that employs a modified version of the DRAT remote access Trojan (RAT), researchers from Recorded Future have revealed.

Dubbed TAG-140, the group is believed to overlap with SideCopy, a subgroup associated with Transparent Tribe — a long-standing advanced persistent threat (APT) group linked to Pakistan. According to Recorded Future’s Insikt Group, the threat actors used a cloned press release portal to impersonate India’s Ministry of Defence in a bid to distribute malware.

The campaign represents a “slight but notable shift in both malware architecture and command-and-control functionality”, the researchers noted. While Transparent Tribe has historically focused on the defence, academic, and maritime sectors, TAG-140 has broadened its scope to include organisations affiliated with India’s oil and gas, railway, and external affairs ministries.

The group’s latest tactic involves deploying DRAT Version 2 — a Delphi-compiled variant that replaces its previous .NET-based build. The update incorporates enhancements to its command-and-control (C2) capabilities and custom TCP-based communication protocols, expanding the Trojan’s functional scope.

DRAT V2 is one of several malware tools used by the group, alongside CurlBack, SparkRAT, AresRAT, AllaKore, Xeno RAT, and ReverseRAT. Once executed, the malware provides persistent access, allowing attackers to exfiltrate data, upload additional payloads, and perform reconnaissance without relying on auxiliary tools.

Initial access is suspected to be gained through spear-phishing emails in a social engineering technique likened to ClickFix. Victims were reportedly lured into executing a malicious script via mshta.exe, which led to the deployment of BroaderAspect — a known .NET loader previously linked to TAG-140. This component is responsible for establishing persistence and launching DRAT V2.

Researchers note that, despite its updated capabilities, DRAT V2 relies on relatively basic infection and persistence mechanisms, which could make it vulnerable to static and behavioural detection methods.

Insikt Group stressed the importance of monitoring for infrastructure reuse and behavioural indicators, rather than relying solely on malware signatures, in order to maintain visibility into TAG-140’s evolving activity.
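One way to act on that advice for the mshta.exe stage described above is a behavioural check over process-creation events rather than a hash or signature match. The block below is an added example, not code from Recorded Future or from the article; the event format, the heuristics, the parent-process and script-host sets, and the sample events are all constructed for illustration.

```python
"""Behavioural detection of the mshta.exe execution chain described above.
Added example; event format, heuristics and sample events are constructed for
illustration and do not come from the Recorded Future report."""
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the created process
    cmdline: str  # full command line of the created process

# mshta.exe pointed at remote content or an inline script URI (assumed heuristic).
REMOTE_OR_INLINE = re.compile(r"https?://|\\\\\S+|javascript:|vbscript:", re.I)
# Parents suggesting a lure opened from mail or a document (assumed set).
LURE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
# Script hosts and user-writable paths a loader stage would involve (assumed).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)

def evaluate(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event matches the chain (empty list if none)."""
    reasons = []
    image, parent = ev.image.lower(), ev.parent.lower()
    if image == "mshta.exe":
        if REMOTE_OR_INLINE.search(ev.cmdline):
            reasons.append("mshta.exe given remote or inline-script argument")
        if parent in LURE_PARENTS:
            reasons.append(f"mshta.exe spawned by {parent}")
    elif parent == "mshta.exe" and (image in SCRIPT_HOSTS or USER_WRITABLE.search(ev.cmdline)):
        # Follow-on stage: script host or binary in a user-writable path (dropped loader).
        reasons.append(f"mshta.exe launched follow-on process {image}")
    return reasons

def scan(events):
    """Pair each suspicious event with its reasons; benign events are dropped."""
    return [(ev, r) for ev in events if (r := evaluate(ev))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "mshta.exe", r"mshta.exe C:\Users\u\Desktop\help.hta"),
    ProcessEvent("outlook.exe", "mshta.exe", "mshta.exe https://example.invalid/press-release.hta"),
    ProcessEvent("explorer.exe", "mshta.exe", "mshta.exe javascript:window.close()"),
    ProcessEvent("mshta.exe", "loader.exe", r"C:\Users\u\AppData\Local\Temp\loader.exe"),
    ProcessEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"{ev.parent} -> {ev.image}: {'; '.join(reasons)}")
```

The locally opened .hta and the service host are left alone, while the mail-spawned remote fetch, the inline script URI, and the hand-off to a binary under the user profile are each flagged with the reason that fired.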

The findings add to growing concerns over state-backed cyber operations in South Asia, where geopolitical tensions continue to spill into the digital realm.
