TAG-140 Deploys DRAT V2 RAT, Targeting Indian Government, Defense, and Rail Sectors


A hacking group with connections other than Pakistan has been discovered targeting Indian government organizations with a modified variant of a remote access trojan (RAT) known as DRAT.

The activity has been linked by Recorded Future’s Insikt Group to a threat actor identified as TAG-140, which overlaps with SideCopy, an adversarial collective believed to be an operational sub-cluster within Transparent Tribe (also known as APT-C-56, APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and ProjectM).

Recorded Future stated in an analysis published last month that “TAG-140 has consistently shown iterative advancement and diversity in its malware arsenal and delivery techniques.”

“This latest campaign, which impersonated the Indian Ministry of Defence through a cloned press release portal, represents a slight but significant shift in both malware architecture and command-and-control (C2) functionality.”

The updated version of DRAT, named DRAT V2, is the newest addition to SideCopy’s RAT arsenal, which also includes other tools like Action RAT, AllaKore RAT, Ares RAT, CurlBack RAT, ReverseRAT, Spark RAT, and Xeno RAT for infecting Windows and Linux systems.

The attack activity demonstrates the adversary’s evolving strategies, showcasing its ability to refine and diversify a suite of RAT malware to steal sensitive data and complicate attribution, detection, and monitoring efforts.


Attacks carried out by the threat actor have expanded their focus beyond government, defense, maritime, and academic sectors to include organizations associated with the country’s railway, oil and gas, and external affairs ministries. The group has been active since at least 2019.

The infection process documented by Recorded Future uses a ClickFix-style approach to spoof the Indian Ministry of Defence’s official press release portal and deliver DRAT V2, a new Delphi-compiled variant of the previously .NET-based DRAT.

The fake website contains an active link that, when clicked, triggers an infection process that covertly copies a malicious command to the machine’s clipboard and prompts the victim to open a command shell and paste and execute it.

This action triggers the retrieval of an HTML Application (HTA) file from an external server (“trade4wealth[.]in”), which is then executed via mshta.exe to launch a loader named BroaderAspect. The loader is responsible for downloading and executing a decoy PDF, establishing persistence through Windows Registry changes, and downloading and running DRAT V2 from the same server.

DRAT V2 introduces a new command for executing arbitrary shell commands, enhancing its post-exploitation capabilities. It also obfuscates its C2 IP addresses using Base64 encoding and updates its custom server-initiated TCP protocol to support commands entered in both ASCII and Unicode. However, the server only responds in ASCII. The original DRAT required Unicode for both input and output.

“In comparison to its predecessor, DRAT V2 reduces string obfuscation by keeping most command headers in plaintext, likely prioritizing parsing reliability over stealth,” Recorded Future stated. “DRAT V2 lacks advanced anti-analysis techniques and relies on basic infection and persistence methods, making it detectable through static and behavioral analysis.”
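As an added illustration (not Recorded Future’s code or the report’s own detections), the following Python sketches the two kinds of check the quote points at: a behavioural rule for mshta.exe fetching a remote HTA from a shell, as in the ClickFix chain above, and a static triage pass that decodes Base64 tokens to surface hidden IPv4 C2 addresses. The process events, string dump and addresses are constructed, and the Sysmon-like field names are assumptions.

```python
import base64
import ipaddress
import re

# Constructed process-creation events in a Sysmon-like shape (not from the report).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mshta https://press-lure.invalid/release/view.hta"},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Program Files\Vendor\app.exe",
     "cmdline": r"mshta C:\Program Files\Vendor\ui.hta"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad readme.txt"},
]

# Constructed string dump from a hypothetical sample; the two Base64 tokens encode
# the documentation addresses 192.0.2.10 and 203.0.113.7.
SAMPLE_STRINGS = "cmd_exec MTkyLjAuMi4xMA== upload_file MjAzLjAuMTEzLjc= Cybersecurity"

URL_ARG = re.compile(r"https?://\S+", re.IGNORECASE)
SHELLS = ("cmd.exe", "powershell.exe")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def flag_remote_mshta(events):
    """Behavioural check: mshta.exe started with a remote URL argument; 'high' when
    the parent is a command shell (the ClickFix paste-and-run chain described above)."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("mshta.exe"):
            continue
        if not URL_ARG.search(ev["cmdline"]):
            continue
        severity = "high" if ev["parent"].lower().endswith(SHELLS) else "medium"
        hits.append((ev, severity))
    return hits


def decoded_ipv4_candidates(text):
    """Static check: Base64 tokens whose decoded form is a bare IPv4 address,
    the obfuscation the report attributes to DRAT V2's C2 configuration."""
    found = []
    for tok in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True).decode("ascii").strip()
            found.append((tok, str(ipaddress.IPv4Address(raw))))
        except ValueError:  # bad padding, non-ASCII bytes, or not an IPv4 literal
            continue
    return found
```

Locally launched HTA files and ordinary Base64 that does not decode to an address are left alone, so both checks stay usable as triage filters rather than noise generators.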

Other known capabilities enable it to perform a wide range of actions on compromised hosts, including reconnaissance, uploading additional payloads, and exfiltrating data.


“These functions provide TAG-140 with persistent, flexible control over the infected system and allow for both automated and interactive post-exploitation activity without requiring the deployment of auxiliary malware tools,” the company mentioned.

“DRAT V2 appears to be another modular addition rather than a definitive evolution, reinforcing the likelihood that TAG-140 will persist in rotating RATs across campaigns to obscure signatures and maintain operational flexibility.”

APT36 Campaigns Deliver Ares RAT and DISGOMOJI

State-sponsored threat activity and coordinated hacktivist operations from Pakistan intensified during the India-Pakistan conflict in May 2025, with APT36 using the events to distribute Ares RAT in attacks on defense, government, IT, healthcare, education, and telecom sectors.

“By deploying tools like Ares RAT, attackers gained full remote access to infected systems – allowing for surveillance, data theft, and potential sabotage of critical services,” Seqrite Labs observed in May 2025.

Recent APT36 campaigns have utilized carefully crafted phishing emails with malicious PDF attachments to target Indian defense personnel.


The emails pretend to be purchase orders from the National Informatics Centre (NIC) and urge the recipients to click on a button within the PDF documents. This action leads to the download of an executable file that displays a PDF icon deceptively and uses the double extension format (e.g., *.pdf.exe) to appear legitimate to Windows users.

Aside from incorporating anti-debugging and anti-VM features to evade analysis, the binary is designed to launch a second-stage payload in memory that can gather files, log keystrokes, capture clipboard content, retrieve browser credentials, and communicate with a C2 server for data exfiltration and remote access.

“APT36 presents a significant and continuous cyber threat to national security, particularly targeting Indian defense infrastructure,” CYFIRMA stated. “The group’s use of advanced phishing techniques and credential theft demonstrates the evolving sophistication of modern cyber espionage.”


Another campaign detailed by 360 Threat Intelligence Center has utilized a new variant of a Go-based malware known as DISGOMOJI in booby-trapped ZIP files distributed through phishing attacks. The malware, as reported by the Beijing-based cybersecurity company, is an ELF executable program written in Golang and uses Google Cloud for C2, moving away from Discord.


“Moreover, browser theft plug-ins and remote management tools will be downloaded for further theft operations and remote control,” it explained. “The downloading function of the DISGOMOJI variant is similar to the previous version, but the previous one used the Discord server, while this version uses Google Cloud Service for communication.”

Confucius Drops WooperStealer and Anondoor

The cyber espionage actor known as Confucius has been linked to a new campaign that deploys an information stealer called WooperStealer and a previously undocumented modular backdoor named Anondoor.

Confucius is believed to be a threat group with objectives aligned with India. It has been active since at least 2013, targeting government and military units in South Asia and East Asia.

According to Seebug’s KnownSec 404 Team, the multi-stage attacks use Windows Shortcut (LNK) files to deliver Anondoor using DLL side-loading techniques, followed by the collection of system information and fetching of WooperStealer from a remote server.

The backdoor is feature-rich, allowing an attacker to issue commands for executing operations, capturing screenshots, downloading files, extracting passwords from the Chrome browser, and listing files and folders.

“It has evolved from the previously revealed single espionage trojan for downloading and executing to a modular backdoor, demonstrating a relatively high level of technological iteration,” KnownSec 404 Team stated. “Its backdoor component is encapsulated in a C# DLL file and evaded sandbox detection by loading the specified method through invoke.”
