
DRAT V2: Updated DRAT Emerges in Arsenal

Medium
Published: Mon Jun 23 2025 (06/23/2025, 18:23:18 UTC)
Source: AlienVault OTX General

Description

TAG-140, a threat actor group overlapping with SideCopy, has deployed an updated version of their DRAT remote access trojan, dubbed DRAT V2. This new variant, developed in Delphi, introduces enhanced command and control capabilities, including arbitrary shell command execution and improved C2 obfuscation techniques. The malware was distributed through a ClickFix-style social engineering attack, using a cloned Indian Ministry of Defence press portal. DRAT V2 demonstrates TAG-140's ongoing refinement of their tooling and their continued focus on Indian government and defense targets.

AI-Powered Analysis

Last updated: 06/24/2025, 14:24:42 UTC

Technical Analysis

DRAT V2 is an updated variant of the DRAT remote access trojan (RAT) deployed by TAG-140, a threat actor group that overlaps with SideCopy. The malware is written in Delphi and extends TAG-140's toolkit with enhanced command-and-control (C2) capabilities. Most notably, DRAT V2 accepts arbitrary shell commands from the operator, so post-compromise activity is no longer limited to a fixed command set; it also obfuscates its C2 traffic, which hinders network-based detection and attribution. Delivery was a ClickFix-style social engineering lure hosted on a cloned Indian Ministry of Defence press portal, which tricked visitors into running the malware themselves; the choice of lure points to a campaign aimed at Indian government and defense organizations. The observed tradecraft maps to several MITRE ATT&CK techniques, including T1566.002 (Phishing: Spearphishing Link), T1204.002 (User Execution: Malicious File), T1059 (Command and Scripting Interpreter), T1033 (System Owner/User Discovery), T1071 (Application Layer Protocol) and T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder), among others. The published indicators comprise file hashes, one IP address and two domains (listed below). No exploitation of a software vulnerability is reported; initial access depends entirely on user interaction, which is why the lure, not an exploit, is the component to detect and block. Even so, the continued refinement of the tooling and the narrow targeting indicate a persistent actor working to maintain access and evade detection in high-value environments.

Potential Impact

For European organizations the direct impact is currently limited, because the campaign targets Indian government and defense entities. The capabilities themselves, arbitrary shell command execution and obfuscated C2, are not target-specific, so the risk rises if the malware or a derivative is turned on other victims. European defense, government and critical-infrastructure organizations that exchange data with Indian counterparts could be exposed indirectly through a compromised partner or supplier. A RAT with arbitrary command execution threatens the confidentiality, integrity and availability of the host it runs on and can be used for data exfiltration, espionage or disruption of operations. The lure, a cloned official portal driving a ClickFix-style copy-and-paste, is easily re-skinned for a European audience and illustrates a phishing pattern worth training against regardless of the current targeting. Detection is also not trivial: Delphi binaries receive less attention from many analysis tools and signature sets, and the C2 obfuscation reduces the value of simple network signatures, both of which can extend dwell time. No widespread exploitation is reported, but vigilance is warranted against lateral spread or adoption of the technique by actors that do target European organizations.

Mitigation Recommendations

Run targeted phishing-awareness training that covers cloned government or defense portals and the ClickFix pattern specifically: a web page that tells the user to copy a command and paste it into the Run dialog, a terminal or PowerShell is a red flag, and no legitimate press portal needs that.

Deploy endpoint detection and response (EDR) capable of flagging anomalous child processes and obfuscated C2 traffic, and hunt for the ATT&CK techniques attributed to DRAT V2, in particular T1059 (a command or scripting interpreter spawned from a user-facing process) and T1547.001 (new Registry Run keys or Startup-folder entries). Enforce application allowlisting so unsigned or untrusted binaries, including anything dropped into user-writable directories, cannot execute. Delphi is common in legitimate software, so treat "unexpected Delphi executable" as a weak signal to be combined with these behavioural indicators rather than as an alert on its own.

Block and monitor the published indicators at the perimeter: the domains trade4wealth.in and email.gov.in.drdosurvey.info (block the whole registrable domain drdosurvey.info; the "email.gov.in" prefix is a lookalike of the Indian government suffix, not part of it), the IP address 154.38.175.83, and the file hashes listed below. Match DNS and proxy logs on domain suffix rather than exact string so that subdomains of the IOC domains are also caught.

Maintain an incident response playbook for RAT infections that covers rapid containment, forensic triage of the persistence mechanism and C2 channel, and eradication. Share indicators and observations with national cybersecurity centres and international partners to stay current on TAG-140 variants.
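To make the network and host monitoring recommendations above concrete, here is an added example, written for this page and not taken from the Recorded Future report or the OTX pulse, that matches log lines against the indicators listed in the Indicators of Compromise section. It assumes a constructed "TIMESTAMP KIND key=value ..." log format and constructed sample lines (no real sensor emits exactly this), and the gov.in lookalike heuristic is this example's own generalization of the email.gov.in.drdosurvey.info trick, not a detection rule from the report.

```python
"""Added example (not from the Recorded Future report or the OTX pulse): match
DNS, connection and process-creation log lines against the DRAT V2 indicators
listed on this page. The 'TIMESTAMP KIND key=value ...' log format and the
sample lines below are constructed for illustration, not the output of any sensor."""
import re
from typing import Dict, Iterable, List, Optional

# Indicators copied from the Indicators of Compromise section of this page.
IOC_DOMAINS = {"trade4wealth.in", "email.gov.in.drdosurvey.info"}
IOC_IPS = {"154.38.175.83"}
IOC_HASHES = {
    "ff13b07eaabf984900e88657f5d193e6",                                  # MD5
    "42eb5f61005ba0761b86f1ff199181946ddfb14f",                          # SHA-1
    "0d68012308ea41c6327eeb73eea33f4fb657c4ee051e0d40a3ef9fc8992ed316",  # SHA-256 (this and below)
    "830cd96aba6c328b1421bf64caa2b64f9e24d72c7118ff99d7ccac296e1bf13d",
    "c328cec5d6062f200998b7680fab4ac311eafaf805ca43c487cda43498479e60",
    "c73d278f7c30f8394aeb2ecbf8f646f10dcff1c617e1583c127e70c871e6f8b7",
    "ce98542131598b7af5d8aa546efe8c33a9762fb70bff4574227ecaed7fff8802",
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize_name(name: str) -> str:
    """Lower-case and drop the trailing dot that resolvers and Zeek often log."""
    return name.strip().lower().rstrip(".")


def matching_ioc_domain(name: str) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.
    The suffix test is label-aligned, so 'xtrade4wealth.in' does not match."""
    name = normalize_name(name)
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def spoofs_gov_in(name: str) -> bool:
    """Heuristic (an assumption of this example, not a rule from the report):
    flag names that embed the 'gov.in' label pair anywhere except at the end,
    the trick used by email.gov.in.drdosurvey.info, whose registrable domain
    is drdosurvey.info. Names genuinely under gov.in return False."""
    labels = normalize_name(name).split(".")
    if labels[-2:] == ["gov", "in"]:
        return False
    return any(labels[i:i + 2] == ["gov", "in"] for i in range(len(labels) - 2))


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'TIMESTAMP KIND k=v k=v ...' (constructed format) into a dict."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return {}
    rec = {"ts": parts[0], "kind": parts[1]}
    if len(parts) == 3:
        rec.update((k.lower(), v) for k, v in KV_RE.findall(parts[2]))
    return rec


def _alert(rec: Dict[str, str], rule: str, value: str) -> Dict[str, str]:
    return {"ts": rec["ts"], "client": rec.get("client", "?"), "rule": rule, "value": value}


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One alert per line that touches a listed indicator or a gov.in lookalike."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        kind = rec.get("kind")
        if kind == "dns" and "query" in rec:
            ioc = matching_ioc_domain(rec["query"])
            if ioc:
                alerts.append(_alert(rec, "ioc-domain", ioc))
            elif spoofs_gov_in(rec["query"]):
                alerts.append(_alert(rec, "gov.in-lookalike", normalize_name(rec["query"])))
        elif kind == "conn" and rec.get("dst") in IOC_IPS:
            alerts.append(_alert(rec, "ioc-ip", rec["dst"]))
        elif kind == "proc":
            # Accept whichever digest the sensor recorded; the page lists all three kinds.
            for algo in ("md5", "sha1", "sha256"):
                digest = rec.get(algo, "").lower()
                if digest in IOC_HASHES:
                    alerts.append(_alert(rec, "ioc-" + algo, digest))
    return alerts


# Constructed sample log: one hit per indicator type, one lookalike, two benign lines.
SAMPLE_LOG = """\
2025-06-23T10:14:02Z dns query=email.gov.in.drdosurvey.info. client=10.0.0.15
2025-06-23T10:14:05Z conn dst=154.38.175.83 dport=443 client=10.0.0.15
2025-06-23T10:14:07Z proc image=C:\\Users\\u\\AppData\\Local\\Temp\\update.exe sha256=0d68012308ea41c6327eeb73eea33f4fb657c4ee051e0d40a3ef9fc8992ed316 client=10.0.0.15
2025-06-23T10:20:11Z dns query=mail.gov.in.some-other-host.example client=10.0.0.22
2025-06-23T10:21:00Z dns query=xtrade4wealth.in client=10.0.0.30
2025-06-23T10:22:00Z dns query=www.mod.gov.in client=10.0.0.31
""".splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['client']} {a['rule']} {a['value']}")
```

The two benign lines are the cases that naive string matching gets wrong: xtrade4wealth.in shares a substring with an indicator but is a different registrable domain and must not fire, while www.mod.gov.in is genuinely under gov.in and must not be flagged as a lookalike. In production the domain list would come from a threat-intel feed rather than a literal set, and the parser would be the one for your actual DNS, firewall and EDR log formats.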


Technical Details

Author: AlienVault
TLP: white
References: https://go.recordedfuture.com/hubfs/reports/cta-2025-0623.pdf
Adversary: TAG-140
Pulse Id: 68599b9609a7c9c2dd3baefa
Threat Score: null

Indicators of Compromise

Hash (algorithm inferred from digest length; no descriptions were published)
ff13b07eaabf984900e88657f5d193e6 (MD5)
42eb5f61005ba0761b86f1ff199181946ddfb14f (SHA-1)
0d68012308ea41c6327eeb73eea33f4fb657c4ee051e0d40a3ef9fc8992ed316 (SHA-256)
830cd96aba6c328b1421bf64caa2b64f9e24d72c7118ff99d7ccac296e1bf13d (SHA-256)
c328cec5d6062f200998b7680fab4ac311eafaf805ca43c487cda43498479e60 (SHA-256)
c73d278f7c30f8394aeb2ecbf8f646f10dcff1c617e1583c127e70c871e6f8b7 (SHA-256)
ce98542131598b7af5d8aa546efe8c33a9762fb70bff4574227ecaed7fff8802 (SHA-256)

IP
154.38.175.83

Domain
trade4wealth.in
email.gov.in.drdosurvey.info

Threat ID: 685ab4fdaf41c610cd95c1c3

Added to database: 6/24/2025, 2:23:57 PM

Last enriched: 6/24/2025, 2:24:42 PM

Last updated: 8/18/2025, 9:24:53 PM
