DRAT V2: Updated DRAT Emerges in Arsenal
TAG-140, a threat actor group overlapping with SideCopy, has deployed an updated version of their DRAT remote access trojan, dubbed DRAT V2. This new variant, developed in Delphi, introduces enhanced command and control capabilities, including arbitrary shell command execution and improved C2 obfuscation techniques. The malware was distributed through a ClickFix-style social engineering attack, using a cloned Indian Ministry of Defence press portal. DRAT V2 demonstrates TAG-140's ongoing refinement of their tooling and their continued focus on Indian government and defense targets.
AI Analysis
Technical Summary
DRAT V2 is an updated variant of the DRAT remote access trojan (RAT) deployed by the threat actor group TAG-140, which overlaps with the SideCopy group. This malware is developed in Delphi and represents a significant evolution in TAG-140's toolkit, featuring enhanced command and control (C2) capabilities. Notably, DRAT V2 supports arbitrary shell command execution, allowing attackers to execute a wide range of commands on compromised systems, thereby increasing the scope of potential malicious activities. The malware also incorporates advanced C2 obfuscation techniques, making detection and attribution more difficult for defenders.

The distribution method for DRAT V2 involves a social engineering attack modeled after the ClickFix style, leveraging a cloned Indian Ministry of Defence press portal to lure victims into executing the malware. This indicates a targeted campaign focusing on Indian government and defense sectors. The malware's tactics align with several MITRE ATT&CK techniques, including T1033 (System Owner/User Discovery), T1204.002 (User Execution: Malicious File), T1566.002 (Phishing: Spearphishing Link), T1071 (Application Layer Protocol), T1059 (Command and Scripting Interpreter), and T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder), among others.

Indicators of compromise include multiple file hashes, IP addresses, and domains associated with the campaign. While no known exploits in the wild have been reported, the sophistication and targeted nature of DRAT V2 suggest a persistent threat actor refining their capabilities to maintain access and evade detection within high-value environments.
Potential Impact
For European organizations, the direct impact of DRAT V2 is currently limited due to its targeting focus on Indian government and defense sectors. However, the enhanced capabilities of DRAT V2, such as arbitrary shell command execution and sophisticated C2 obfuscation, pose a potential risk if the malware or its variants spread beyond their initial targets. European entities involved in defense, government, or critical infrastructure that maintain partnerships or data exchanges with Indian counterparts could be at risk through supply chain or third-party compromise. The malware’s ability to execute arbitrary commands threatens confidentiality, integrity, and availability of affected systems, potentially leading to data exfiltration, espionage, or disruption of operations. The social engineering vector using a cloned official portal highlights the risk of targeted phishing campaigns that could be adapted to European contexts. Additionally, the use of Delphi as a development language and advanced obfuscation techniques complicates detection and response efforts, increasing dwell time and potential damage. While no widespread exploitation is reported, vigilance is necessary to prevent lateral spread or adaptation by other threat actors targeting European organizations.
Mitigation Recommendations
- Implement targeted phishing awareness training that includes scenarios involving cloned official government or defense portals to improve user recognition of social engineering attempts.
- Deploy advanced endpoint detection and response (EDR) solutions capable of detecting anomalous command execution and obfuscated C2 communications, with custom rules tuned to identify Delphi-based malware behaviors.
- Monitor network traffic for suspicious connections to known malicious domains and IP addresses associated with DRAT V2, such as 'trade4wealth.in' and 'email.gov.in.drdosurvey.info', and block these at perimeter defenses.
- Conduct regular threat hunting exercises focusing on MITRE ATT&CK techniques used by DRAT V2, including T1059 (command execution) and T1547.001 (persistence mechanisms), to identify early signs of compromise.
- Apply strict application whitelisting policies to prevent execution of unauthorized binaries, especially those not digitally signed or originating from untrusted sources.
- Maintain up-to-date inventories of software and monitor for unusual Delphi-based executables, as this language is less common and may indicate malicious activity in certain environments.
- Establish incident response playbooks specifically addressing RAT infections with capabilities for rapid containment, forensic analysis, and eradication.
- Engage in information sharing with national cybersecurity centers and international partners to stay informed about emerging variants and indicators related to TAG-140 activities.
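As an added illustration of the network-monitoring recommendation above (example code written for this page, not from the advisory, AlienVault or Recorded Future), the following Python matches constructed DNS log lines against the two domains and the IP listed on this page. It uses label-wise suffix matching rather than substring matching, and it flags names such as 'email.gov.in.drdosurvey.info' that embed a trusted zone in the middle of the name; the log format and the trusted-zone list are assumptions.

```python
"""Match DNS log lines against the DRAT V2 network IOCs from this advisory.
Added example, not part of the original page; the log lines are constructed."""

# Network IOCs taken from the advisory (the file hashes are not needed here).
IOC_DOMAINS = {"trade4wealth.in", "email.gov.in.drdosurvey.info"}
IOC_IPS = {"154.38.175.83"}

# Constructed sample log: "timestamp client query qname answer" (assumed format).
SAMPLE_LOG = """\
2025-06-24T14:10:01Z 10.0.0.15 query www.mod.gov.in 203.0.113.10
2025-06-24T14:10:07Z 10.0.0.15 query email.gov.in.drdosurvey.info 154.38.175.83
2025-06-24T14:11:30Z 10.0.0.22 query cdn.trade4wealth.in 198.51.100.7
2025-06-24T14:12:02Z 10.0.0.31 query trade4wealth.in.example.org 192.0.2.5
2025-06-24T14:12:45Z 10.0.0.31 query mail.example.org 154.38.175.83
"""


def domain_matches(qname, ioc):
    """True if qname equals the IOC or is a subdomain of it (never a bare substring)."""
    q, i = qname.lower().rstrip("."), ioc.lower().rstrip(".")
    return q == i or q.endswith("." + i)


def looks_like_spoof(qname, trusted_zones=("gov.in",)):
    """Flag a name whose labels contain a trusted zone anywhere except as its suffix,
    e.g. email.gov.in.drdosurvey.info, which a substring check for 'gov.in' would pass."""
    labels = qname.lower().rstrip(".").split(".")
    for zone in trusted_zones:
        z = zone.split(".")
        for start in range(0, len(labels) - len(z)):  # suffix position excluded
            if labels[start:start + len(z)] == z:
                return True
    return False


def find_ioc_hits(log_text):
    """Return (timestamp, client, qname, reasons) for every line that touches an IOC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "query":
            continue  # skip malformed or non-query lines
        ts, client, _, qname, answer = parts
        reasons = [f"domain:{d}" for d in IOC_DOMAINS if domain_matches(qname, d)]
        if answer in IOC_IPS:
            reasons.append(f"ip:{answer}")
        if reasons:
            hits.append((ts, client, qname, reasons))
    return hits
```

The fourth sample line ('trade4wealth.in.example.org') is deliberately not a hit, since it is not a subdomain of the IOC; the last line is caught only by its resolved address.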
Affected Countries
United Kingdom, Germany, France, Italy, Poland
Indicators of Compromise
- ip: 154.38.175.83
- domain: trade4wealth.in
- domain: email.gov.in.drdosurvey.info
Technical Details
- Author: AlienVault
- TLP: white
- References: https://go.recordedfuture.com/hubfs/reports/cta-2025-0623.pdf
- Adversary: TAG-140
- Pulse Id: 68599b9609a7c9c2dd3baefa
- Threat Score: null
Threat ID: 685ab4fdaf41c610cd95c1c3
Added to database: 6/24/2025, 2:23:57 PM
Last enriched: 6/24/2025, 2:24:42 PM
Last updated: 8/18/2025, 9:24:53 PM