DRAT V2 is an updated variant of the DRAT remote access trojan (RAT) deployed by the threat actor group TAG-140, which overlaps with the SideCopy group. This malware is developed in Delphi and represents a significant evolution in TAG-140's toolkit, featuring enhanced command and control (C2) capabilities. Notably, DRAT V2 supports arbitrary shell command execution, allowing attackers to execute a wide range of commands on compromised systems, thereby increasing the scope of potential malicious activities. The malware also incorporates advanced C2 obfuscation techniques, making detection and attribution more difficult for defenders. The distribution method for DRAT V2 involves a social engineering attack modeled after the ClickFix style, leveraging a cloned Indian Ministry of Defence press portal to lure victims into executing the malware. This indicates a targeted campaign focusing on Indian government and defense sectors. The malware's tactics align with several MITRE ATT&CK techniques, including T1033 (System Owner/User Discovery), T1204.002 (User Execution: Malicious File), T1566.002 (Phishing: Spearphishing Link), T1071 (Application Layer Protocol), T1059 (Command and Scripting Interpreter), and T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder), among others. Indicators of compromise include multiple file hashes, IP addresses, and domains associated with the campaign. While no known exploits in the wild have been reported, the sophistication and targeted nature of DRAT V2 suggest a persistent threat actor refining their capabilities to maintain access and evade detection within high-value environments.

For European organizations, the direct impact of DRAT V2 is currently limited due to its targeting focus on Indian government and defense sectors. However, the enhanced capabilities of DRAT V2, such as arbitrary shell command execution and sophisticated C2 obfuscation, pose a potential risk if the malware or its variants spread beyond their initial targets. European entities involved in defense, government, or critical infrastructure that maintain partnerships or data exchanges with Indian counterparts could be at risk through supply chain or third-party compromise. The malware’s ability to execute arbitrary commands threatens confidentiality, integrity, and availability of affected systems, potentially leading to data exfiltration, espionage, or disruption of operations. The social engineering vector using a cloned official portal highlights the risk of targeted phishing campaigns that could be adapted to European contexts. Additionally, the use of Delphi as a development language and advanced obfuscation techniques complicates detection and response efforts, increasing dwell time and potential damage. While no widespread exploitation is reported, vigilance is necessary to prevent lateral spread or adaptation by other threat actors targeting European organizations.

Implement targeted phishing awareness training that includes scenarios involving cloned official government or defense portals to improve user recognition of social engineering attempts. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting anomalous command execution and obfuscated C2 communications, with custom rules tuned to identify Delphi-based malware behaviors. Monitor network traffic for suspicious connections to known malicious domains and IP addresses associated with DRAT V2, such as 'trade4wealth.in' and 'email.gov.in.drdosurvey.info', and block these at perimeter defenses. Conduct regular threat hunting exercises focusing on MITRE ATT&CK techniques used by DRAT V2, including T1059 (command execution) and T1547.001 (persistence mechanisms), to identify early signs of compromise. Apply strict application whitelisting policies to prevent execution of unauthorized binaries, especially those not digitally signed or originating from untrusted sources. Maintain up-to-date inventories of software and monitor for unusual Delphi-based executables, as this language is less common and may indicate malicious activity in certain environments. Establish incident response playbooks specifically addressing RAT infections with capabilities for rapid containment, forensic analysis, and eradication. Engage in information sharing with national cybersecurity centers and international partners to stay informed about emerging variants and indicators related to TAG-140 activities.