A New Chapter in
A new and alarming chapter has emerged in
DRAT V2 introduces several notable improvements, including a shift from .NET to Delphi compilation, enhanced command-and-control (C2) capabilities, and a broader set of malicious commands. These refinements mark a shift toward more modular, real-time espionage tools with precision targeting. The malware is distributed using the BroaderAspect loader, which has been previously tied to the same threat actor. Once installed, DRAT V2 gives the attackers powerful tools to execute system commands, manage files, and perform reconnaissance—allowing full control over infected machines.
Interestingly, while DRAT V2 boasts a more advanced architecture and supports Unicode commands, it avoids sophisticated obfuscation and anti-analysis measures. This makes it more detectable through behavioral monitoring, though the Base64-encoded C2 addresses add a layer of obfuscation. Cybersecurity experts believe this evolution shows the group’s commitment to refining their tactics, especially in targeting critical Indian institutions.
DRAT V2’s Evolution and Functionality
DRAT V2 represents a strategic leap for TAG-140 in terms of operational complexity and stealth. Its transition to Delphi signifies an intentional move to complicate reverse engineering and diversify malware detection evasion strategies. Compared to its older .NET counterpart, this version offers a more streamlined and modular design.
Once a target opens the malicious script disguised as a government notice, the BroaderAspect loader activates, achieving persistence in the system and deploying the new DRAT V2 payload. From there, DRAT V2 facilitates real-time interaction with compromised machines, allowing the attackers to execute arbitrary shell commands, retrieve output, transfer files, and probe systems extensively.
A key highlight of DRAT V2 is its revamped C2 protocol, which uses tilde (~) and pipe (|) delimiters for structure. It supports both ASCII and Unicode input, making the malware more adaptable. These features make lateral movement and data staging easier for attackers while maintaining a steady foothold within sensitive environments.
However, despite its upgrades, DRAT V2 does not include any complex anti-debugging or sandbox-evasion routines. That means it remains vulnerable to detection if organizations implement behavioral detection methods. Network anomalies, persistent registry entries, and unrecognized TCP ports (like 3232, 6372, 7771) are indicators defenders can monitor.
Security analysts stress the importance of moving beyond signature-based detection. The ever-evolving nature of APT36’s arsenal—including tools like CurlBack, SparkRAT, and ReverseRAT—requires a dynamic and proactive cybersecurity posture. DRAT V2 is just one of many tools used by this adversary, and its modular structure hints at further evolutions on the horizon.
What Undercode Say:
A Tactical Pivot by TAG-140
The unveiling of DRAT V2 reflects a larger strategy by TAG-140 and its parent APT36 group to stay one step ahead of traditional cyber defenses. The shift from .NET to Delphi not only complicates reverse engineering efforts but signals a calculated move to diversify the malware’s ecosystem. Delphi-compiled malware is relatively uncommon in the current threat landscape, making it more elusive for detection engines trained on mainstream malware patterns.
Real-Time Control and Post-Exploitation Excellence
With the addition of real-time shell execution and command output retrieval, DRAT V2 equips its operators with on-demand control over infected systems. This isn’t just a surveillance tool—it’s an active post-exploitation platform that empowers attackers to adapt their tactics mid-operation. The exec_this_comm command encapsulates this shift: attackers no longer need to deploy new tools when they can simply interact with the shell directly.
Simplified Obfuscation with a Twist
Interestingly, DRAT V2 moves away from complex string obfuscation seen in earlier variants, which at first glance appears to reduce its stealth. However, it offsets this simplicity by encoding its C2 infrastructure using Base64 with prepended strings. This subtle shift hampers straightforward IOC detection via signature-based methods, while still allowing efficient command parsing on the attacker’s end.
Persistence without Complexity
The lack of advanced anti-analysis measures may seem like a vulnerability, but it also reflects a calculated trade-off. By keeping its persistence and infection routines basic, DRAT V2 minimizes its attack surface and avoids triggering sophisticated sandbox defenses. It relies instead on clever distribution (social engineering and spoofed portals) and operational tempo to outrun detection.
Infrastructure Spoofing and Social Engineering
The
The Broader Threat Landscape
APT36, and by extension TAG-140, has been one of the most consistent threat actors in targeting India. Their shifting toolset—including DRAT V2—reflects persistent targeting of national infrastructure and defense sectors. As geopolitical tensions evolve, especially in South Asia, the likelihood of further advanced malware variants emerging from this group is high.
Recommendations for Defenders
Organizations should pivot toward anomaly detection and behavioral analytics. Static rules are insufficient against adversaries who rotate tools and obfuscate IOCs. Monitoring unknown registry changes, outbound traffic to rare ports, and real-time shell activity can provide early warning signs.
Moreover, defenders must watch for signs of modular expansion, as DRAT V2’s structure supports future plug-ins or payloads. This malware is designed for longevity and scalability, not just a single campaign.
🔍 Fact Checker Results:
✅ DRAT V2 is Delphi-compiled, replacing the original .NET architecture
✅ Its C2 uses Base64 obfuscation and supports Unicode and ASCII inputs
❌ DRAT V2 does not include advanced anti-analysis or evasion features
📊 Prediction:
DRAT V2 marks the beginning of a modular malware family that is likely to evolve with time. Expect future variants with plugin-based architecture, expanded evasion tactics, and deeper integration with AI-driven command automation. Given the frequency of APT36 operations, Indian government institutions will remain high-priority targets, and DRAT V2 may be just the precursor to a more resilient cyber-espionage ecosystem. 🧠💣🛡️
References:
Reported By: cyberpress.org