Cyber Espionage Campaign Takes a Dangerous Turn
A new cyber espionage campaign has been uncovered, revealing an alarming escalation in cross-border digital warfare. A threat group, believed to be linked to Pakistan, is targeting Indian government agencies using an upgraded variant of a remote access trojan (RAT) known as DRAT. The attack is being carried out by TAG-140, a subgroup associated with the notorious SideCopy collective, which is itself believed to be a subset of Transparent Tribe (APT36).
Overview of the Operation: A Tactical Malware Evolution
The operation begins with the impersonation of India's Ministry of Defence through a cloned press release portal. This phishing tactic tricks unsuspecting users into initiating an infection sequence. A single active link on the fake site triggers a script that leads to the download of an HTA file via mshta.exe. This file activates a loader named BroaderAspect, which then downloads and launches DRAT V2 from an external server ("trade4wealth[.]in").
DRAT V2 boasts expanded capabilities, including arbitrary shell command execution and support for both ASCII and Unicode input (though it only responds in ASCII). The malware reduces string obfuscation to favor reliable command parsing, and while it lacks sophisticated anti-analysis features, it still manages to evade detection using basic persistence and execution tactics.
This latest campaign also integrates other RATs used by SideCopy, including Action RAT, AllaKore RAT, Ares RAT, CurlBack RAT, ReverseRAT, Spark RAT, and Xeno RAT. These tools are deployed interchangeably across platforms like Windows and Linux, enabling extensive data exfiltration, reconnaissance, and long-term persistence.
The attack spectrum has widened from traditional targets in defense and academia to include railway, oil and gas, and external affairs ministries, showing a clear expansion of strategic objectives.
Notably, the campaign is not limited to DRAT alone. In the aftermath of the May 2025 India-Pakistan conflict, APT36 deployed Ares RAT to exploit tensions. Phishing emails disguised as official purchase orders from the National Informatics Centre lured victims into downloading malware hidden behind a double extension file (e.g., ".pdf.exe"). This enabled attackers to record keystrokes, steal browser credentials, and gain remote access to infected systems.
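Two of the tradecraft details above are cheap to hunt for from the defender's side: mshta.exe being launched by a browser or handed a remote HTA (the BroaderAspect delivery chain), and lure files whose document extension masks an executable (the ".pdf.exe" purchase-order attachments). The following is an added triage example, not code from the article or from any of the vendors it cites; the process-creation events, hostnames and filenames are constructed samples, and the field names (parent, image, cmdline) are assumed rather than taken from any particular EDR schema.

```python
"""Triage helpers for two lure patterns: suspicious mshta.exe launches and
deceptive double-extension filenames. Constructed sample data only."""
import re
from pathlib import PureWindowsPath

# Parents that should essentially never spawn mshta.exe in normal use.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Path fragments typical of user-writable staging locations.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")
# Outer extensions that run as code when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}
# Inner extensions attackers use to make the file look like a document or image.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

# Constructed process-creation events (assumed schema; not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "https://press-release-lookalike.example/update.hta"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\stage.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Constructed attachment names from a mail gateway quarantine.
SAMPLE_FILENAMES = ["Purchase_Order_NIC.pdf.exe", "quarterly-report.docx", "archive.tar.gz"]


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def mshta_reasons(event: dict) -> list[str]:
    """Return the reasons an mshta.exe launch looks suspicious (empty if benign)."""
    reasons = []
    if basename(event["image"]) != "mshta.exe":
        return reasons
    cmd = event["cmdline"]
    if basename(event["parent"]) in BROWSERS:
        reasons.append("mshta.exe spawned by a web browser")
    if re.search(r"https?://", cmd, re.IGNORECASE):
        reasons.append("mshta.exe given a remote URL")
    if re.search(r"\.hta\b", cmd, re.IGNORECASE) and any(m in cmd.lower() for m in USER_WRITABLE):
        reasons.append("HTA executed from a user-writable path")
    return reasons


def is_deceptive_double_extension(filename: str) -> bool:
    """True when a document/image extension sits directly in front of an executable one.
    Windows hides known extensions by default, so 'Order.pdf.exe' displays as 'Order.pdf'."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return outer in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS


def triage(events: list[dict], filenames: list[str]) -> list[tuple[str, str]]:
    """Run both checks and return (artifact, reason) pairs for review."""
    findings = []
    for event in events:
        for reason in mshta_reasons(event):
            findings.append((event["cmdline"], reason))
    for name in filenames:
        if is_deceptive_double_extension(name):
            findings.append((name, "document extension masking an executable"))
    return findings


if __name__ == "__main__":
    for artifact, reason in triage(SAMPLE_EVENTS, SAMPLE_FILENAMES):
        print(f"{reason}: {artifact}")
```

The mshta check deliberately reports every matching reason rather than the first one, because a browser parent plus a remote URL is a much stronger signal than either alone and analysts usually want the full justification in the alert. The double-extension check only looks at the two outermost extensions, so legitimate layered names such as archive.tar.gz are not flagged.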
Adding to the threat landscape, the 360 Threat Intelligence Center identified DISGOMOJI, a Go-based malware now using Google Cloud services instead of Discord for command and control, a strategic shift in infrastructure.
Meanwhile, Confucius, a group allegedly aligned with Indian interests, is actively deploying a modular backdoor called Anondoor and an information stealer named WooperStealer. These campaigns use LNK files and DLL side-loading to evade sandbox detection, collecting system data and enabling extensive remote operations.
What Undercode Says:
Growing Complexity in Cyber Threat Ecosystems
The nature of these campaigns reveals a chilling truth: cyber warfare between nation-states is no longer just hypothetical; it is active and intensifying. The tactical use of DRAT V2 showcases how adversaries are fine-tuning their malware for enhanced operational control. By minimizing string obfuscation and expanding C2 support, TAG-140 isn't just launching an attack; it is optimizing malware architecture for long-term persistence.
Expanded Targeting Indicates Strategic Escalation
Previously, attacks were confined to military and government sectors. Now, with railway, oil and gas, and diplomatic entities in the crosshairs, the objectives are becoming broader, possibly aiming to destabilize critical infrastructure and exert political pressure.
Modular Design Enhances Operational Flexibility
Both DRAT V2 and Ares RAT underline a move toward modular, adaptable malware. These tools can be swapped or updated mid-campaign, allowing adversaries to change TTPs (tactics, techniques, and procedures) quickly. This makes threat attribution harder and aids in evasion of traditional detection systems.
Rise of Sophisticated Phishing Infrastructure
Social engineering plays a pivotal role in these attacks. Fake portals, PDF lures, and cleverly disguised executables reveal a highly coordinated phishing infrastructure, not amateur operations. It’s a reflection of nation-state-level funding and expertise.
Cross-Platform and Cross-Tool Integration
From Windows to Linux, attackers are ensuring malware compatibility across operating systems. Whether using Delphi, .NET, Go (Golang), or C, each tool serves a precise function: exfiltrate data, persist access, or execute remote instructions. This modularity also includes plug-ins for stealing browser credentials, clipboard data, and file enumeration.
Adversarial Tactics Are Iterative
The fact that DRAT V2 is described as a modular addition and not a complete overhaul means TAG-140 is choosing agility over complexity. This iteration strategy enables rapid deployment and testing of features in live environments, something only mature cyber units tend to practice.
Confucius Adds Another Layer of Complexity
While Pakistan-linked APTs aim at Indian entities, groups like Confucius are running parallel campaigns likely to counteract or collect intelligence from adversarial regions. This dual presence of offensive and defensive espionage activities adds another dimension to the South Asian cyber conflict.
Fact Checker Results
Claim: TAG-140 is linked to SideCopy and Transparent Tribe.
Verified by Recorded Future and cybersecurity researchers.
Claim: DRAT V2 uses Google Cloud for communication.
Incorrect: DRAT V2 uses traditional C2; DISGOMOJI is the one using Google Cloud.
Claim: Confucius aligns with Indian objectives.
Confirmed by reports from Seebug's KnownSec 404 Team.
Prediction
Given the increasing modularity, broader target profiles, and adaptive phishing tactics, we can expect attacks from TAG-140 and APT36 to intensify in the coming months. The strategic use of overlapping malware tools and cross-platform support indicates these groups are not just experimenting; they are operationalizing persistent cyber espionage. Defensive frameworks in South Asia must prepare for stealthier campaigns, hybrid malware, and coordinated attacks on both government and private sectors.
References:
Reported By: thehackernews.com