DRAT V2: Updated DRAT Emerges in Arsenal

June 24, 2025, 2:32 p.m.

Description

TAG-140, a threat actor group overlapping with SideCopy, has deployed an updated version of their DRAT remote access trojan, dubbed DRAT V2. This new variant, developed in Delphi, introduces enhanced command and control capabilities, including arbitrary shell command execution and improved C2 obfuscation techniques. The malware was distributed through a ClickFix-style social engineering attack, using a cloned Indian Ministry of Defence press portal. DRAT V2 demonstrates TAG-140's ongoing refinement of their tooling and their continued focus on Indian government and defense targets.

Date

  • Created: June 23, 2025, 6:23 p.m.
  • Published: June 23, 2025, 6:23 p.m.
  • Modified: June 24, 2025, 2:32 p.m.

Indicators


Attack Patterns

Additional Information

  • Defense
  • Government
  • British Indian Ocean Territory
  • India