DRAT V2 TAG-140 Bypasses Perimeter Defenses Using Social Engineering and mshta Execution

Threat Group: TAG-140 / SideCopy / Transparent Tribe (APT36)
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: None directly; leverages social engineering and user execution vectors
Malware Used: DRAT V2 (Delphi-compiled) with BroaderAspect.NET Loader
Threat Score: 🟠 Elevated (6.5/10) – Due to its attribution to a state-aligned APT group, arbitrary shell execution, and sophisticated persistence mechanisms
Last Threat Observation: 25 June 2025


Overview

DRAT V2 represents a significant evolution in the DRAT malware family, now definitively attributed to TAG-140, an APT cluster with operational links to Transparent Tribe (APT36). Active campaigns in June 2025 targeting Indian government bodies demonstrate the threat's strategic nature and its alignment with state-sponsored objectives. This Delphi-compiled version introduces enhanced capabilities, including shell command execution, persistence via registry manipulation, and deceptive C2 over TCP port 48 using custom protocols. Its delivery mechanism relies on "ClickFix" social engineering lures and the BroaderAspect.NET loader.


Key Details

Delivery Method: ClickFix-style social engineering, malicious scripts via mshta.exe, fake government domains
Target: Indian government entities and possibly critical infrastructure
Functions:

  • Arbitrary shell command execution via exec_this_comm
  • File system access and interaction
  • Registry modification for persistence
  • Command and Control over TCP port 48 using a custom protocol
  • Deployment through the BroaderAspect.NET loader

Obfuscation: C2 IPs encoded in Base64 with prepended strings; command headers in plaintext to favor reliability; loopback connection denial to evade analysis.


Attack Vectors

DRAT V2 is deployed through carefully crafted counterfeit portals that mimic legitimate government domains. Victims are persuaded to run commands that execute payloads via mshta.exe, which leads to BroaderAspect.NET loader deployment and finally DRAT V2. The malware communicates over TCP port 48 using a custom C2 protocol, not Telnet as previously believed.


Known Indicators of Compromise (IoCs)

MD5 Hashes

  • ff13b07eaabf984900e88657f5d193e6

SHA1 Hashes

  • 42eb5f61005ba0761b86f1ff199181946ddfb14f

SHA256 Hashes

  • 0d68012308ea41c6327eeb73eea33f4fb657c4ee051e0d40a3ef9fc8992ed316
  • 830cd96aba6c328b1421bf64caa2b64f9e24d72c7118ff99d7ccac296e1bf13d
  • c328cec5d6062f200998b7680fab4ac311eafaf805ca43c487cda43498479e60
  • c73d278f7c30f8394aeb2ecbf8f646f10dcff1c617e1583c127e70c871e6f8b7
  • ce98542131598b7af5d8aa546efe8c33a9762fb70bff4574227ecaed7fff8802

IP Addresses

  • 154[.]38[.]175[.]83

Domains

  • trade4wealth[.]in

Hostnames

  • email[.]gov[.]in[.]drdosurvey[.]info

Yara Rule (Hashes):

import "hash"

rule IoC_Detection_Jun23_2025
{
    meta:
        description = "Detects files with known malicious hashes from Jun 23, 2025"
        author = "ChatGPT"
        date = "2025-06-25"
        version = "1.2"

    condition:
        hash.md5(0, filesize) == "ff13b07eaabf984900e88657f5d193e6" or
        hash.sha1(0, filesize) == "42eb5f61005ba0761b86f1ff199181946ddfb14f" or
        hash.sha256(0, filesize) == "0d68012308ea41c6327eeb73eea33f4fb657c4ee051e0d40a3ef9fc8992ed316" or
        hash.sha256(0, filesize) == "830cd96aba6c328b1421bf64caa2b64f9e24d72c7118ff99d7ccac296e1bf13d" or
        hash.sha256(0, filesize) == "c328cec5d6062f200998b7680fab4ac311eafaf805ca43c487cda43498479e60" or
        hash.sha256(0, filesize) == "c73d278f7c30f8394aeb2ecbf8f646f10dcff1c617e1583c127e70c871e6f8b7" or
        hash.sha256(0, filesize) == "ce98542131598b7af5d8aa546efe8c33a9762fb70bff4574227ecaed7fff8802"
}

Mitigation and Prevention

User Awareness: Educate on advanced phishing and "ClickFix" deception techniques
Email/Web Filtering: Block fake government domains, monitor DNS requests
Endpoint Protection (EDR/XDR):

  • Detect mshta.exe misuse
  • Monitor DLL sideloading by BroaderAspect
  • Flag registry modifications and unusual process activity

Privilege Controls: Enforce least privilege, RBAC, and JIT access
MFA: Apply across all privileged and remote access accounts
FIM: Deploy File Integrity Monitoring on registry keys and system directories
DPI: Enable deep packet inspection to detect TCP 48 command patterns
Network Segmentation: Isolate critical infrastructure to reduce spread potential
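Added example (not part of the advisory or any vendor tooling): a small Python triage script that applies two of the endpoint and network detections listed above, mshta.exe launching remote content and outbound connections on TCP/48, to constructed key=value telemetry lines. The log format, user and process names, and the example.invalid URL are assumptions; the C2 address and port are the ones given in the IoC list above.

```python
import re

# Known C2 address from this advisory (refanged so it can be compared with log data).
KNOWN_C2_IPS = {"154.38.175.83"}
C2_PORT = 48  # DRAT V2 custom C2 protocol runs over TCP 48 per the advisory

# Constructed sample telemetry in a simplified key=value form (not real Sysmon/EDR output).
SAMPLE_EVENTS = [
    'type=process user=alice parent=explorer.exe image=C:\\Windows\\System32\\mshta.exe '
    'cmdline="mshta https://example.invalid/verify.hta"',
    'type=process user=alice parent=svchost.exe image=C:\\Windows\\System32\\mshta.exe '
    'cmdline="mshta C:\\Program Files\\Vendor\\setup.hta"',
    'type=network user=alice image=C:\\Users\\alice\\AppData\\Roaming\\svc.exe '
    'proto=tcp dst=154.38.175.83 dport=48',
    'type=network user=alice image=C:\\Program Files\\Browser\\browser.exe '
    'proto=tcp dst=203.0.113.10 dport=443',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value telemetry line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def check_event(ev: dict[str, str]) -> list[tuple[str, str]]:
    """Return (severity, reason) findings for one event; empty list if nothing matched."""
    findings = []
    if ev.get("type") == "process":
        image, cmd = ev.get("image", "").lower(), ev.get("cmdline", "")
        if image.endswith("\\mshta.exe") or image == "mshta.exe":
            if re.search(r"https?://", cmd, re.I):
                # ClickFix chain: the user is talked into running mshta against a remote URL.
                findings.append(("high", "mshta.exe executing remote content: " + cmd))
            else:
                findings.append(("medium", "mshta.exe execution (review parent/cmdline): " + cmd))
    elif ev.get("type") == "network":
        dst, dport = ev.get("dst", ""), ev.get("dport", "")
        if dport == str(C2_PORT) and ev.get("proto", "tcp") == "tcp":
            # TCP/48 is not a service port; any outbound use is suspicious, known C2 is worse.
            sev = "high" if dst in KNOWN_C2_IPS else "medium"
            findings.append((sev, f"outbound TCP/{C2_PORT} from {ev.get('image', '?')} to {dst}"))
        elif dst in KNOWN_C2_IPS:
            findings.append(("high", f"connection to known DRAT V2 C2 address {dst}"))
    return findings

def scan(lines: list[str]) -> list[tuple[str, str]]:
    """Run check_event over every line and flatten the findings."""
    return [f for line in lines for f in check_event(parse_event(line))]

for sev, reason in scan(SAMPLE_EVENTS):
    print(f"[{sev.upper()}] {reason}")
```

In production the same two checks map onto process-creation and network-connection events from the EDR; the port check is a cheap first filter ahead of the deep packet inspection the advisory recommends.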

Risk Assessment

DRAT V2's targeting of government infrastructure, use of deceptive social engineering, and robust remote control features elevate its risk profile. Though not exploiting software vulnerabilities, its persistence, modular execution, and state-level backing demand an incident response posture equal to APT threats.


Conclusion

DRAT V2 exemplifies the modern APT threat: stealthy, persistent, and deeply human-centric in its initial delivery. It signals a shift in TAG-140's operational sophistication, combining well-maintained infection chains with powerful post-compromise tooling. Security teams must urgently adapt by integrating advanced detection, network visibility, and behavioral response capabilities.


Sources: