DRAT

DRAT is a remote access trojan (RAT) used in campaigns attributed by Recorded Future’s Insikt Group to TAG-140, an activity cluster assessed to overlap with SideCopy, an operational subgroup or affiliate of Transparent Tribe, a suspected Pakistani state-aligned APT. In the reported campaign, TAG-140 targeted Indian government organizations and also entities associated with India’s railway, oil and gas, and external affairs ministries, with researchers noting expansion beyond government, defense, maritime, and academic sectors. The intrusion chain used a spoofed Indian Ministry of Defense press release portal and a ClickFix-style social engineering lure, with suspected spear-phishing used for delivery. Victims were induced to execute a malicious script via mshta.exe, which launched the BroaderAspect .NET loader; BroaderAspect then established persistence and installed and executed DRAT V2. DRAT V2 reflects a transition from an earlier .NET-based DRAT to a Delphi-compiled variant. The newer version uses an updated custom TCP-based, server-initiated command-and-control protocol and provides expanded capabilities including data exfiltration, payload upload, and reconnaissance. Researchers stated these functions support persistent and flexible control as well as automated and interactive post-exploitation without auxiliary tools. The malware reportedly uses basic infection and persistence methods and is detectable through static and behavioral analysis. High-confidence behavioral indicators from the reporting include execution via mshta.exe, use of the BroaderAspect loader, spoofed Ministry of Defense infrastructure, and deployment of DRAT V2 in TAG-140 operations.