
DRAT V2 summary (Source: Recorded Future)
A new variant of the DRAT remote access trojan has emerged, signaling a continued evolution in TAG-140’s offensive cyber capabilities. Tracked by Recorded Future’s Insikt Group, DRAT V2 represents a tactical upgrade in a long-running campaign targeting Indian government entities. The new version, now compiled in Delphi, brings expanded post-exploitation functionality and refined command-and-control (C2) techniques.
“The deployment of DRAT V2 reflects TAG-140’s ongoing refinement of its remote access tooling,” the report states, “transitioning from a .NET-based version of DRAT to a new Delphi-compiled variant.”
TAG-140, which overlaps with the known APT group SideCopy, is assessed as a Pakistani state-aligned threat actor and an operational affiliate of Transparent Tribe (APT36). Active since at least 2019, the group has shifted focus from traditional targets to new sectors including railway, oil and gas, and external affairs ministries.
This campaign begins with a ClickFix-style social engineering lure, leveraging a cloned Indian Ministry of Defence portal hosted at email[.]gov[.]in[.]drdosurvey[.]info. Victims are tricked into executing malicious scripts that deliver the BroaderAspect loader, followed by DRAT V2.
“Clicking the active March 2025 link triggered a ClickFix-style social engineering attack,” with the infection chain culminating in a malicious registry run key disguised to execute DRAT V2 via a renamed .pdf file.
The latest version introduces arbitrary shell command execution, enabling greater flexibility for TAG-140’s operators.
“DRAT V2 adds a new command (exec_this_comm) for arbitrary shell command execution, enhancing post-exploitation flexibility.”
The malware uses a custom, server-initiated TCP protocol whose command headers are now mostly plaintext. This suggests a design trade-off: simpler parsing at the expense of stealth.
The C2 infrastructure is obfuscated using Base64 encoding with prepended junk strings—such as <><><><><><><><><><><>—to hinder automated detection.
“DRAT V2 modifies its approach to C2 obfuscation by prepending one of the following strings to the IP address prior to Base64 encoding.”
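The obfuscation described above is a thin layer: a fixed junk string is placed directly in front of the IP address and the whole thing is Base64-encoded. The helper below is an added example written for this summary, not code from Recorded Future or from the malware. It recovers the address from such a blob, rejects blobs that do not carry a known prefix, and derives a static signature from the fact that Base64 works in 3-byte groups, so the junk prefix always encodes to the same leading characters regardless of the address that follows. The only prefix in the list is the one quoted on the page; the sample blob, the function names and the `203.0.113.10` documentation-range address are constructed for the example.

```python
import base64
import binascii
import ipaddress

# Junk prefix quoted in the Recorded Future write-up. The report says DRAT V2
# picks one of several such strings; only this one appears in the summary, so
# the list is intentionally short and should be extended from the full report.
KNOWN_JUNK_PREFIXES = ["<><><><><><><><><><><>"]


def decode_c2_blob(blob, prefixes=KNOWN_JUNK_PREFIXES):
    """Recover the C2 IP address from a DRAT V2 style Base64 blob.

    Returns the address as a string, or None when the blob is not valid
    Base64, does not start with a known junk prefix, or does not decode to
    an IP address. Distinguishing "not this scheme" from "decoded" keeps a
    triage script from reporting random Base64 strings as C2 addresses.
    """
    try:
        raw = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    for prefix in prefixes:
        if raw.startswith(prefix):
            candidate = raw[len(prefix):].strip()
            break
    else:
        return None  # no known junk prefix: not DRAT V2's obfuscation
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def stable_base64_prefix(prefix):
    """Return the Base64 characters a junk prefix always produces.

    Base64 encodes 3 bytes at a time, so the longest multiple-of-three slice
    of the prefix encodes identically no matter which address follows it.
    That fixed string works as a static signature for the encoded blob.
    """
    whole_groups = len(prefix) // 3 * 3
    return base64.b64encode(prefix[:whole_groups].encode("ascii")).decode("ascii")


# Constructed samples (not IoCs): the page's junk prefix in front of an
# RFC 5737 documentation address, encoded as the report describes, and the
# same address Base64-encoded without any prefix.
SAMPLE_BLOB = base64.b64encode(
    (KNOWN_JUNK_PREFIXES[0] + "203.0.113.10").encode("ascii")
).decode("ascii")
SAMPLE_UNPREFIXED_BLOB = base64.b64encode(b"203.0.113.10").decode("ascii")

if __name__ == "__main__":
    print("decoded C2:", decode_c2_blob(SAMPLE_BLOB))
    print("unprefixed blob:", decode_c2_blob(SAMPLE_UNPREFIXED_BLOB))
    print("static signature:", stable_base64_prefix(KNOWN_JUNK_PREFIXES[0]))
```

The signature function is the defensive payoff: a string match on the encoded prefix catches the configuration blob in a sample or memory dump without having to decode every Base64 string first, and it stays valid when the operators rotate the address behind the same junk string.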
Once connected to its C2, DRAT V2 awaits remote commands that allow operators to:
- Enumerate system info and directories
- Upload and download files
- Execute arbitrary shell commands
- Transfer and execute additional payloads
Each command uses a structured format and ASCII responses, such as: exec_this_comm~whoami.
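Because the command headers travel in plaintext and responses are ASCII, the `<command>~<argument>` format can be parsed straight out of a capture. The snippet below is an added example for this summary, not Recorded Future's tooling: it splits messages on the `~` separator, recognises the two command names that appear on this page (`exec_this_comm` and `initial_infotonas`), and flags separator-bearing messages with other command names as unknown rather than dropping them, since the full command set is larger than what the summary quotes. The sample messages are constructed; only the first is taken from the page.

```python
import string

# Separator and command names exactly as they appear in the summary.
# Any other command name is reported as unknown, not guessed at.
SEPARATOR = "~"
KNOWN_COMMANDS = {
    "exec_this_comm": "arbitrary shell command execution",
    "initial_infotonas": "system information collection",
}


def parse_command(message):
    """Split a DRAT V2 style message into (command, argument).

    A message without a separator is treated as an argument-less command.
    Returns None for empty or non-printable-ASCII input: the protocol is
    ASCII-only, so a binary blob cannot be one of these commands.
    """
    if not message or not all(ch in string.printable for ch in message):
        return None
    command, sep, argument = message.partition(SEPARATOR)
    command = command.strip()
    if not command:
        return None
    return command, (argument if sep else "")


def triage_messages(messages):
    """Classify captured plaintext messages for a detection pipeline.

    Returns (message, verdict) pairs with verdict one of 'known',
    'unknown-command' or 'not-drat'. Messages that use the separator with
    an unrecognised command name stay visible as 'unknown-command' so that
    an analyst can review them when the command set grows.
    """
    results = []
    for message in messages:
        parsed = parse_command(message)
        if parsed is None:
            results.append((message, "not-drat"))
            continue
        command, _argument = parsed
        if command in KNOWN_COMMANDS:
            results.append((message, "known"))
        elif SEPARATOR in message:
            results.append((message, "unknown-command"))
        else:
            results.append((message, "not-drat"))
    return results


# Constructed sample traffic strings; only the first is quoted on the page.
SAMPLE_MESSAGES = [
    "exec_this_comm~whoami",
    "initial_infotonas",
    "some_other_comm~C:\\Users",
    "GET / HTTP/1.1",
    "\xff\xfe\x00binary",
]

if __name__ == "__main__":
    for message, verdict in triage_messages(SAMPLE_MESSAGES):
        print(f"{verdict:16} {message!r}")
```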
While both versions serve similar goals, DRAT V2 reflects deeper modularity and operational refinement:
| Capability | DRAT | DRAT V2 |
|---|---|---|
| Command Execution | Not Present | exec_this_comm |
| Encoding Format | Unicode I/O | ASCII Output Only |
| System Info Command | getInformitica | initial_infotonas |
| Development Language | .NET | Delphi |
| C2 Obfuscation | Base64 | Base64 + Junk Prefix |
“DRAT V2 supports a set of commands that allow TAG-140 operators to perform a wide range of interactions with compromised hosts.”
While DRAT V2 lacks advanced anti-analysis features, its tailored post-exploitation functionality and expanding target set demand close attention.