Thursday, March 5, 2026

Unveiling DRAT V2 – Enhanced C2 Protocol & Shell Command Execution Now Enabled

In a recent cybersecurity landscape alert, threat actors identified with the TAG-140 group, a cluster previously linked to notorious groups including SideCopy and Transparent Tribe (APT36, MYTHIC LEOPARD), have been detected deploying an upgraded version of the DRAT remote access trojan (RAT), now dubbed DRAT V2.

This new variant signals a marked escalation in the group’s technical capabilities, particularly in command and control (C2) communication and post-exploitation flexibility.

Technical Evolution: From .NET to Delphi

The leap from the original DRAT, a .NET-based tool, to the Delphi-compiled DRAT V2 represents a significant architectural shift for TAG-140.

The group, known for its modular malware toolset which includes CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, and ReverseRAT, has consistently rotated between different remote access trojans to evade detection and maintain operational longevity.


However, DRAT V2 introduces new, more refined functionality: a custom TCP-based, server-initiated C2 protocol, and notably, a new command—exec_this_comm—that enables the arbitrary execution of shell commands on infected Windows hosts.

This dramatically expands the operator’s ability to manipulate and move laterally within victim networks.

How DRAT V2 Infiltrates Systems

Initial access follows TAG-140’s well-documented social engineering tactics. In a recent campaign, a cloned Indian Ministry of Defence press release portal was used as the lure.

A ClickFix-style attack directed victims to execute a script via mshta.exe, ultimately launching the BroaderAspect .NET loader previously linked to TAG-140. BroaderAspect establishes persistence and then installs and executes DRAT V2, often from disguised files or registry entries within public folders like C:\Users\Public\USOShared-*.


The final payload, DRAT V2, distinguishes itself by accepting both ASCII and Unicode input in its command protocol, though it responds exclusively in ASCII.

TAG-140 infection chain dropping DRAT V2 (Source: Recorded Future)

Its C2 infrastructure addresses are obfuscated with Base64 encoding and prepended strings, a technique designed to complicate straightforward detection by analysts.

C2 Protocol: Commands That Enable Broad Control

DRAT V2’s C2 protocol enables a broad array of interactions, including:

  • Host reconnaissance (collecting usernames, OS version, system time, working directory)
  • Volume and file enumeration (list drives, directories, and files, retrieve file size, upload/download files)
  • File execution (local binaries, payloads)
  • Arbitrary shell command execution (exec_this_comm), which returns output to the C2 operator, enabling real-time tasking and flexible post-exploitation.

A unique feature is the use of tilde (~) and pipe (|) characters as command delimiters, ensuring structured, deterministic control. Unlike its predecessor, DRAT V2 reduces string obfuscation for command headers, prioritizing parsing reliability over stealth, a trade-off that could aid analysts and defenders in early detection.

Outlook and Threat Assessment

Despite its enhanced features, DRAT V2 displays limited anti-analysis and evasion techniques. Its reliance on basic persistence and straightforward execution paths makes it detectable via static and behavioral analysis tools such as YARA and Snort.

Network-based detection can focus on anomalous TCP traffic, especially to high-numbered ports (3232, 6372, 7771), and registry modifications in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
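The following Python script is an added, defender-side example written for this page; it is not code from the post, from Recorded Future, or from any TAG-140 tooling. It turns the indicators above into three triage checks: connections to the listed DRAT and DRAT V2 C2 IP:port pairs (with a lower-confidence match on outbound traffic to the bare ports 3232, 6372 and 7771), HKCU Run values that launch from C:\Users\Public\USOShared-*, and cleartext TCP payloads that carry the exec_this_comm command name next to the ~ and | delimiters described in the C2 protocol section. The connection-log format, the registry entry tuples, the payload heuristic and all sample telemetry are assumptions constructed for the example.

```python
import re
import ipaddress

# Indicators from Appendix A of the post, with the defanged "[.]" restored so the
# values can be compared against real log fields.
DRAT_V2_C2 = {("185.117.90.212", 7771), ("154.38.175.83", 3232), ("178.18.248.36", 6372)}
DRAT_C2 = {("38.242.149.89", 61101)}
DRAT_V2_PORTS = {3232, 6372, 7771}

# Persistence location and staging path named in the post.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
STAGING_PATH = re.compile(r"^C:\\Users\\Public\\USOShared-", re.IGNORECASE)

# Assumed (constructed for this example): a whitespace-separated connection log of
# the form "src_ip src_port dst_ip dst_port bytes_out".
CONN_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)$")

# RFC 1918 ranges treated as internal; traffic to these is not scored on port alone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_connection(line):
    """Return a finding string for one connection-log line, or None."""
    m = CONN_LINE.match(line.strip())
    if not m:
        return None
    src, _sport, dst, dport, _nbytes = m.groups()
    dport = int(dport)
    if (dst, dport) in DRAT_V2_C2:
        return f"high: {src} -> {dst}:{dport} matches known DRAT V2 C2"
    if (dst, dport) in DRAT_C2:
        return f"high: {src} -> {dst}:{dport} matches known DRAT C2"
    if dport in DRAT_V2_PORTS and not is_internal(dst):
        # Port overlap alone is weak evidence; surface it for triage, not as a verdict.
        return f"low: {src} -> {dst}:{dport} outbound TCP on a DRAT V2 C2 port"
    return None


def check_run_value(key, name, data):
    """Flag HKCU Run autostart entries whose target lives in the public staging path."""
    if key.lower() != RUN_KEY.lower():
        return None
    if STAGING_PATH.match(data.strip('"')):
        return f"high: Run value {name!r} launches {data} from C:\\Users\\Public\\USOShared-*"
    return None


def check_payload(payload):
    """Heuristic assumed by this example: the post says DRAT V2 answers in ASCII and
    uses exec_this_comm with ~ and | delimiters, so a cleartext segment carrying the
    command name together with those delimiters is worth an analyst's look."""
    text = payload.decode("ascii", errors="ignore")
    if "exec_this_comm" in text and ("~" in text or "|" in text):
        return "medium: payload carries exec_this_comm with ~/| delimiters"
    return None


def scan(conn_lines, run_values, payloads):
    """Run all three checks and collect the findings in order."""
    findings = []
    for line in conn_lines:
        f = check_connection(line)
        if f:
            findings.append(f)
    for key, name, data in run_values:
        f = check_run_value(key, name, data)
        if f:
            findings.append(f)
    for payload in payloads:
        f = check_payload(payload)
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry (not from the post or any real incident).
SAMPLE_CONN = [
    "10.0.0.15 49812 185.117.90.212 7771 1024",   # known DRAT V2 C2
    "10.0.0.15 49813 192.168.1.20 443 5120",      # ordinary internal HTTPS
    "10.0.0.22 50001 203.0.113.9 6372 300",       # unknown host, C2 port only
    "10.0.0.30 50100 10.0.0.5 3232 2000",         # internal, same port: ignored
]
SAMPLE_RUN = [
    (RUN_KEY, "USOShared", r"C:\Users\Public\USOShared-1\update.exe"),
    (RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]
SAMPLE_PAYLOADS = [b"exec_this_comm~whoami|", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CONN, SAMPLE_RUN, SAMPLE_PAYLOADS):
        print(finding)
```

The three severities are deliberate: an exact IP:port hit from the appendix is actionable on its own, whereas a bare port match or the delimiter heuristic should only raise a ticket for review, since both will overlap with legitimate software once the infrastructure in Appendix A is rotated.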

TAG-140’s adoption of DRAT V2 underscores the group’s unwavering commitment to evolving its arsenal.

Security teams are advised to monitor for spearphishing lures, loader reuse, and new behavioral indicators, particularly those involving arbitrary shell command execution and unconventional command-and-control (C2) protocols.

With threat actors increasingly leveraging modular, interchangeable RATs, a focus on behavioral rather than signature-based detection will remain critical for robust defense against TAG-140 and similar advanced persistent threats.

Appendix A: Indicators of Compromise

DRAT V2
ce98542131598b7af5d8aa546efe8c33a9762fb70bff4574227ecaed7fff8802
0d68012308ea41c6327eeb73eea33f4fb657c4ee051e0d40a3ef9fc8992ed316
c73d278f7c30f8394aeb2ecbf8f646f10dcff1c617e1583c127e70c871e6f8b7

DRAT
830cd96aba6c328b1421bf64caa2b64f9e24d72c7118ff99d7ccac296e1bf13d
c328cec5d6062f200998b7680fab4ac311eafaf805ca43c487cda43498479e60

DRAT V2 C2
185[.]117[.]90[.]212:7771
154[.]38[.]175[.]83:3232
178[.]18[.]248[.]36:6372

DRAT C2
38[.]242[.]149[.]89:61101