Critical Indian sectors, such as government ministries, defence establishments, and rail infrastructure, have been the target of a sophisticated cyber-espionage operation. This campaign demonstrates how persistent advanced threat actors are changing their strategies to get around traditional security measures and obtain private information.
Researchers at Recorded Future’s Insikt Group have attributed the attacks to TAG-140, a group overlapping with the known adversary SideCopy, itself assessed as part of Transparent Tribe (APT36). Notably, this underscores how state-aligned clusters have become increasingly modular and adept at iterating their tools for specific targets.
Bluefire Redteam Insight:
This incident is emblematic of a broader trend: APTs are industrializing the development of interchangeable malware suites, refining their toolkits to blend into legitimate network traffic and thwart attribution. Organizations defending high-value data must prepare for a perpetual game of adaptation.
A Notable Shift in Malware Design
The most recent attack makes use of DRAT V2, an enhanced DRAT remote access trojan. DRAT V2 offers improved command-and-control capabilities and architectural changes over its predecessor, including dual ASCII/Unicode command input, support for arbitrary shell command execution, and more efficient obfuscation techniques to increase reliability.
The attackers crafted a cloned press release portal impersonating India’s Ministry of Defence, hosting malicious links that initiated infection. This infection chain follows a multi-step approach:
- Victims are tricked into pasting malicious commands into their own command shells.
- A loader (“BroaderAspect”) retrieves a decoy document and establishes persistence via Windows Registry changes.
- DRAT V2 is silently deployed from the attacker’s infrastructure.
DRAT V2’s modularity and dependability suggest a conscious trade-off: less code-level stealth in exchange for simpler deployment and command parsing, even though it lacks sophisticated anti-analysis techniques.
Bluefire Redteam;s Perspective:
For defenders, this serves as a cautionary tale: simplicity does not equate to low impact. Even moderately obfuscated payloads can wreak havoc if paired with strong social engineering and precise targeting.
A Growing Arsenal: From Ares RAT to DISGOMOJI
DRAT V2 deployment is a component of a larger escalation. APT36 disseminated Ares RAT, a tool that gives attackers total remote control, during the May 2025 India-Pakistan tensions. This tool makes it easier to spy on, exfiltrate data, and possibly sabotage vital services.
Recent campaigns have also delivered:
- DISGOMOJI, a Go-based malware using Google Cloud for command-and-control, signaling a pivot away from Discord-based infrastructure.
- Sophisticated phishing attacks, employing malicious PDFs disguised as legitimate purchase orders from India’s National Informatics Centre.
These changing campaigns demonstrate how APT36 can combine sophisticated payload delivery, cloud-based C2 communications, and traditional social engineering.
Emerging Threat: Confucius Unveils WooperStealer and Anondoor
Meanwhile, another threat group, Confucius, has been observed deploying a modular backdoor dubbed Anondoor alongside WooperStealer, an information stealer.
Using malicious LNK shortcuts and DLL side-loading, this operation demonstrates Confucius’s growing sophistication and ability to iterate quickly. The C# DLL backdoor evades sandbox detection and enables attackers to:
- Harvest credentials
- Execute arbitrary commands
- Capture screenshots
- Download and enumerate files
Bluefire Redteam Analysis:
This modular approach highlights a critical evolution: adversaries are assembling “plug-and-play” malware ecosystems, enabling tailored intrusion campaigns with minimal development time.
What This Means for Indian Organizations
These operations, which range from DRAT V2 to DISGOMOJI, demonstrate how APT actors are methodically focussing their sophisticated, tenacious campaigns on India’s strategic sectors. Critical infrastructure operators, defence ministries, and businesses handling sensitive data need to understand that:
- Human trust remains the weakest link. Social engineering, rather than purely technical exploits, is the preferred initial access vector.
- Modular malware is here to stay. Adversaries can swap out components on the fly to evade detection.
- Cloud infrastructure abuse will accelerate. Google Cloud, Discord, and other services are increasingly repurposed for covert C2.
Bluefire Redteam Takeaway
In an era where adversaries iterate faster than traditional security teams can respond, resilience demands more than patching. It requires:
- Continuous threat intelligence monitoring
- Proactive adversary emulation and Red Team exercises
- User awareness programs to counter sophisticated phishing
- Robust detection engineering to spot modular and living-off-the-land techniques
At Bluefire Redteam, we assist businesses in preventing these threats rather than just responding to them. Now is the time to reevaluate your preparedness if your environment deals with sensitive data or vital infrastructure.
Stay prepared. Stay resilient.
