TAG-140 Deploys DRAT V2 RAT, Targeting Indian Government, Defense, and Rail Sectors


A hacking group with ties to Pakistan has been found targeting Indian government organizations with a modified variant of a remote access trojan (RAT) called DRAT. The activity has been attributed by Recorded Future's Insikt Group to a threat actor tracked as TAG-140, which it said overlaps with SideCopy, an adversarial collective assessed to be an operational sub-cluster within Transparent Tribe (aka APT-C-56, APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and ProjectM).

"TAG-140 has consistently demonstrated iterative advancement and variety in its malware arsenal and delivery techniques," the Mastercard-owned company said in an analysis published last month. "This latest campaign, which spoofed the Indian Ministry of Defence via a cloned press release portal, marks a slight but notable shift in both malware architecture and command-and-control (C2) functionality."

The updated version of DRAT, called DRAT V2, is the latest addition to SideCopy's RAT arsenal, which also comprises tools such as Action RAT, AllaKore RAT, Ares RAT, CurlBack RAT, ReverseRAT, Spark RAT, and Xeno RAT, used to infect both Windows and Linux systems.

The activity illustrates the adversary's evolving playbook: the group continues to refine and diversify an "interchangeable suite" of RAT malware for harvesting sensitive data, and rotating between functionally similar implants in turn complicates attribution, detection, and monitoring.
