TAG-140 - SparTech Software

TAG-140 is a cyber threat actor group that overlaps with the publicly reported SideCopy group, which is widely believed to be a Pakistani state-aligned advanced persistent threat (APT) group. SideCopy is itself considered a sub-cluster or operational affiliate of Transparent Tribe (also tracked as APT36, ProjectM, or MYTHIC LEOPARD).

Key Characteristics

• Attribution: TAG-140 is assessed as a sub-cluster or affiliate of Transparent Tribe (APT36), with strong links to SideCopy.
• Active Since: At least 2019.
• Primary Targets: Indian government organizations, defense, maritime, and academic sectors, with recent expansion into railway, oil and gas, and external affairs ministries.
• Geographic Focus: India is the primary target, reflecting geopolitical motivations.

Tactics, Techniques, and Procedures (TTPs)

TAG-140 frequently uses spearphishing campaigns, often leveraging social engineering lures that spoof Indian government entities. Recent campaigns have included cloned press release portals of the Indian Ministry of Defence.

Delivery Methods: The group employs HTML applications (HTAs), Microsoft Installer (MSI) packages, and exploits software vulnerabilities (such as WinRAR flaws) to deliver payloads. TAG-140 rotates a variety of remote access trojans (RATs) and custom malware, including:

DRAT (and DRAT V2)
CurlBack
SparkRAT
AresRAT
Xeno RAT
AllaKore
ReverseRAT

A typical infection involves a social engineering lure leading to execution of a malicious script (often via mshta.exe), which then launches a loader (such as BroaderAspect) that establishes persistence and deploys the final RAT payload.

TAG-140’s DRAT V2 malware upgrade offers a substantial improvement over its initial version.
The new DRAT V2 variant raises significant concerns due to its enhanced operational capabilities, evolved targeting strategy, and improved evasion techniques, which collectively increase its threat to critical infrastructure and national security. DRAT V2 is the latest variant of the DRAT (Delphi Remote Access Trojan) malware, recently identified in a TAG-140 campaign targeting Indian government and critical infrastructure organizations. TAG-140, linked to the SideCopy subgroup and Transparent Tribe (APT36), is known for its evolving and diverse malware arsenal.

United States	~59% of ransomware attacks globally Thousands per year
Poland	1,000+ per week
Russia	Highest cybercrime threat level
China	Thousands per year
India	115% surge in attacks Q2 2024
Ukraine	Significant surge since 2022
Brazil	Among top countries for blocked attacks
Mexico	65% of businesses hit in 2024
Germany	High targeted rate (EU)
France	High targeted rate (EU)

AS Name	ASN
Bharat Sanchar Nigam Ltd	9829
No.31,Jin-rong Street	4134
CHINA UNICOM China169 Backbone	4837
DigitalOcean, LLC	14061
HUAWEI INTERNATIONAL PTE. LTD.	136907
Amazon.com, Inc.	14618
Alibaba (US) Technology Co., Ltd.	45102
Google LLC	396982
Amazon.com, Inc.	16509
3xK Tech GmbH	200373

IP Address	Notable Exploits/Context
104.238.159.149	SharePoint zero-day, broad exploitation
107.191.58.76	SharePoint zero-day, government targets
96.9.125.147	SharePoint, previously Ivanti exploits
139.162.47.194	Exploits on CitrixBleed 2
38.180.148.215	CitrixBleed 2 campaigns
185.224.128.17	High activity, Netherlands
89.248.163.200	High activity, Netherlands
15.235.218.150	Associated with APT, active C2
45.9.148.114	Associated with C2, malicious netflow
91.107.150.184	C2 infrastructure, recent IoC

Related