TAG-140 is a threat actor group that primarily targets Indian government entities, employing cyber espionage tactics such as phishing and malware campaigns. They have deployed a new variant of the DRAT RAT, known as DRAT V2, which utilizes a ClickFix lure and executes a remote script via mshta.exe to establish persistence and facilitate data exfiltration. Their operations include the use of the BroaderAspect loader and a custom TCP-based C2 protocol, enabling a range of post-exploitation activities. TAG-140's activities reflect a pattern of iterative advancement in their malware arsenal and delivery techniques, complicating detection and attribution efforts.