
TAG‑140 Phishing Campaign Targets Indian Government via IoT Devices
08 Jul 2025
In early July 2025, cybersecurity firm Dark Reading identified a new phishing campaign targeting Indian government departments through vulnerabilities in IoT-associated systems. The threat, attributed to a group known as TAG‑140, employs malicious .hta scripts delivered via phishing emails. These scripts launch a .NET loader called BroaderAspect, which establishes persistence and deploys a remote access Trojan, DRAT V2.
How the Attack Works:
Email Delivery & Social Engineering: Victims receive emails with links or attachments—apparently harmless but designed to entice users into enabling content execution.
Launch via mshta.exe: When the victim opens the file, the Windows component mshta.exe executes the hidden “.hta” script.
BroaderAspect Loader: This loader delivers payloads to connect back to the attacker’s infrastructure.
DRAT V2 Deployment: Grants ongoing remote control and persistence on infected endpoints.
Why It Matters:
IoT devices on networks—such as smart displays, HVAC controllers, IP cameras—often run embedded Windows (e.g., Windows IoT). These less-secured endpoints offer fertile ground for attackers.
Government systems: With IoT adoption in critical infrastructure (water treatment, traffic systems, security cameras), a compromised IoT device can act as a pivot point into broader networks.
Stealth & persistence: Using common Windows components and stealthy deployment, the infection can go undetected for long periods.
Impact in India:
Indian government agencies are prime targets due to legacy systems and rapid IoT expansion.
Even without immediate data exfiltration, covert access enables future sabotage, espionage, or ransomware staging.
Despite advisories from CERT-In and NIC, IoT device security posture remains inconsistent across departments.
Mitigations & Best Practices:
Network segmentation: Separate IoT device networks from core government systems.
Restrict mshta.exe: Use policies like AppLocker or SRP (Software Restriction Policy) to block mshta.exe execution from non-standard locations.
Regular audit & firmware updates: Monitor and update IoT devices continuously—many run outdated firmware lacking basic security.
Employee awareness programs: Train users and admins to spot phishing, suspicious attachments, and unusual network behavior.
Implement EDR/IDS solutions: Deploy tools capable of detecting anomalous mshta or BroaderAspect behavior.
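The last mitigation calls for tooling that spots anomalous mshta behaviour. The following is an added illustration, not code from the article or any vendor: it scores constructed process-creation events (modelled loosely on Sysmon Event ID 1 fields) for the three patterns the attack chain above implies, an .hta loaded from a user-writable path, mshta.exe spawned by a mail or Office client, and mshta.exe spawning a scripting host. All paths, process names and field names are assumptions.

```python
"""Flag suspicious mshta.exe use in process-creation telemetry (added example).
Events are constructed to resemble Sysmon Event ID 1 / Security 4688 fields;
field names, paths and process names are assumptions, not campaign indicators.
"""
import re

# Paths a phishing attachment typically lands in before being opened.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp|ProgramData)\\", re.I)
HTA_ARG = re.compile(r"\.hta\b", re.I)
# Children a legitimate HTA help page rarely needs but a loader stage does.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Parents indicating the HTA arrived by mail or document rather than by an installer.
MAIL_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "thunderbird.exe"}

# Constructed sample telemetry: two linked suspicious events, two benign ones.
SAMPLE_EVENTS = [
    {"pid": 4100, "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\invoice.hta"'},
    {"pid": 4120, "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -File stage2.ps1"},
    {"pid": 5000, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"pid": 5010, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe readme.txt"},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore location and case."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the reasons an event looks like HTA-based loader activity (empty if none)."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    reasons = []
    if image == "mshta.exe":
        if HTA_ARG.search(cmd) and USER_WRITABLE.search(cmd):
            reasons.append("mshta.exe loading an .hta from a user-writable path")
        if parent in MAIL_PARENTS:
            reasons.append(f"mshta.exe spawned by {parent}")
    if parent == "mshta.exe" and image in SCRIPT_CHILDREN:
        reasons.append(f"mshta.exe spawned {image}")
    return reasons

def scan(events: list) -> dict:
    """Map each suspicious pid to its reasons; benign events are dropped."""
    return {e["pid"]: r for e in events if (r := classify(e))}
```

Correlating the two flagged pids through the parent field is what separates a loader chain from an isolated benign HTA launch such as pid 5000.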
Conclusion:
TAG‑140’s latest campaign demonstrates the evolving threat landscape: leveraging built-in Windows components, IoT proximity, and scarcity of monitoring. As Smart City and e‑Governance initiatives grow in India, so does the exposure of IoT‑enabled infrastructure to such covert threats. Government and institutional cybersecurity teams must incorporate zero-trust principles, restrict device execution, and educate staff to mitigate these risks before malware escalates into espionage or critical service disruptions.