A sophisticated phishing campaign is targeting Indian taxpayers, using fake income tax assessment notices to distribute remote access malware. Researchers at CYFIRMA discovered that attackers created a fraudulent website mimicking official communications from the Indian Income Tax Department. The fake portal presents a convincing assessment order complete with legal references, financial penalties, and urgent language designed to pressure recipients into acting quickly.
How the infection unfolds
Victims who interact with the fake notice are prompted to download a ZIP archive disguised as official assessment documentation. Extracting it yields not documents but a disk image, a container attackers favour because Windows mounts it with a double-click and files inside a mounted image have historically not carried the Mark of the Web that triggers SmartScreen warnings. Inside the image sits a loader executable that quietly launches a second component, a DLL named to resemble a legitimate Windows service. Researchers found that the loader uses reflection-based techniques, which typically means a .NET loader that reads the DLL into memory and invokes it through the runtime's reflection API rather than through an ordinary import, a construction built specifically to make automated detection and analysis considerably harder. Both files were obfuscated with a known protection tool, further complicating inspection by security teams.
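The chain just described (ZIP, then a disk image, then a loader and a DLL) can be triaged without ever mounting the image. The script below is an added example written for this article; it is not CYFIRMA's tooling and nothing in it is recovered from the campaign. It builds a constructed lure archive with invented file names, identifies the ISO by its volume descriptor rather than its extension, carves the PE files that ISO 9660 stores uncompressed inside it, and reads each PE's CLR data directory to tell a managed loader (the kind that can use .NET reflection) from a native DLL. The offsets, the file names and the fake PE headers are all assumptions made for the demonstration.

```python
from __future__ import annotations
import io
import os
import struct
import zipfile

DISK_IMAGE_EXT = {".iso", ".img", ".vhd", ".vhdx", ".vmdk"}
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIRECTORY_INDEX = 14      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero RVA means a .NET image


def pe_info(data: bytes, off: int = 0) -> dict | None:
    """Parse just enough PE header to answer: DLL or EXE, and is it managed (.NET)?
    A reflection-based loader is a managed image; a native service DLL is not."""
    try:
        if data[off:off + 2] != b"MZ":
            return None
        pe = off + struct.unpack_from("<I", data, off + 0x3C)[0]      # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        characteristics = struct.unpack_from("<H", data, pe + 22)[0]  # COFF Characteristics
        magic = struct.unpack_from("<H", data, pe + 24)[0]            # optional header Magic
        if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
            return None
        dirs = pe + 24 + (96 if magic == PE32_MAGIC else 112)        # first data directory
        clr_rva = struct.unpack_from("<I", data, dirs + CLR_DIRECTORY_INDEX * 8)[0]
    except struct.error:
        return None
    return {"offset": off, "dll": bool(characteristics & IMAGE_FILE_DLL), "managed": clr_rva != 0}


def sniff(data: bytes) -> str:
    """Classify by magic bytes, never by extension: the ISO 9660 primary volume
    descriptor sits at sector 16 (offset 0x8000) and begins with 0x01 'CD001'."""
    if len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if pe_info(data) is not None:
        return "pe"
    return "unknown"


def carve_pe(image: bytes) -> list[dict]:
    """ISO 9660 keeps file data uncompressed, so the loader and the DLL can be found
    by scanning for valid PE headers instead of mounting the image on a host."""
    found, pos = [], 0
    while (pos := image.find(b"MZ", pos)) != -1:
        info = pe_info(image, pos)
        if info is not None:
            found.append(info)
        pos += 2
    return found


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect every member; verdict 'block' means archive -> disk image -> executable."""
    report = {"disk_images": [], "embedded_pe": [], "notes": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            data = zf.read(member.filename)
            ext = os.path.splitext(member.filename)[1].lower()
            kind = sniff(data)
            if kind == "iso9660" and ext not in DISK_IMAGE_EXT:
                report["notes"].append(f"{member.filename}: disk image with misleading extension")
            if kind == "iso9660" or ext in DISK_IMAGE_EXT:
                report["disk_images"].append(member.filename)
                for pe in carve_pe(data):
                    report["embedded_pe"].append({"container": member.filename, **pe})
            elif kind == "pe":
                report["notes"].append(f"{member.filename}: bare executable in archive")
    if report["embedded_pe"]:
        report["verdict"] = "block"
    elif report["disk_images"] or report["notes"]:
        report["verdict"] = "review"
    return report


def make_fake_pe(*, dll: bool, managed: bool) -> bytes:
    """Constructed minimal PE32 header standing in for the real files (not executable code)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    directories = [(0, 0)] * 16
    if managed:
        directories[CLR_DIRECTORY_INDEX] = (0x2008, 72)           # invented CLR header RVA/size
    optional = struct.pack("<H", PE32_MAGIC) + b"\0" * 94
    optional += b"".join(struct.pack("<II", *d) for d in directories)
    return dos + b"PE\0\0" + coff + optional


def build_lure_zip() -> bytes:
    """Constructed lure mirroring the chain: ZIP -> ISO -> managed loader + native DLL.
    File names are invented for the demo, not the campaign's real names."""
    iso = bytearray(0x8000) + b"\x01CD001\x01\x00"                # system area, then PVD header
    iso = iso.ljust(0x8800, b"\0") + make_fake_pe(dll=False, managed=True)
    iso = iso.ljust(0x9000, b"\0") + make_fake_pe(dll=True, managed=False)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Income_Tax_Assessment_Order.iso", bytes(iso.ljust(0x9800, b"\0")))
        zf.writestr("Read_Me_First.txt", "constructed placeholder text")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_lure_zip()))
```

Running the file prints the report for the constructed lure: one disk image, two carved PE files (a managed EXE and a native DLL) and the verdict `block`; in a mail gateway or sandbox pipeline the same `triage_zip` call would run on the attachment. The carver is a heuristic: it keys on MZ/PE signatures, so a payload that is itself packed or encrypted inside the image would only appear as an unrecognised blob, and extension-only checks are defeated by renaming, which is why `sniff` looks at bytes first.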
The payload is a remote access trojan
Once active, the payload behaves like a Remote Access Trojan, granting attackers persistent, encrypted access to the infected machine. It can collect system details, monitor user activity, check which security software is installed, and silently load additional malicious components on command. Communication with the attacker's server happens over an encrypted channel, using a hardcoded address traced to infrastructure based in Hong Kong. These capabilities point toward a financially motivated operation rather than one focused on immediate damage, and they closely resemble traits associated with known commodity RAT families such as XWorm. However, researchers note that conclusive attribution to a specific threat actor remains unconfirmed at this stage.
Why this campaign matters
This is not an isolated phishing attempt but part of a broader pattern in which attackers exploit tax-season anxiety to override user caution. CYFIRMA's findings show the same loader-and-payload architecture has previously been linked to ransomware operators, suggesting the infrastructure may serve more than one type of attack depending on the victim. Signature-only antivirus is a weak match for a staged, obfuscated delivery like this one; endpoint protection with behavioural detection, which can flag a freshly mounted image spawning an executable that then loads a DLL and opens an outbound encrypted channel, is the practical minimum. Individuals should verify any tax-related correspondence directly through official government channels rather than clicking embedded links. Organizations should restrict the execution of unknown files that arrive inside archives or disk images, since the campaign depends on that delivery method, and should treat a user mounting an ISO received by email as an event worth alerting on. For a related example of how cybercriminals exploit anticipation, see the analysis on fake GTA VI beta codes; the Wikipedia page on phishing offers further general defence tips.