Fake Indian Tax Utility Used To Spread DcRAT In Targeted Phishing Campaign

Published:

A suspected China linked threat group has been identified behind a targeted phishing campaign aimed at Indian taxpayers, tax professionals, and corporate finance teams by distributing a fake income tax filing utility that installs the DcRAT remote access trojan. The campaign, named Operation DragonReturn by Seqrite Labs, was first detected on May 18, 2026, and coincides with India’s annual income tax filing season. According to the researchers, the operation is highly targeted rather than opportunistic, using carefully prepared phishing emails that impersonate India’s Income Tax Department. The emails include authentic legal references, bilingual content, and continuously updated malicious payloads, indicating a well planned and sustained operation focused specifically on India’s taxpayer ecosystem. Researchers believe the campaign is intended to establish long term access to compromised systems for financial gain, credential theft, and the collection of sensitive information. The attackers rely on convincing social engineering techniques to pressure recipients into acting quickly by claiming tax violations or financial penalties that require immediate attention.

The attack begins with spear phishing emails containing PDF attachments that direct recipients to a fraudulent website posing as an official tax portal. Victims are instructed to download what appears to be an offline tax filing utility commonly used to submit income tax returns. Instead of a legitimate application, the downloaded ZIP archive contains files designed to trigger DLL side loading, allowing a malicious library named nvdaHelperRemote.dll to inject additional malware into system memory. The malware attempts to obtain administrator privileges through a User Account Control prompt if elevated permissions are not already available. Once active, it performs several anti analysis and sandbox detection checks before contacting a remote server to download a JPG image that secretly contains another malware payload. The image is saved on the compromised system before a hidden DLL is extracted and written into the Windows Media Player directory. Researchers explained that the malware then copies itself as Mixed Reality.exe and creates a Windows service called MixedSvc, ensuring the malicious program automatically starts whenever the system boots. This combination of concealed payload delivery and Windows service persistence enables attackers to maintain ongoing access to infected devices while reducing the likelihood of detection.

Seqrite Labs found that the Mixed Reality.exe component deploys two separate malicious payloads after installation. The first is a .NET based malware loader responsible for conducting additional anti analysis checks, maintaining persistence, disabling Windows Antimalware Scan Interface protection, and decrypting the DcRAT malware before executing it. The second payload focuses on capturing screenshots and transmitting stolen information to a remote command server controlled by the attackers. Although researchers have not definitively attributed the campaign to a specific threat group, multiple indicators point toward Chinese involvement. Infrastructure analysis identified command servers hosted on ChinaNet owned IP addresses, while investigators also discovered a Chinese language administration panel associated with the DcRAT command and control infrastructure. Researchers additionally identified tactical and infrastructure similarities with Silver Fox, a cybercrime group previously linked to tax themed phishing operations that distributed ValleyRAT malware. Based on these overlaps, Seqrite Labs believes the campaign is likely conducted by a China aligned threat actor seeking persistent access for intelligence gathering, credential theft, and systematic data collection from targeted organizations and individuals.

The findings were released alongside reports from LevelBlue and Cybereason describing separate malware campaigns that also rely on deceptive software installers and phishing emails to distribute ValleyRAT malware. One campaign targets Chinese and Japanese speaking users through phishing emails carrying salary adjustment themes that ultimately trigger a DLL side loading attack to install ValleyRAT. Another campaign distributes fake installers for popular applications such as LINE while using advanced techniques, including PoolParty Variant 7, to inject malicious shellcode into trusted Windows processes. Researchers noted that this technique has previously been associated with the SADBRIDGE malware loader, which deploys a Golang based implementation of Quasar RAT known as GOSAR. Earlier investigations by Elastic Security Labs connected those attacks with a threat cluster identified as REF3864, which targeted Chinese speaking users through fraudulent installers for Telegram and Opera. While researchers have not confirmed a direct connection between these separate campaigns, they observed multiple technical similarities that suggest some of the malware development methods and attack techniques may originate from the same or closely related threat actors.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Related articles

spot_img