- Fake tax notices become delivery vehicles for sophisticated remote access malware.
- Attackers hide malicious code behind convincing government branding and legal credentials.
- The malware discreetly establishes encrypted communication with servers located outside the country.
A new phishing campaign uses fake income tax notices to deliver dangerous malware to unsuspecting victims across India.
CYFIRMA researchers identified the operation, which relies on a fraudulent website designed to closely resemble official communications from India’s Income Tax Department.
The fake portal, hosted on a recently registered domain, presents a compelling assessment order, complete with legal credentials, financial penalties, and urgent compliance language designed to pressure recipients to act quickly.
How does the infection occur?
Victims who interact with the fake notice are asked to download a ZIP archive disguised as an official assessment document and supporting calculations.
Once extracted, this archive reveals a disk image file functioning as a container for the actual malicious payload.
Inside is a loader that silently triggers a second component, a DLL file disguised to look like a legitimate Windows service.
Researchers found that this loader uses reflection-based techniques specifically designed to make automated detection and analysis significantly more difficult.
Both files were obfuscated using a known protection tool, further complicating security teams’ efforts to inspect the code.
Once active, the payload behaves like a remote access Trojan, granting attackers persistent, encrypted access to the infected machine.
It can collect system details, monitor user activity, check what security software is installed, and silently load additional malicious components on command.
Communication with the attacker’s server takes place over an encrypted channel, using a hard-coded address connected to infrastructure based in Hong Kong.
These capabilities point to a financially motivated operation rather than one focused on immediate damage or disruption, and they closely resemble characteristics associated with known RAT families such as XWorm.
However, the researchers note that conclusive attribution to a specific threat actor has not yet been established.
Why this campaign is important
This is not an isolated phishing attempt but part of a broader pattern of attackers exploiting tax-season anxiety to bypass user caution entirely.
CYFIRMA’s findings show that the same loading and payload architecture has previously been associated with ransomware operators, suggesting that this infrastructure may serve more than one type of attack depending on the victim.
Up-to-date antivirus software with behavioral detection remains a practical defense against this type of staged, multi-component malware delivery.
Security researchers recommend that individuals verify any tax correspondence directly through official government channels rather than clicking on embedded links.
Organizations are advised to restrict the execution of unknown files arriving via archives or disk images, as this campaign relies heavily on this precise delivery method for success.
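The delivery chain described above (ZIP archive wrapping a disk image that in turn carries the loader and DLL) is something a mail gateway or download scanner can flag before a user ever mounts the image. The following is an added example, not code from CYFIRMA or TechRadar, of a small Python check that opens a ZIP archive in memory and reports any member that either carries a disk-image extension or begins with an ISO 9660 volume descriptor (the `CD001` identifier at byte offset 0x8001), so that a renamed image is still caught. The archive it inspects is constructed inline for the demonstration; the file names and contents are invented and are not indicators from the campaign.

```python
import io
import zipfile

# Extensions commonly used for disk-image containers; the set is an assumption
# chosen for this example and would be tuned to an organisation's own policy.
DISK_IMAGE_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}

# ISO 9660 places the primary volume descriptor at 0x8000; bytes 1..5 of it
# hold the standard identifier "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"


def looks_like_iso(head: bytes) -> bool:
    """Return True when the supplied leading bytes carry the ISO 9660 identifier."""
    return head[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def inspect_archive(zip_bytes: bytes) -> list:
    """Scan every member of a ZIP archive for signs of a nested disk image.

    Each finding is a dict with the member name and the list of reasons it
    was flagged (extension match, ISO signature, or both).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            # Only the leading bytes are needed to test the ISO signature,
            # so large members are not read in full.
            with zf.open(info) as member:
                head = member.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
            reasons = []
            if ext in DISK_IMAGE_EXTENSIONS:
                reasons.append("disk-image extension")
            if looks_like_iso(head):
                reasons.append("ISO 9660 signature")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Construct a test ZIP in memory (sample data, not from the real campaign).

    It holds a harmless text member, a disk image with the expected extension,
    and a disk image renamed to a bland extension to show the signature check.
    """
    iso_like = bytearray(ISO_MAGIC_OFFSET + 64)
    iso_like[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Assessment_Order.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("Supporting_Calculations.iso", bytes(iso_like))
        zf.writestr("Tax_Computation.dat", bytes(iso_like))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(f"{finding['name']}: {', '.join(finding['reasons'])}")
```

Running the script flags `Supporting_Calculations.iso` on both counts and `Tax_Computation.dat` on the signature alone, while the PDF passes. Checking the signature rather than trusting the name is what keeps the control useful when an attacker renames the image to slip past an extension blocklist; in production the same check would sit in the mail or download pipeline and quarantine rather than print.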