Suspected China-Nexus Hackers Use Fake Indian Tax Utility to Deploy DcRAT
What happened
Seqrite Labs reported a suspected China-nexus campaign targeting Indian taxpayers, tax professionals, and corporate finance teams with a fake income tax filing utility that deploys a remote access trojan. The campaign, tracked as Operation DragonReturn, was first observed on May 18, 2026, during India’s annual income tax filing season. The phishing emails impersonate India’s Income Tax Department and use tax violation or penalty lures to pressure victims into opening PDF attachments and clicking a malicious link.
The link leads to a fake tax portal that instructs users to download a ZIP archive posing as an offline utility for filing tax returns. Instead, the archive uses DLL side-loading to launch a malicious file, inject another payload into memory, and attempt to run with administrator privileges. The malware also checks for analysis or sandbox environments before downloading a JPG file that hides a secondary payload, which is later extracted and written as a DLL under the Windows Media Player directory.
The infection chain installs itself as Mixed Reality.exe and creates a Windows service named MixedSvc for persistence. That binary deploys two payloads: a .NET loader that disables Windows AMSI scanning and loads DcRAT, and a second component that can capture screenshots and exfiltrate data to a remote server. The campaign’s infrastructure included ChinaNet-linked IP addresses and a Chinese-language DcRAT command-and-control panel.
Seqrite said the activity shares infrastructure and tactical overlaps with Silver Fox, a Chinese cybercrime group previously linked to tax-themed phishing campaigns delivering ValleyRAT. The campaign is suspected to be China-aligned and aimed at covert access, credential theft, intelligence collection, and systematic data exfiltration.
Who is affected
Indian taxpayers, tax professionals, and corporate finance teams are directly affected, especially during tax filing season when income tax notices and filing utilities are more likely to appear legitimate.
Organizations in India are also exposed if finance, accounting, payroll, or compliance staff receive and interact with the fake tax notices on work devices.
Windows environments are particularly at risk because the attack chain relies on ZIP archives, DLL side-loading, privilege prompts, Windows service persistence, AMSI bypass, and remote access trojan deployment.
Why CISOs should care
This campaign shows how tax season can become a targeted intrusion window. Attackers are using timely government-themed lures, legal citations, bilingual content, and a fake tax filing utility to make the phishing flow look credible to Indian users.
For CISOs, the corporate finance targeting is especially important. Finance teams often have access to tax documents, bank details, payroll records, invoices, corporate filings, and sensitive internal communications.
The DLL side-loading and image-based payload concealment also make the campaign harder to catch with basic email filtering. The malicious behavior unfolds after the user downloads and runs what appears to be a legitimate filing tool.
The use of DcRAT gives attackers more than one-time data theft. Remote access can support continued surveillance, credential harvesting, lateral movement, and follow-on intrusion activity.
3 practical actions
Warn finance teams about fake tax filing utilities: The campaign impersonates India’s Income Tax Department and uses tax violation or penalty lures. CISOs should brief finance, tax, payroll, and compliance users before and during filing season.
Block suspicious archive and DLL side-loading behavior: The attack uses a ZIP archive, DLL side-loading, image-based payload concealment, and Windows service persistence. Security teams should monitor unusual DLL loads, new services such as MixedSvc, suspicious files staged in system-like directories, and unexpected UAC prompts from tax-related downloads.
Hunt for DcRAT and post-compromise activity: The malware disables AMSI scanning, captures screenshots, exfiltrates data, and communicates with command-and-control infrastructure. Defenders should review endpoint telemetry for AMSI tampering, suspicious .NET loaders, remote access behavior, screenshot capture, and unusual outbound connections.
Cybersecurity in the news:
PamStealer Mimics Maccy Clipboard Manager to Harvest macOS Data
IBM-Managed Environment Breach Exposes Singapore Land Authority Data
Avalon Malware Framework Packs CrownX Ransomware Capabilities
ClickFix Becomes Leading Malware Delivery Method as Attackers Expand to macOS
Flipper Zero Firmware Development Continues With Community Help


