- Fake tax notices are becoming delivery vehicles for sophisticated remote access malware
- Attackers hide malicious code behind convincing government branding and legal references
- The malware quietly establishes encrypted communication with servers outside the country
A new phishing campaign is using fake tax assessment notices to deliver dangerous malware to unsuspecting victims across India.
Researchers at CYFIRMA identified the operation, which relies on a fraudulent website built to look like official communications from the Indian Income Tax Department.
Hosted on a newly registered domain, the fake portal presents a compelling assessment order complete with legal references, financial penalties and urgent compliance language designed to pressure recipients to act quickly.
How the infection unfolds
Victims who interact with the fake message are asked to download a ZIP archive disguised as official assessment documentation and supporting calculations.
Once extracted, this archive reveals a disk image file that acts as a container for the actual malicious payload.
Inside sits a loader program that quietly triggers another component, a DLL disguised to look like a legitimate Windows service.
Researchers found that this loader uses reflection-based techniques specifically built to make automated detection and analysis significantly more difficult.
Both files were obfuscated using a known protection tool, further complicating security teams’ efforts to inspect the code.
When active, the payload behaves like a remote access Trojan, giving attackers persistent, encrypted access to the infected machine.
It can collect system details, monitor user activity, check what security software is installed, and silently load additional malicious components on command.
Communication with the attacker’s server is done over an encrypted channel, using a hardcoded address traced to infrastructure based in Hong Kong.
These characteristics point to a financially motivated operation rather than one focused on immediate damage or disruption, and they closely resemble those of known commodity RAT families such as XWorm.
However, researchers note that definitive attribution to a specific threat actor remains unconfirmed at this stage.
Why this campaign is important
This is not an isolated phishing attempt, but part of a broader pattern of attackers exploiting tax-season anxiety to bypass user caution.
CYFIRMA’s findings show that the same loader-and-payload architecture has previously been associated with ransomware operators, suggesting that this infrastructure can serve more than one type of attack depending on the victim.
Up-to-date antivirus software with behavioral detection remains a practical defense against this kind of incremental, multi-component malware delivery.
Security researchers recommend that individuals confirm any tax-related correspondence directly through official government channels rather than clicking on embedded links.
Organizations are advised to limit the execution of unknown files arriving through archives or disk images, as this campaign is highly dependent on the exact delivery method to succeed.
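As an added illustration of that advice (example code, not from CYFIRMA or TechRadar), the following Python check inspects an inbound ZIP for the archive-to-disk-image-to-executable nesting described above, flagging members both by extension and by content signature so a renamed image or executable is still caught. The extension lists and the constructed sample archive are assumptions.

```python
import io
import os
import zipfile

# Extensions that act as containers in the chain described above, and the
# file types a loader stage usually takes (assumed lists; tune to local policy).
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx", ".zip", ".7z", ".rar"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".js", ".vbs", ".lnk", ".bat", ".ps1"}
ISO_SIG, ISO_SIG_OFFSET = b"CD001", 0x8001  # ISO 9660 primary volume descriptor

def classify_member(name: str, data: bytes) -> list[str]:
    """Return policy findings for one archive member, by name and by content."""
    findings = []
    ext = os.path.splitext(name.lower())[1]
    if ext in CONTAINER_EXTS:
        findings.append(f"nested container: {name}")
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable payload: {name}")
    # Check content, not just the name: a renamed ISO still carries 'CD001'
    # at offset 0x8001, and a renamed Windows executable still starts with 'MZ'.
    if data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] == ISO_SIG:
        findings.append(f"ISO 9660 image by signature: {name}")
    if data[:2] == b"MZ":
        findings.append(f"PE executable by signature: {name}")
    return findings

def inspect_zip(blob: bytes) -> list[str]:
    """Walk a ZIP attachment, recursing into nested ZIPs, and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            findings.extend(classify_member(info.filename, data))
            if info.filename.lower().endswith(".zip"):
                findings.extend(inspect_zip(data))
    return findings

def build_sample() -> bytes:
    """Constructed sample: a decoy PDF plus a minimal ISO-like blob, no real payload."""
    fake_iso = bytearray(ISO_SIG_OFFSET + 16)
    fake_iso[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] = ISO_SIG
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Assessment_Order.pdf", b"%PDF-1.4 constructed decoy")
        zf.writestr("Supporting_Calculations.img", bytes(fake_iso))
    return buf.getvalue()
```

Any non-empty result from inspect_zip is a reason to quarantine the attachment rather than let the user open it, which is the control the researchers recommend.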