- Fake tax notices are becoming delivery vehicles for sophisticated remote access malware
- Attackers hide malicious code behind compelling government branding and legal references
- The malware silently establishes encrypted communication with servers outside the country
A new phishing campaign uses fake income tax assessment notices to send dangerous malware to unsuspecting victims across India.
CYFIRMA researchers identified the operation, which is based on a fraudulent website created to closely resemble official communication from the Indian Income Tax Department.
The fake portal, hosted on a newly registered domain, presents a compelling assessment order complete with legal references, financial penalties, and urgent compliance language designed to pressure recipients to act quickly.
How the infection develops
Victims who interact with the fake notice are prompted to download a ZIP file disguised as official assessment documentation and supporting calculations.
Once extracted, that file reveals a disk image file that acts as a container for the actual malicious payload.
Inside is a loader program that silently activates a second component, a DLL file disguised to look like a legitimate Windows service.
Researchers discovered that this loader uses reflection-based techniques specifically designed to make automated detection and analysis significantly more difficult.
Both files were obfuscated using a known protection tool, further complicating security teams’ efforts to inspect the code.
Once active, the payload behaves like a remote access Trojan and grants attackers persistent, encrypted access to the infected machine.
It can collect system details, monitor user activity, check what security software is installed, and silently load additional malicious components when commanded.
Communication with the attacker’s server occurs over an encrypted channel, and the command-and-control address itself is stored in encrypted form; it was traced to infrastructure based in Hong Kong.
These capabilities point toward a financially motivated operation, rather than one focused on immediate damage or disruption, and closely resemble traits associated with the XWorm RAT family.
However, the researchers note that conclusive attribution to a specific threat actor is not yet confirmed at this stage.
Why is this campaign important?
This is not an isolated phishing attempt, but part of a broader pattern of attackers taking advantage of the anxiety of tax season to completely bypass user caution.
CYFIRMA’s findings show that the same loader and payload architecture has previously been linked to ransomware operators, suggesting that this infrastructure may serve more than one type of attack depending on the victim.
Up-to-date antivirus software with behavioral detection remains a practical defense against this type of staged, multi-component malware distribution.
Security researchers recommend that people verify any tax-related correspondence directly through official government channels instead of clicking on embedded links.
Organizations are advised to restrict the execution of unknown files arriving inside archives or disk images, as this campaign relies heavily on that exact delivery method to be successful.
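As an added example (not code from CYFIRMA or TechRadar), the following Python check shows how a mail gateway or SOC triage script could flag the nesting described above, a ZIP that carries a disk image, by magic bytes rather than file extension, so a renamed ISO or VHD is still caught. The ZIP and the fake ISO used as input are constructed here for the demonstration.

```python
import io
import zipfile

ISO_MAGIC_OFFSET = 0x8001        # ISO 9660 primary volume descriptor: sector 16, byte 1
ISO_MAGIC = b"CD001"
VHD_MAGIC = b"conectix"          # VHD cookie: start of a dynamic VHD, footer of a fixed VHD
ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER = 64 * 1024 * 1024    # bound decompression per member (zip-bomb guard)

def identify_blob(data: bytes) -> str:
    """Classify a member by content, ignoring its declared filename."""
    if len(data) > ISO_MAGIC_OFFSET + len(ISO_MAGIC) and \
            data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso9660"
    if data[:8] == VHD_MAGIC or (len(data) >= 512 and data[-512:-504] == VHD_MAGIC):
        return "vhd"
    if data[:4] == ZIP_MAGIC:
        return "zip"
    return "other"

def find_disk_images_in_zip(zip_bytes: bytes, depth: int = 0, max_depth: int = 2) -> list:
    """Return (member_path, kind) for every disk image found, recursing into nested ZIPs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:            # read a bounded amount, never the whole stream
                data = fh.read(MAX_MEMBER + 1)
            if len(data) > MAX_MEMBER:
                continue                          # oversized member: skip, do not inflate further
            kind = identify_blob(data)
            if kind in ("iso9660", "vhd"):
                findings.append((info.filename, kind))
            elif kind == "zip" and depth < max_depth:
                for path, k in find_disk_images_in_zip(data, depth + 1, max_depth):
                    findings.append((f"{info.filename}/{path}", k))
    return findings

def build_sample_zip() -> bytes:
    """Constructed fixture: a ZIP holding a minimal fake ISO renamed to .pdf plus a text file."""
    fake_iso = bytearray(ISO_MAGIC_OFFSET + len(ISO_MAGIC) + 2048)
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Assessment_Order.pdf", bytes(fake_iso))   # disk image hiding behind .pdf
        zf.writestr("readme.txt", "not an image")
    return buf.getvalue()

def wrap_in_zip(inner: bytes, name: str = "inner.zip") -> bytes:
    """Constructed fixture: nest one ZIP inside another to exercise the recursion."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, inner)
    return buf.getvalue()
```

Real ISO images may also carry a UDF structure and real VHDX files use a different header, so a production scanner would extend `identify_blob` accordingly.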