Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT

The Hacker News by The Hacker News
July 6, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


A suspected China-nexus threat activity cluster has been observed targeting Indian taxpayers, tax professionals, and corporate finance teams to deliver a remote access trojan designed to steal sensitive data from compromised hosts.

The multi-stage campaign, codenamed Operation DragonReturn by Seqrite Labs, involves sending spear-phishing emails impersonating the Income Tax Department of India. It was first observed on May 18, 2026. The activity, per the cybersecurity company, coincides with the annual income tax filing season in the country.

“It is not opportunistic – the precision of the lure document, the use of real legal citations, bilingual content, and active payload rotation indicate a deliberate, resourced, and sustained threat operation focused exclusively on the Indian taxpayer ecosystem,” security researchers Dixit Panchal and Soumen Burma said.

The end goal of the campaign is assessed to be the deployment of malware for financial gain or sensitive data theft.

The attack chains begin with phishing messages masquerading as India’s income tax department, using tax violations and penalty lures to induce a false sense of urgency and trick users into clicking on a malicious link (“govtop[.]one/incometax”) embedded within PDF attachments.

The bogus landing page, for its part, instructs users to download a ZIP archive containing what appears to be a common offline utility provided by the department to file tax returns, but, in reality, is engineered to sideload a malicious DLL (“nvdaHelperRemote.dll”), which, in turn, injects another payload into memory.

This payload ensures it’s running with administrative privileges, and if not, triggers a User Account Control (UAC) prompt to get the user to run it with elevated permissions. Once launched, it performs checks to avoid executing within analysis and sandboxed environments, and then retrieves a JPG image (“lllyd.jpg”) from a hard-coded server (“204.194.48[.]250”) and stores it as “C:Windowsbackground.jpg.”

“This image file is used as a container for a secondary payload, from which a 504 KB DLL is extracted and written to ‘C:Program FilesWindows Media PlayernvdaHelperRemote.dll,'” Seqrite Labs explained. “After extracting the payload, the malware copies itself as ‘Mixed Reality.exe’ and establishes persistence by creating a Windows service named MixedSvc, configured to start automatically on system boot.”

“This behaviour confirms that the sample functions as a downloader and installer, using image-based payload concealment and Windows service persistence to maintain long-term access to the infected system.”

The “Mixed Reality.exe” binary is responsible for deploying two different payloads, one of which is a .NET malware loader that carries out anti-analysis checks, establishes persistence, disables Windows AMSI scanning, and decrypts and loads DCRat on the infected machine. The second payload features capabilities to take screenshots and exfiltrate data to a remote server (“kkxqbh[.]top”).

Exactly who is behind the activity is unclear, but infrastructure analysis indicates the use of IP addresses belonging to ChinaNet, as well as a Chinese-language web management panel exposed by the DCRat command-and-control (C2) server (“223.26.63[.]40”). In addition, Seqrite said it identified infrastructure and tactical overlaps with Silver Fox, a Chinese cybercrime group previously attributed to tax-themed phishing campaigns that deliver ValleyRAT.

Based on these similarities, it’s suspected that the campaign is the work of a China-aligned threat actor conducted with an aim to establish covert access for intelligence collection, credential theft, and systematic data exfiltration, Seqrite concluded.

The disclosure comes as LevelBlue said it detected two distinct campaigns that employ fake installers for LINE and phishing emails with salary adjustment lures to distribute ValleyRAT targeting Chinese- and Japanese-speaking users.

The email-driven campaign begins with a malicious email containing a URL link that, when accessed by the recipient, triggers the download of a ZIP archive. The archive acts as a foundation for a DLL side-loading chain, with the DLL ultimately downloading and executing ValleyRAT, a remote access trojan that allows operators to seize control of an infected system.

The fake installer attack chain, in contrast, employs bogus installers for popular software to deliver the malware using techniques like PoolParty Variant 7, while simultaneously focusing on anti-analysis and detection evasion, per Cybereason.

Interestingly, the use of PoolParty Variant 7 to inject shellcode into “explorer.exe” has been previously observed in connection with a custom malware loader dubbed SADBRIDGE, which is designed to deploy a Golang-based reimplementation of Quasar RAT known as GOSAR. The intrusion set, which targeted Chinese-speaking regions with malicious installers for Telegram and Opera, was attributed by Elastic Security Labs to REF3864.

“While we don’t have conclusive proof, these commonalities suggest they may have been created by the same threat actor,” Cybereason researcher Hajime Takai noted back in February 2026.



Source link

The Hacker News

The Hacker News

Next Post
Asda’s supply chain woes bring lessons for IT project planning | Computer Weekly

Asda’s supply chain woes bring lessons for IT project planning | Computer Weekly

Recommended.

ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances

ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances

June 10, 2026
CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits

CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits

May 15, 2026

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio