Fake Income Tax Notices Used to Deploy Malware During India’s ITR Season


A New Cyber Threat Exploiting Tax Compliance Anxiety

As India’s Income Tax Return (ITR) season intensifies, cybercriminals are capitalizing on the pressure and urgency faced by individuals and enterprises. Security researchers have uncovered a coordinated phishing campaign that impersonates official communications from the Income Tax Department (ITD), using fake compliance notices as bait. What appears to be a routine tax review email quickly escalates into a sophisticated, multi-stage malware attack capable of delivering Remote Access Trojans (RATs) and information-stealing tools. The campaign highlights how seasonal administrative processes are increasingly weaponized to breach corporate environments and quietly exfiltrate sensitive data.

Overview of the Malicious Campaign

The attack wave revolves around fraudulent emails titled as “Tax Compliance Review Notice,” crafted to resemble legitimate ITD correspondence. These emails serve as the first step in a carefully engineered infection chain, specifically targeting Indian enterprises during the busy tax filing period.

Rather than relying on crude phishing methods, the attackers employ visual authenticity, technical deception, and multi-layered payload delivery to maintain long-term access to compromised systems. The result is not a simple scam, but a persistent remote-access intrusion.

How the Fraudulent Emails Appear Legitimate

The phishing emails are designed with high visual fidelity. They feature the Government of India emblem, official-looking headers, fabricated Document Identification Numbers (DINs), and strict deadlines to pressure recipients into acting quickly.

Interestingly, the email body contains no text at all. Instead, it uses a single embedded image that mimics a genuine tax notice. This tactic helps the email evade traditional spam filters that scan text-based content.

Another red flag is the sender’s address. Many of these emails originate from Outlook.com domains, which is unusual since Indian government departments rarely rely on public webmail services for official correspondence.
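The three traits described above (image-only body, public-webmail sender claiming tax authority, PDF attachment) can be turned into a simple mail-gateway heuristic. The code below is an added example, not from the original report; the sample message is constructed and the public-webmail domain list is an assumption.

```python
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumption: consumer webmail domains an Indian government department would not send from.
PUBLIC_WEBMAIL = {"outlook.com", "hotmail.com", "gmail.com"}


class _HtmlScan(HTMLParser):
    """Collects visible text and counts <img> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.images = "", 0

    def handle_data(self, data):
        self.text += data.strip()

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1


def score_message(msg):
    """Return the list of phishing traits triggered by an EmailMessage."""
    traits = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in PUBLIC_WEBMAIL and "tax" in msg.get("Subject", "").lower():
        traits.append("public-webmail-sender-with-tax-subject")
    html_text, images, has_plain = "", 0, False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" and part.get_content().strip():
            has_plain = True
        elif ctype == "text/html":
            scan = _HtmlScan()
            scan.feed(part.get_content())
            html_text += scan.text
            images += scan.images
        elif part.get_content_disposition() == "attachment" and \
                (part.get_filename() or "").lower().endswith(".pdf"):
            traits.append("pdf-attachment")
    if not has_plain and images and not html_text:   # only an image, no readable text
        traits.append("image-only-body")
    return traits


def build_sample():
    """Constructed sample resembling the notice described in the article (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "ITD Compliance <compliance.notice@outlook.com>"
    msg["To"] = "accounts@example.in"
    msg["Subject"] = "Tax Compliance Review Notice"
    msg.add_alternative('<html><body><img src="cid:notice"></body></html>', subtype="html")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="Review Annexure.pdf")
    return msg
```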

The Malicious Attachment and Fake Tax Portal

Attached to the email is a file named “Review Annexure.pdf.” While it appears harmless, the PDF contains a malicious URL pointing to a fake “Income Tax Compliance Portal” hosted at hxxps://www.akjys.top/.

Clicking the link does not lead to any legitimate login interface. Instead, the site immediately triggers the download of a compressed archive titled “Review Annexure.zip,” without requiring further user interaction.

To deepen the deception, the fake portal displays instructions asking users to disable their antivirus software, claiming compatibility issues. This social engineering tactic is frequently used to weaken endpoint defenses before executing malicious payloads.

First Stage: The Malicious Installer

Once the ZIP archive is extracted, victims encounter an executable file named “setup_Ir5swQ3EpeuBpePEpew=.exe.” This file is packaged using the Nullsoft Scriptable Install System (NSIS) and is digitally signed by a Chinese entity, Hengshui Shenwei Technology Co., Ltd.

The installer runs silently, dropping additional files onto the system and launching a secondary executable with the same name. This second-stage file is signed by another Chinese company, Shandong Anzai Information Technology Co., Ltd., lending an illusion of legitimacy to the process.

Second Stage: RAT Deployment Disguised as Legitimate Software

The second installer masquerades as a Chinese-language application. Behind the scenes, it deploys multiple binaries, DLLs, and drivers into the directory:

C:\Program Files\Common Files\NSEC

When assembled, these components form a fully functional Remote Access Trojan rather than a legitimate software package. The RAT grants attackers deep visibility into the infected system and the ability to control it remotely.

Establishing Persistence on Infected Systems

To ensure long-term access, the malware creates a Windows service named “Windows Real-time Protection Service.” This service automatically executes a component called NSecRTS.exe at system startup.

By mimicking the naming conventions of legitimate security services, the malware reduces the likelihood of detection by users and system administrators. Persistence ensures that even after a reboot, the attacker retains access.

Command-and-Control Communication

Once active, the malware begins collecting system and application data. It communicates with multiple command-and-control (C2) servers using non-standard ports to evade network monitoring tools.

Observed C2 servers include:

154.91.84.3
45.113.192.102
103.235.46.102

The malware communicates over ports such as 48991 and 48992, which are rarely inspected in standard enterprise firewall configurations.
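The persistence mechanism and the C2 indicators from the two sections above can be hunted for in existing telemetry. The script below is an added example, not from the original report: it runs over constructed Windows service-install events (System log event 7045) and firewall connection lines whose format is assumed, and flags the service name, drop directory, binary, hosts and ports the article lists.

```python
import ipaddress
import re

# Indicators as reported in the article.
C2_HOSTS = {"154.91.84.3", "45.113.192.102", "103.235.46.102"}
C2_PORTS = {48991, 48992}
SERVICE_NAME = "Windows Real-time Protection Service"
DROP_DIR = r"C:\Program Files\Common Files\NSEC"

# Constructed sample telemetry (not real captures): 7045 service installs as dicts,
# firewall lines as "<ts> <src> -> <dst>:<port> <action>".
SERVICE_EVENTS = [
    {"event_id": 7045, "service_name": "Windows Defender Antivirus Service",
     "image_path": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"event_id": 7045, "service_name": "Windows Real-time Protection Service",
     "image_path": r"C:\Program Files\Common Files\NSEC\NSecRTS.exe"},
]
FIREWALL_LINES = [
    "2025-07-21T10:02:11Z 10.0.5.23 -> 142.250.74.46:443 ALLOW",
    "2025-07-21T10:02:19Z 10.0.5.23 -> 154.91.84.3:48991 ALLOW",
    "2025-07-21T10:03:40Z 10.0.5.23 -> 45.113.192.102:48992 ALLOW",
    "2025-07-21T10:04:02Z 10.0.5.44 -> 8.8.8.8:53 ALLOW",
]
FW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def flag_service_installs(events):
    """Return (name, path) for 7045 events matching the reported service name,
    the NSecRTS.exe binary, or any binary under the NSEC drop directory."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        name, path = ev["service_name"], ev["image_path"]
        in_drop_dir = path.lower().startswith(DROP_DIR.lower() + "\\")
        if name == SERVICE_NAME or in_drop_dir or path.lower().endswith("\\nsecrts.exe"):
            hits.append((name, path))
    return hits


def flag_c2_connections(lines):
    """Return (src, dst, port) for flows to a known C2 host, or to the campaign's
    non-standard ports on any non-private destination."""
    hits = []
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, src, dst, port, _action = m.groups()
        port = int(port)
        if dst in C2_HOSTS or (port in C2_PORTS and not ipaddress.ip_address(dst).is_private):
            hits.append((src, dst, port))
    return hits
```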

Indicators of a China-Linked Development Environment

Analysis of the malware reveals multiple indicators pointing toward a China-linked development environment. These include Chinese-language artifacts, compile-time metadata, and the use of digital certificates associated with Chinese technology firms.

While attribution remains complex, the consistency of these indicators suggests the tooling and infrastructure were developed within a Chinese ecosystem.

Why Tax-Themed Attacks Are So Effective

Tax compliance is a high-stress process, particularly for enterprises facing regulatory scrutiny and tight deadlines. Attackers exploit this pressure by crafting messages that demand immediate action, reducing the likelihood that recipients will carefully inspect email origins or attachments.

This campaign demonstrates how familiar administrative themes can be transformed into highly effective entry points for advanced cyber intrusions.

What Undercode Says:

Seasonal Events Are Becoming Prime Attack Windows

Tax season, audit periods, and regulatory deadlines now represent predictable attack windows for cybercriminals. Threat actors carefully time their campaigns to coincide with moments when vigilance is naturally lower due to workload pressure.

Visual Authenticity Is Replacing Technical Sophistication in Phishing

Rather than relying solely on malicious links, attackers are investing heavily in visual realism. Embedded images, government emblems, and realistic formatting are proving more effective than poorly written emails filled with suspicious links.

Digitally Signed Malware Is a Growing Challenge

The use of legitimate-looking digital signatures significantly reduces suspicion. Many users and even security tools still associate signed binaries with trust, making this tactic particularly dangerous.

RATs Signal Long-Term Espionage, Not Quick Profit

The deployment of a full-featured Remote Access Trojan suggests objectives beyond quick financial fraud. Persistent access enables data theft, corporate espionage, lateral movement, and potential future attacks.

Antivirus Evasion Through Social Engineering

Instructing victims to disable antivirus software is a simple yet effective technique. When combined with urgency and authority, many users comply without questioning the request.

Indian Enterprises Remain High-Value Targets

With vast amounts of financial and personal data, Indian enterprises are increasingly attractive targets. Campaigns like this highlight a shift from mass phishing to more targeted, enterprise-focused operations.

Network-Level Detection Is Critical

Non-standard ports and multiple C2 servers indicate an attempt to bypass endpoint-only defenses. Organizations relying solely on antivirus solutions may miss early indicators of compromise.

Awareness Training Must Match Modern Threats

Traditional phishing awareness focused on spelling errors and suspicious links is no longer sufficient. Employees must be trained to question visual authenticity and contextual urgency.

Fact Checker Results

Campaign Uses Realistic ITD Branding

✅ Confirmed use of Government of India emblems and fabricated DINs.

Malware Delivers Persistent Remote Access

✅ Evidence supports full RAT functionality and service-based persistence.

China-Linked Indicators Are Present

❌ Attribution remains circumstantial, based on artifacts and certificates.

Prediction

🔮 Tax-themed cyberattacks will continue to grow as threat actors refine timing-based social engineering.
🔮 Digitally signed malware will become more common, challenging trust-based security models.
🔮 Enterprises will face increased pressure to detect phishing beyond surface-level indicators.


References:

Reported By: cyberpress.org