Close Menu
    What's Hot

    Republican Leaders Say They’ve Spoken With Mitch McConnell Since Hospitalization

    The Symbols We Saw at Khamenei’s Funeral

    I.O.C. Lifts Russia’s Olympic Suspension, Clearing the Way for 2028

    Facebook X (Twitter) Instagram
    Trending
    • Republican Leaders Say They’ve Spoken With Mitch McConnell Since Hospitalization
    • The Symbols We Saw at Khamenei’s Funeral
    • I.O.C. Lifts Russia’s Olympic Suspension, Clearing the Way for 2028
    • Taiwanese Polls Show Trust in Japan Defense Pledges
    • Discord admits AI moderation bug wrongfully banned users over harmless images
    • Ares Capital: The Market Is Wrong Here (Rating Upgrade) (NASDAQ:ARCC)
    • Argentina 3 – 2 Egypt
    • RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT

    adminBy adminJuly 6, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT

    A suspected China-nexus threat activity cluster has been observed targeting Indian taxpayers, tax professionals, and corporate finance teams to deliver a remote access trojan designed to steal sensitive data from compromised hosts.

    The multi-stage campaign, codenamed Operation DragonReturn by Seqrite Labs, involves sending spear-phishing emails impersonating the Income Tax Department of India. It was first observed on May 18, 2026. The activity, per the cybersecurity company, coincides with the annual income tax filing season in the country.

    “It is not opportunistic – the precision of the lure document, the use of real legal citations, bilingual content, and active payload rotation indicate a deliberate, resourced, and sustained threat operation focused exclusively on the Indian taxpayer ecosystem,” security researchers Dixit Panchal and Soumen Burma said.

    The end goal of the campaign is assessed to be the deployment of malware for financial gain or sensitive data theft.

    The attack chains begin with phishing messages masquerading as India’s income tax department, using tax violations and penalty lures to induce a false sense of urgency and trick users into clicking on a malicious link (“govtop[.]one/incometax”) embedded within PDF attachments.

    Cybersecurity

    The bogus landing page, for its part, instructs users to download a ZIP archive containing what appears to be a common offline utility provided by the department to file tax returns, but, in reality, is engineered to sideload a malicious DLL (“nvdaHelperRemote.dll”), which, in turn, injects another payload into memory.

    This payload ensures it’s running with administrative privileges, and if not, triggers a User Account Control (UAC) prompt to get the user to run it with elevated permissions. Once launched, it performs checks to avoid executing within analysis and sandboxed environments, and then retrieves a JPG image (“lllyd.jpg”) from a hard-coded server (“204.194.48[.]250”) and stores it as “C:\Windows\background.jpg.”

    “This image file is used as a container for a secondary payload, from which a 504 KB DLL is extracted and written to ‘C:\Program Files\Windows Media Player\nvdaHelperRemote.dll,'” Seqrite Labs explained. “After extracting the payload, the malware copies itself as ‘Mixed Reality.exe’ and establishes persistence by creating a Windows service named MixedSvc, configured to start automatically on system boot.”

    “This behaviour confirms that the sample functions as a downloader and installer, using image-based payload concealment and Windows service persistence to maintain long-term access to the infected system.”

    The “Mixed Reality.exe” binary is responsible for deploying two different payloads, one of which is a .NET malware loader that carries out anti-analysis checks, establishes persistence, disables Windows AMSI scanning, and decrypts and loads DCRat on the infected machine. The second payload features capabilities to take screenshots and exfiltrate data to a remote server (“kkxqbh[.]top”).

    Exactly who is behind the activity is unclear, but infrastructure analysis indicates the use of IP addresses belonging to ChinaNet, as well as a Chinese-language web management panel exposed by the DCRat command-and-control (C2) server (“223.26.63[.]40”). In addition, Seqrite said it identified infrastructure and tactical overlaps with Silver Fox, a Chinese cybercrime group previously attributed to tax-themed phishing campaigns that deliver ValleyRAT.

    Based on these similarities, it’s suspected that the campaign is the work of a China-aligned threat actor conducted with an aim to establish covert access for intelligence collection, credential theft, and systematic data exfiltration, Seqrite concluded.

    Cybersecurity

    The disclosure comes as LevelBlue said it detected two distinct campaigns that employ fake installers for LINE and phishing emails with salary adjustment lures to distribute ValleyRAT targeting Chinese- and Japanese-speaking users.

    The email-driven campaign begins with a malicious email containing a URL link that, when accessed by the recipient, triggers the download of a ZIP archive. The archive acts as a foundation for a DLL side-loading chain, with the DLL ultimately downloading and executing ValleyRAT, a remote access trojan that allows operators to seize control of an infected system.

    The fake installer attack chain, in contrast, employs bogus installers for popular software to deliver the malware using techniques like PoolParty Variant 7, while simultaneously focusing on anti-analysis and detection evasion, per Cybereason.

    Interestingly, the use of PoolParty Variant 7 to inject shellcode into “explorer.exe” has been previously observed in connection with a custom malware loader dubbed SADBRIDGE, which is designed to deploy a Golang-based reimplementation of Quasar RAT known as GOSAR. The intrusion set, which targeted Chinese-speaking regions with malicious installers for Telegram and Opera, was attributed by Elastic Security Labs to REF3864.

    “While we don’t have conclusive proof, these commonalities suggest they may have been created by the same threat actor,” Cybereason researcher Hajime Takai noted back in February 2026.

    ChinaNexus DcRAT deploy fake filing hackers Indian suspected tax utility
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleNancy Ward, the Cherokee Leader, Stokes Division Even 250 Years Later
    Next Article British GP: Martin Brundle on ‘immense’ Silverstone 2026, Charles Leclerc’s win and a Safety Car rule he’d change | F1 News
    admin
    • Website

    Related Posts

    RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service

    July 7, 2026

    Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker

    July 7, 2026

    Public GitHub Issue Could Trick GitHub Agentic Workflows Into Leaking Private Repo Data

    July 7, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Republican Leaders Say They’ve Spoken With Mitch McConnell Since Hospitalization

    The Symbols We Saw at Khamenei’s Funeral

    I.O.C. Lifts Russia’s Olympic Suspension, Clearing the Way for 2028

    Taiwanese Polls Show Trust in Japan Defense Pledges

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by