A suspected China-nexus threat activity cluster has been observed targeting Indian taxpayers, tax professionals, and corporate finance teams to deliver a remote access trojan designed to steal sensitive data from compromised hosts.

The multi-stage campaign, codenamed Operation DragonReturn by Seqrite Labs, involves sending spear-phishing emails impersonating the Income Tax Department of India. It was first observed on May 18, 2026. The activity, per the cybersecurity company, coincides with the annual income tax filing season in the country.

“It is not opportunistic – the precision of the lure document, the use of real legal citations, bilingual content, and active payload rotation indicate a deliberate, resourced, and sustained threat operation focused exclusively on the Indian taxpayer ecosystem,” security researchers Dixit Panchal and Soumen Burma said.

The end goal of the campaign is assessed to be the deployment of malware for financial gain or sensitive data theft.

The attack chains begin with phishing messages masquerading as India’s income tax department, using tax violations and penalty lures to induce a false sense of urgency and trick users into clicking on a malicious link (“govtop[.]one/incometax”) embedded within PDF attachments.

The bogus landing page, for its part, instructs users to download a ZIP archive containing what appears to be a common offline utility provided by the department to file tax returns, but, in reality, is engineered to sideload a malicious DLL (“nvdaHelperRemote.dll”), which, in turn, injects another payload into memory.

This payload ensures it’s running with administrative privileges, and if not, triggers a User Account Control (UAC) prompt to get the user to run it with elevated permissions. Once launched, it performs checks to avoid executing within analysis and sandboxed environments, and then retrieves a JPG image (“lllyd.jpg”) from a hard-coded server (“204.194.48[.]250”) and stores it as “C:\Windows\background.jpg.”

“This image file is used as a container for a secondary payload, from which a 504 KB DLL is extracted and written to ‘C:\Program Files\Windows Media Player\nvdaHelperRemote.dll,'” Seqrite Labs explained. “After extracting the payload, the malware copies itself as ‘Mixed Reality.exe’ and establishes persistence by creating a Windows service named MixedSvc, configured to start automatically on system boot.”

“This behaviour confirms that the sample functions as a downloader and installer, using image-based payload concealment and Windows service persistence to maintain long-term access to the infected system.”

The “Mixed Reality.exe” binary is responsible for deploying two different payloads, one of which is a .NET malware loader that carries out anti-analysis checks, establishes persistence, disables Windows AMSI scanning, and decrypts and loads DCRat on the infected machine. The second payload features capabilities to take screenshots and exfiltrate data to a remote server…


Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at [email protected]

 

 

Categorized in:

Blog,

Last Update: July 6, 2026