EXECUTIVE SUMMARY:
A malware distribution campaign leveraging a fraudulent Indian Income Tax Department-themed lure to deliver a Remote Access Trojan (RAT)-like payload has been identified. The campaign utilizes a convincing fake tax assessment notification hosted on the domain , designed to impersonate legitimate government communication and trick victims into downloading a malicious archive containing staged malware components. The threat actors employ social engineering techniques by presenting a fake assessment order containing tax-related terminology, legal references, compliance requirements, and financial implications to create urgency and increase victim interaction.
The downloaded archive contains a malicious disk image file that delivers a PE loader (a malicious executable) and an associated payload (a malicious library). The malicious executable functions as a loader responsible for initiating execution of the malicious library via reflection mechanisms. Both components were protected using ConfuserEx obfuscation, indicating an attempt to hinder static analysis and evade traditional security detection mechanisms.
The observed capabilities—including modular payload loading, encrypted communication, persistence mechanisms, and remote execution functionality—indicate that the campaign is designed to establish unauthorized access to and maintain control over compromised hosts. The activity highlights the continued abuse of trusted government and financial themes to distribute malware targeting users and organizations in India.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Discovery | T1082 | System Information Discovery | - |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
| --- | --- | --- |
| Defense Evasion | B0029 | Polymorphic Code |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Command & Control | B0030 | C2 Communication |
| Impact | B0022 | Remote Access |
| Discovery | E1082 | System Information Discovery |
| Execution | E1204 | User Execution |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Discovery | E1083 | File and Directory Discovery |
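As an added example (not CYFIRMA's tooling and not code from the report), the following Python correlation runs over constructed Sysmon-style events and flags the chain mapped above: a process the user launches from a non-system volume, as a mounted disk image would receive, followed within a short window by a Run/RunOnce value written by that process or one of its descendants (E1204 User Execution leading to T1547.001 / F0012). Field names follow Sysmon Event 1 and Event 13; the drive-letter heuristic, time window, paths and GUIDs are assumptions for this example, not indicators from the report.

```python
import re
from datetime import datetime, timedelta

# Thresholds and heuristics are assumptions for this example; tune per environment.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SYSTEM_DRIVE_RE = re.compile(r"^C:\\", re.I)          # assumes C: is the OS volume
WINDOW = timedelta(minutes=10)

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value set).
# Paths, GUIDs and value names are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-15 10:00:00", "ProcessGuid": "{A}", "ParentProcessGuid": "{EXP}",
     "Image": "D:\\Assessment_Order.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "UtcTime": "2024-01-15 10:00:05", "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": "C:\\Users\\v\\AppData\\Roaming\\svc.exe", "ParentImage": "D:\\Assessment_Order.exe"},
    {"EventID": 13, "UtcTime": "2024-01-15 10:00:12", "ProcessGuid": "{B}",
     "Image": "C:\\Users\\v\\AppData\\Roaming\\svc.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"EventID": 1, "UtcTime": "2024-01-15 11:00:00", "ProcessGuid": "{C}", "ParentProcessGuid": "{EXP}",
     "Image": "C:\\Program Files\\Vendor\\setup.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 13, "UtcTime": "2024-01-15 11:00:03", "ProcessGuid": "{C}",
     "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events):
    """Flag a process launched by explorer.exe from a non-system volume (the drive
    letter a mounted disk image receives) that, itself or via a descendant, writes
    a Run/RunOnce value within WINDOW of the launch (user execution -> T1547.001)."""
    suspects, alerts = {}, []               # ProcessGuid -> (origin image, launch time)
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        guid, t = ev["ProcessGuid"], _ts(ev["UtcTime"])
        if ev["EventID"] == 1:
            parent = ev.get("ParentProcessGuid")
            if parent in suspects:          # inherit suspicion down the process tree
                suspects[guid] = suspects[parent]
            elif (not SYSTEM_DRIVE_RE.match(ev["Image"])
                  and ev["ParentImage"].lower().endswith("\\explorer.exe")):
                suspects[guid] = (ev["Image"], t)
        elif ev["EventID"] == 13 and guid in suspects and RUN_KEY_RE.search(ev["TargetObject"]):
            origin, t0 = suspects[guid]
            if t - t0 <= WINDOW:            # persistence shortly after the lure ran
                alerts.append({"origin": origin, "writer": ev["Image"],
                               "key": ev["TargetObject"], "technique": "T1547.001"})
    return alerts
```

On the constructed sample the vendor installer writing its own Run value from C:\Program Files is not flagged, while the binary started from D: whose child writes a Run value twelve seconds later is.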
REFERENCES:
The following reports contain further technical details:
https://www.cyfirma.com/research/an-income-tax-assessment-notice-phishing-campaign-delivering-malware/