- Fake tax notices are becoming delivery vehicles for sophisticated remote access malware
- Attackers hide malicious code behind convincing government branding and legal references
- The malware quietly establishes encrypted communication with servers outside the country
A new phishing campaign is using fake income tax assessment notices to deliver dangerous malware to unsuspecting victims across India.
Researchers at CYFIRMA identified the operation, which relies on a fraudulent website built to closely resemble official communication from the Indian Income Tax Department.
The fake portal, hosted on a recently registered domain, presents a convincing assessment order complete with legal references, financial penalties, and urgent compliance language designed to pressure recipients into acting quickly.
How the infection unfolds
Victims who interact with the fake notice are prompted to download a ZIP archive disguised as official assessment documentation and supporting calculations.
Once extracted, that archive reveals a disk image file functioning as a container for the actual malicious payload.
Inside sits a loader program that quietly triggers a second component, a DLL named to look like a legitimate Windows service.
Researchers found that the loader brings in that DLL through reflection rather than a normal module load, a technique chosen specifically to make automated detection and analysis considerably more difficult.
Both files were obfuscated using a known protection tool, further complicating efforts by security teams to inspect the code.
Once active, the payload behaves like a Remote Access Trojan, granting attackers persistent, encrypted access to the infected machine.
It can collect system details, monitor user activity, check which security software is installed, and silently load additional malicious…
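A first-line check for the delivery stage described above, written here as an added example and not code from CYFIRMA's report or from the campaign: it walks a ZIP attachment's members and flags any that is a disk image, by extension or, more usefully, by magic bytes, so that an image renamed to something like .pdf is still caught. The archive it scans is constructed inside the script to mimic the lure (an ISO 9660 stub plus a VHDX stub hiding behind a document name); the member names, the size cap and the extension list are assumptions for illustration, not details from the report.

```python
"""Triage a ZIP attachment for disk-image members that can smuggle executables.

Added example for this article; it is not code from CYFIRMA or from the
campaign itself. The sample archive built below is constructed test data
that mimics the described lure (a ZIP carrying a disk image), with invented
names.
"""
from __future__ import annotations

import io
import zipfile

# Format signatures as (offset, marker). ISO 9660 keeps its primary volume
# descriptor at sector 16 (byte 0x8000) with the "CD001" identifier one byte
# in; VHDX starts with "vhdxfile"; a dynamic VHD starts with "conectix".
IMAGE_SIGNATURES = {
    "iso9660": (0x8001, b"CD001"),
    "vhdx": (0, b"vhdxfile"),
    "vhd": (0, b"conectix"),
}
IMAGE_EXTENSIONS = (".iso", ".img", ".vhd", ".vhdx")   # assumed watch-list
MAX_INSPECT_BYTES = 64 * 1024 * 1024  # larger members are only head-checked (assumed cap)
HEAD_BYTES = 0x8010                   # enough to cover the ISO descriptor


def identify_image(data: bytes) -> str | None:
    """Return the disk-image format the bytes match, or None if nothing matches."""
    for fmt, (offset, marker) in IMAGE_SIGNATURES.items():
        if data[offset:offset + len(marker)] == marker:
            return fmt
    # A fixed-size VHD only carries its "conectix" footer in the last 512 bytes.
    if len(data) >= 512 and data[-512:].startswith(b"conectix"):
        return "vhd"
    return None


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Flag every ZIP member that looks like a disk image.

    A member is reported if its extension is an image type or if its bytes
    carry an image signature; "disguised" marks the latter case when the
    extension says something else (for example an ISO renamed to .pdf).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size <= MAX_INSPECT_BYTES:
                data = zf.read(info)
            else:
                with zf.open(info) as member:
                    data = member.read(HEAD_BYTES)  # footer check is skipped here
            fmt = identify_image(data)
            has_image_ext = info.filename.lower().endswith(IMAGE_EXTENSIONS)
            if fmt is None and not has_image_ext:
                continue
            findings.append({
                "member": info.filename,
                "format": fmt,
                "disguised": fmt is not None and not has_image_ext,
                "size": info.file_size,
            })
    return findings


def build_sample_zip() -> bytes:
    """Construct a stand-in for the lure archive (test data, not a real sample)."""
    iso = bytearray(0x8800)
    iso[0x8000:0x8007] = b"\x01CD001\x01"   # primary volume descriptor header
    vhdx = b"vhdxfile" + b"\x00" * 504      # header-only VHDX stub
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Assessment_Order_Documents.iso", bytes(iso))
        zf.writestr("Tax_Computation.pdf", vhdx)  # image hiding behind a document name
        zf.writestr("readme.txt", b"Please open the attached assessment documents.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Disk images are a favourite wrapper because many archive scanners unpack the ZIP but never descend into the ISO or VHD inside it, while Windows mounts the image on a double-click. Any member this check flags should be extracted in a sandbox (7-Zip opens ISO and VHD containers) and inspected for the loader-plus-DLL pairing the report describes, and the mail gateway policy should treat a disk image nested in an archive as grounds for quarantine rather than delivery.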