Fake Indian Tax Utility Used in Campaign to Push DcRAT, Researchers Say

Security researchers say a suspected China-linked threat group has been targeting Indian taxpayers, tax advisors, and finance staff with phishing emails that lead to a malicious remote access trojan k...

Security researchers say a suspected China-linked threat group has been targeting Indian taxpayers, tax advisors, and finance staff with phishing emails that lead to a malicious remote access trojan known as DcRAT.

The campaign, tracked by Seqrite Labs as Operation DragonReturn, was first seen in mid-May 2026 and appears timed to coincide with India’s annual income tax filing season. According to the researchers, the operation is carefully built rather than broadly sprayed, using realistic tax-related wording, bilingual content, and references to official procedures to make the messages appear legitimate.

How the attack works

The intrusion chain begins with emails that imitate the Indian Income Tax Department and warn of supposed violations or penalties. Recipients are urged to open a PDF attachment that contains a link to a fake government domain. That site then directs users to download a ZIP file posing as an offline tax-filing utility.

Inside the archive, the file structure is designed to abuse DLL sideloading. A malicious library is loaded, which then injects additional code into memory. The malware checks whether it has administrative rights and may trigger a Windows User Account Control prompt if elevated access is needed.

From there, the malware performs anti-analysis checks, retrieves a JPG file from an external server, and extracts a secondary payload hidden inside the image. That payload is copied into a Windows Media Player directory and then duplicated again as Mixed Reality.exe. The malware also creates a Windows service to ensure it starts automatically after reboot.

Seqrite said one component acts as a loader that disables Windows AMSI scanning, maintains persistence, and decrypts DcRAT on the infected machine. Another module is able to capture screenshots and send stolen data to a remote server.

Researchers did not name a definitive operator, but they noted technical indicators tied to China-based infrastructure and a Chinese-language management panel connected to the command-and-control server. Seqrite also said the campaign overlaps with tactics previously associated with Silver Fox, a group linked to tax-themed phishing and ValleyRAT deployments.

  • Primary targets: Indian taxpayers, finance teams, and tax professionals
  • Delivery method: phishing emails, malicious PDF links, and ZIP downloads
  • Payload: DcRAT, plus loader and persistence components
  • Likely objective: credential theft, data exfiltration, and long-term access

The disclosure follows separate reports from LevelBlue, Cybereason, and others describing related RAT campaigns using fake installers and phishing lures to spread ValleyRAT and other malware families across Asian-language user groups.