Indian Taxpayers Targeted by Phishing Campaign
In a concerning development, a phishing campaign is targeting Indian taxpayers and businesses by masquerading as the Indian Income Tax Department. Cybercriminals have created convincing fake websites that closely mimic official government portals, utilizing urgent messaging to pressure users into downloading malware-infected files.
How the Scam Operates
The attack hinges on a fraudulent website labeled as the “Official Tax Notice – Income Tax Department, India.” Users who visit this site are greeted with what appears to be a legitimate government communication. They are urged to click a button labeled “DOWNLOAD ASSESSMENT ORDER & WORKINGS,” which instead delivers a harmful archive file to their computers.
On April 27, 2026, researchers from MalwareHunterTeam identified and flagged the malicious domain zyisykm[.]shop, drawing wider attention to the ongoing threat. Security researcher Szabolcs Schmidt further confirmed the malicious nature of the site by uploading samples to the MalwareBazaar repository, establishing that the site was actively distributing harmful content.
The Psychological Manipulation Behind the Attack
This phishing scheme exploits the natural anxiety surrounding tax compliance deadlines. Many individuals, particularly those lacking technical expertise, may perceive a government-branded notice as legitimate and authoritative. This psychological manipulation significantly increases the likelihood of victims downloading malicious files without hesitation.
Individuals and businesses in the financial and corporate sectors face elevated risks as these types of campaigns continue to proliferate. Similar attacks have been documented using fake tax emails to disseminate malware such as Blackmoon and XRed, highlighting a pattern of exploiting tax filing seasons.
Understanding the Infection Process
The attack begins when a victim receives a phishing email or visits a counterfeit website cloaked in official government branding. The site features fabricated details such as reference numbers and compliance deadlines to create a false sense of urgency. Victims are instructed to download a ZIP archive, which contains an executable NSIS-based silent dropper that installs multiple malicious components without raising suspicion.
These droppers can deploy Remote Access Trojans (RATs) and infostealers, capable of capturing sensitive data, logging keystrokes, and connecting to attacker-controlled servers. To ensure the malware’s execution, attackers include deceptive instructions to disable antivirus software, claiming it is necessary for using the “Income Tax Department client.”
Protecting Against Phishing Threats
Recipients of unexpected tax notices by email or those encountering unfamiliar websites claiming to represent the Income Tax Department should verify the source before taking any action. Always visit the official government portal at incometax.gov.in for authentic communications and never disable security software based on instructions from downloaded files.
Organizations should educate employees to identify phishing attempts and report suspicious emails to IT teams promptly. If a device is suspected to be compromised, disconnect it from the network and seek assistance from a cybersecurity professional immediately.
Stay updated with the latest cybersecurity news by following us on Google News, LinkedIn, and X. Set CSN as a preferred source in Google for instant updates.
