Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Fake Indian Tax Notice Distributes Dual Malware via Complex Chain

Fake Indian Tax Notice Distributes Dual Malware via Complex Chain

Posted on July 8, 2026 By CWS

A recent cybersecurity threat has emerged involving fake Indian tax notices that deceive users into installing two different remote access trojans (RATs) on their systems. This malicious campaign masquerades as a legitimate communication from the Income Tax Department, coercing victims through fear of penalties into downloading harmful software.

Deceptive Tactics and Multi-Stage Execution

The attackers have crafted a six-stage infection process that culminates in the deployment of two RATs, functioning independently within the system memory. Each trojan is linked to its own command server, providing the attackers with redundancy in case one connection is terminated. This level of sophistication highlights the calculated planning behind the attack, setting it apart from standard phishing schemes.

Security experts first detected this operation when it targeted Indian users with government-themed bait. According to a report by Cyderes shared with Cyber Security News, the entire technical sequence was traced, from the initial fake notice to the final malicious payloads operating within legitimate system processes.

Authenticity in Deception

To enhance the credibility of their scam, the attackers used realistic government branding, referencing ministries like the Ministry of Finance and the Enforcement Division. This made the fake tax notice appear genuine. Upon clicking through, victims are led to a counterfeit Microsoft verification page before encountering any malware, an additional trust-building step that increases the campaign’s effectiveness against unsuspecting users.

The attack initiates on fraudulent websites mimicking the Indian Income Tax Department, each featuring an “/incometax” URL path and a fabricated compliance notice. The false message warns of a tax law violation, urging document submission within 72 hours to avoid penalties. Clicking “Download Documents” redirects users to a page designed as a “Microsoft Edge Secure Gateway,” performing fake security checks before downloading a ZIP file.

Technical Breakdown and Recommendations

The downloaded archive, named Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip, contains a legitimate signed executable and a malicious DLL, nvdaHelperRemote.dll. The executable unwittingly loads the malicious DLL due to Windows DLL search order abuse, allowing the malware entry into the system.

Following this, the attack progresses through several stages involving privilege escalation and the establishment of a persistence service disguised as “Windows Mixed Reality Service.” The malware further retrieves a file masquerading as a JPEG image, which conceals encrypted payloads, bypassing casual inspection by exploiting polyglot file techniques.

In the final stages, the malware injects two payloads into svchost.exe processes in every active user session, ensuring persistence across user switches. The final implants include a Gh0st RAT derivative, capable of screen capture, and a .NET-based implant from the Quasar or AsyncRAT family, which manipulates the Antimalware Scan Interface prior to execution.

Conclusion and Security Measures

The use of separate communication channels for each RAT ensures that blocking one does not terminate the intrusion. Common detection artifacts, such as staged services and named global events, provide a quick path for response teams to identify and contain breaches. Recommended detection strategies involve monitoring for signed binaries loading unsigned DLLs, unusual service creations, AMSI tampering, and svchost.exe process injections from unanticipated sources.

Given the stealthy nature of this malware, which utilizes in-memory execution and signed binary exploitation, comprehensive defenses and proactive threat hunting are crucial. Relying solely on detection systems may not suffice to prevent escalation.

Cyber Security News Tags:cyber attack, cyber threat, Cybersecurity, dual malware, Indian tax notice, ITR notice, Malware, Phishing, RAT, security breach

Post navigation

Previous Post: AI Coding Tools Trigger Security Alerts in Endpoint Systems
Next Post: SCMBANKER Malware Targets Mexican Banks with ClickFix Tactics

Related Posts

Iran-Linked Botnet Unveiled Through Open Directory Leak Iran-Linked Botnet Unveiled Through Open Directory Leak Cyber Security News
Microsoft January 2026 Security Update Causes Credential Prompt Failures in Remote Desktop Connections Microsoft January 2026 Security Update Causes Credential Prompt Failures in Remote Desktop Connections Cyber Security News
RapperBot Botnet Attack Peaks 50,000+ Attacks Targeting Network Edge Devices RapperBot Botnet Attack Peaks 50,000+ Attacks Targeting Network Edge Devices Cyber Security News
Critical Flaw in MCP Toolbox Poses Security Risks Critical Flaw in MCP Toolbox Poses Security Risks Cyber Security News
Dark Web Job Market Evolved Dark Web Job Market Evolved Cyber Security News
Cyberattackers Penetrate Networks Using SonicWall SSLVPN Credentials Cyberattackers Penetrate Networks Using SonicWall SSLVPN Credentials Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • DuckDuckGo Introduces Built-In YouTube Ad Blocking
  • SCMBANKER Malware Targets Mexican Banks with ClickFix Tactics
  • Fake Indian Tax Notice Distributes Dual Malware via Complex Chain
  • AI Coding Tools Trigger Security Alerts in Endpoint Systems
  • OpenMatter Joins HOL for Secure AI Standards Development

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • DuckDuckGo Introduces Built-In YouTube Ad Blocking
  • SCMBANKER Malware Targets Mexican Banks with ClickFix Tactics
  • Fake Indian Tax Notice Distributes Dual Malware via Complex Chain
  • AI Coding Tools Trigger Security Alerts in Endpoint Systems
  • OpenMatter Joins HOL for Secure AI Standards Development

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark