Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Fake Indian Tax Notice Distributes Dual Malware via Complex Chain

Fake Indian Tax Notice Distributes Dual Malware via Complex Chain

Posted on July 8, 2026 By CWS

A recent cybersecurity threat has emerged involving fake Indian tax notices that deceive users into installing two different remote access trojans (RATs) on their systems. This malicious campaign masquerades as a legitimate communication from the Income Tax Department, coercing victims through fear of penalties into downloading harmful software.

Deceptive Tactics and Multi-Stage Execution

The attackers have crafted a six-stage infection process that culminates in the deployment of two RATs, functioning independently within the system memory. Each trojan is linked to its own command server, providing the attackers with redundancy in case one connection is terminated. This level of sophistication highlights the calculated planning behind the attack, setting it apart from standard phishing schemes.

Security experts first detected this operation when it targeted Indian users with government-themed bait. According to a report by Cyderes shared with Cyber Security News, the entire technical sequence was traced, from the initial fake notice to the final malicious payloads operating within legitimate system processes.

Authenticity in Deception

To enhance the credibility of their scam, the attackers used realistic government branding, referencing ministries like the Ministry of Finance and the Enforcement Division. This made the fake tax notice appear genuine. Upon clicking through, victims are led to a counterfeit Microsoft verification page before encountering any malware, an additional trust-building step that increases the campaign’s effectiveness against unsuspecting users.

The attack initiates on fraudulent websites mimicking the Indian Income Tax Department, each featuring an “/incometax” URL path and a fabricated compliance notice. The false message warns of a tax law violation, urging document submission within 72 hours to avoid penalties. Clicking “Download Documents” redirects users to a page designed as a “Microsoft Edge Secure Gateway,” performing fake security checks before downloading a ZIP file.

Technical Breakdown and Recommendations

The downloaded archive, named Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip, contains a legitimate signed executable and a malicious DLL, nvdaHelperRemote.dll. The executable unwittingly loads the malicious DLL due to Windows DLL search order abuse, allowing the malware entry into the system.

Following this, the attack progresses through several stages involving privilege escalation and the establishment of a persistence service disguised as “Windows Mixed Reality Service.” The malware further retrieves a file masquerading as a JPEG image, which conceals encrypted payloads, bypassing casual inspection by exploiting polyglot file techniques.

In the final stages, the malware injects two payloads into svchost.exe processes in every active user session, ensuring persistence across user switches. The final implants include a Gh0st RAT derivative, capable of screen capture, and a .NET-based implant from the Quasar or AsyncRAT family, which manipulates the Antimalware Scan Interface prior to execution.

Conclusion and Security Measures

The use of separate communication channels for each RAT ensures that blocking one does not terminate the intrusion. Common detection artifacts, such as staged services and named global events, provide a quick path for response teams to identify and contain breaches. Recommended detection strategies involve monitoring for signed binaries loading unsigned DLLs, unusual service creations, AMSI tampering, and svchost.exe process injections from unanticipated sources.

Given the stealthy nature of this malware, which utilizes in-memory execution and signed binary exploitation, comprehensive defenses and proactive threat hunting are crucial. Relying solely on detection systems may not suffice to prevent escalation.

Cyber Security News Tags:cyber attack, cyber threat, Cybersecurity, dual malware, Indian tax notice, ITR notice, Malware, Phishing, RAT, security breach

Post navigation

Previous Post: AI Coding Tools Trigger Security Alerts in Endpoint Systems

Related Posts

Multiple vtenext Vulnerabilities Let Attackers Bypass Authentication and Execute Remote Codes Multiple vtenext Vulnerabilities Let Attackers Bypass Authentication and Execute Remote Codes Cyber Security News
AWS Declares Major Outage Resolved After Nearly 24 Hours of Disruption AWS Declares Major Outage Resolved After Nearly 24 Hours of Disruption Cyber Security News
Fog Ransomware Actors Exploits Pentesting Tools to Exfiltrate Data and Deploy Ransomware Fog Ransomware Actors Exploits Pentesting Tools to Exfiltrate Data and Deploy Ransomware Cyber Security News
Mystery OAST With Exploit for 200 CVEs Leveraging Google Cloud to Launch Attacks Mystery OAST With Exploit for 200 CVEs Leveraging Google Cloud to Launch Attacks Cyber Security News
Hackers Target SolarWinds Vulnerability to Deploy Tools Hackers Target SolarWinds Vulnerability to Deploy Tools Cyber Security News
Chrome 143 Released With Fix for 13 Vulnerabilities that Enables Arbitrary Code Execution Chrome 143 Released With Fix for 13 Vulnerabilities that Enables Arbitrary Code Execution Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Fake Indian Tax Notice Distributes Dual Malware via Complex Chain
  • AI Coding Tools Trigger Security Alerts in Endpoint Systems
  • OpenMatter Joins HOL for Secure AI Standards Development
  • Accenture Concedes Data Breach Amid Hacker Allegations
  • HalluSquatting Attack Threatens AI Coding Assistants

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Fake Indian Tax Notice Distributes Dual Malware via Complex Chain
  • AI Coding Tools Trigger Security Alerts in Endpoint Systems
  • OpenMatter Joins HOL for Secure AI Standards Development
  • Accenture Concedes Data Breach Amid Hacker Allegations
  • HalluSquatting Attack Threatens AI Coding Assistants

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark