A recent cybersecurity threat has emerged involving fake Indian tax notices that deceive users into installing two different remote access trojans (RATs) on their systems. This malicious campaign masquerades as a legitimate communication from the Income Tax Department, coercing victims through fear of penalties into downloading harmful software.
Deceptive Tactics and Multi-Stage Execution
The attackers have crafted a six-stage infection process that culminates in the deployment of two RATs, functioning independently within the system memory. Each trojan is linked to its own command server, providing the attackers with redundancy in case one connection is terminated. This level of sophistication highlights the calculated planning behind the attack, setting it apart from standard phishing schemes.
Security experts first detected this operation when it targeted Indian users with government-themed bait. According to a report by Cyderes shared with Cyber Security News, the entire technical sequence was traced, from the initial fake notice to the final malicious payloads operating within legitimate system processes.
Authenticity in Deception
To enhance the credibility of their scam, the attackers used realistic government branding, referencing ministries like the Ministry of Finance and the Enforcement Division. This made the fake tax notice appear genuine. Upon clicking through, victims are led to a counterfeit Microsoft verification page before encountering any malware, an additional trust-building step that increases the campaign’s effectiveness against unsuspecting users.
The attack initiates on fraudulent websites mimicking the Indian Income Tax Department, each featuring an “/incometax” URL path and a fabricated compliance notice. The false message warns of a tax law violation, urging document submission within 72 hours to avoid penalties. Clicking “Download Documents” redirects users to a page designed as a “Microsoft Edge Secure Gateway,” performing fake security checks before downloading a ZIP file.
Technical Breakdown and Recommendations
The downloaded archive, named Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip, contains a legitimate signed executable and a malicious DLL, nvdaHelperRemote.dll. The executable unwittingly loads the malicious DLL due to Windows DLL search order abuse, allowing the malware entry into the system.
Following this, the attack progresses through several stages involving privilege escalation and the establishment of a persistence service disguised as “Windows Mixed Reality Service.” The malware further retrieves a file masquerading as a JPEG image, which conceals encrypted payloads, bypassing casual inspection by exploiting polyglot file techniques.
In the final stages, the malware injects two payloads into svchost.exe processes in every active user session, ensuring persistence across user switches. The final implants include a Gh0st RAT derivative, capable of screen capture, and a .NET-based implant from the Quasar or AsyncRAT family, which manipulates the Antimalware Scan Interface prior to execution.
Conclusion and Security Measures
The use of separate communication channels for each RAT ensures that blocking one does not terminate the intrusion. Common detection artifacts, such as staged services and named global events, provide a quick path for response teams to identify and contain breaches. Recommended detection strategies involve monitoring for signed binaries loading unsigned DLLs, unusual service creations, AMSI tampering, and svchost.exe process injections from unanticipated sources.
Given the stealthy nature of this malware, which utilizes in-memory execution and signed binary exploitation, comprehensive defenses and proactive threat hunting are crucial. Relying solely on detection systems may not suffice to prevent escalation.
