A recent cyberattack has been identified targeting Indian taxpayers and financial professionals, orchestrated by a suspected China-aligned threat group. The attackers aim to deploy a remote access trojan (RAT) to steal sensitive information from compromised systems.
Phishing Tactics and Campaign Details
Named Operation DragonReturn, this multi-stage attack, which began on May 18, 2026, leverages spear-phishing techniques. The perpetrators impersonate the Indian Income Tax Department, particularly during the tax filing season, to trick recipients into downloading malicious software.
Security experts Dixit Panchal and Soumen Burma highlighted the sophistication of the attacks, noting the use of authentic legal references and bilingual content to enhance credibility. The campaign is described as a focused and well-resourced operation targeting the Indian tax ecosystem.
Malware Deployment and Technical Analysis
The attack chain initiates with fraudulent emails containing a PDF attachment, urging recipients to rectify supposed tax violations by clicking on a deceptive link. Victims are then directed to a fake landing page that prompts the download of a ZIP file, which masquerades as a legitimate tax filing utility.
Upon execution, this utility sideloads malicious DLL files to infiltrate the system. These files execute further payloads designed to bypass security measures and establish persistent access, thereby enabling long-term data theft.
Link to Chinese Cybercrime and Future Implications
Seqrite Labs identified connections between this campaign and known Chinese cybercriminal groups, particularly through the use of Chinese infrastructure and language in the command-and-control servers. Similarities with previous tax-themed phishing campaigns suggest a coordinated effort by China-aligned threat actors.
In light of these findings, the cybersecurity community remains vigilant, urging organizations and individuals to enhance protective measures against such sophisticated cyber threats. The ongoing analysis aims to uncover further details about the actors and mitigate future risks.
Separately, LevelBlue has reported additional campaigns targeting Chinese and Japanese users, utilizing fake installers and phishing tactics to disseminate ValleyRAT, indicating a broader, region-specific cyber offensive.
