
Abuse of Indian Income Tax Themes to Execute Layered Attacks on Enterprises

Cybercriminals are exploiting India’s Income Tax Return (ITR) season to launch targeted phishing and malware campaigns that mimic official communications from the Income Tax Department (ITD).

Security researchers have uncovered a recent wave of fraudulent “Tax Compliance Review Notice” emails that serve as an entry point for multi-stage malware attacks targeting Indian enterprises.

These emails, though visually similar to legitimate government notices, form the foundation of a sophisticated infection chain designed to deliver Remote Access Trojans (RATs) and infostealers that maintain persistent control and exfiltrate data.

Fraudulent Tax Notices Deliver Malware

The campaign begins with spear-phishing emails crafted to appear genuine, complete with the Government of India emblem, official-looking headers, fabricated Document Identification Numbers (DINs), and strict compliance deadlines.

The email body contains no text; instead, it includes an embedded image that mimics a legitimate notice to bypass traditional spam filters.

The sender’s domain, often hosted on Outlook.com, immediately stands out as suspicious since official Indian agencies rarely use public webmail services for correspondence.

The email includes an attachment titled “Review Annexure.pdf,” which, upon inspection, contains a malicious URL leading to a fake “Income Tax Compliance Portal” hosted at hxxps://www.akjys.top/.

When victims click the link, the website does not show any legitimate login page. Instead, it automatically triggers the download of a file named “Review Annexure.zip.”

The fake portal even attempts to deceive users by instructing them to turn off their antivirus software, citing compatibility issues—a tactic attackers frequently use to evade detection and ensure successful payload execution.
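The lure traits described above (tax-themed subject, sender on a public webmail domain, an image-only body, and a PDF whose only purpose is to carry a link) can be turned into a first-pass triage check. The following is an added example, not code from the article or from the researchers who analysed the campaign: it parses a message with Python's standard `email` library, scans raw PDF bytes for `/URI (...)` link annotations, and reports which traits are present. The sample message, the webmail list, the `.gov.in` allow-list and the scoring threshold are assumptions for illustration; the only indicators taken from the write-up are the `outlook.com` sender, the attachment name, and the (defanged) `hxxps://www.akjys.top/` URL.

```python
"""Triage an .eml for the Income Tax lure traits described in the article.

Added example (not the article's or the researchers' tooling). The message
built in build_sample() is constructed; only the sender domain, attachment
name and defanged URL come from the write-up.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Public webmail providers a government department would not send official
# notices from (assumed list for the example).
PUBLIC_WEBMAIL = {"outlook.com", "hotmail.com", "live.com", "gmail.com", "yahoo.com"}
# Lure vocabulary from the campaign's subject lines and display names.
TAX_THEME = re.compile(r"income\s*tax|tax\s*compliance|review\s*notice", re.I)
# Link annotations in an uncompressed PDF read:  /A << /S /URI /URI (http...) >>
# Objects inside Flate-compressed streams are invisible to this regex, so it
# is a cheap first pass, not a complete URL extractor.
PDF_URI = re.compile(rb"/URI\s*\(([^)]*)\)")


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the From: address; the display name is deliberately ignored."""
    addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    return addr.rpartition("@")[2].lower()


def body_is_image_only(msg: EmailMessage) -> bool:
    """True when the rendered body is a picture with no readable text at all."""
    visible, inline_image = "", False
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            visible += part.get_content()
        elif ctype == "text/html":
            visible += re.sub(r"<[^>]+>", " ", part.get_content())
        elif ctype.startswith("image/"):
            inline_image = True
    return inline_image and re.search(r"\w", visible) is None


def pdf_attachments(msg: EmailMessage) -> list[tuple[str, bytes]]:
    """(filename, raw bytes) for every application/pdf part."""
    return [(p.get_filename() or "unnamed.pdf", p.get_content())
            for p in msg.walk() if p.get_content_type() == "application/pdf"]


def urls_in_pdf(data: bytes) -> list[str]:
    return [m.decode("latin-1") for m in PDF_URI.findall(data)]


def triage(raw: bytes) -> dict:
    """Return the traits found and a coarse verdict (threshold is an assumption)."""
    msg = message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    pdfs = pdf_attachments(msg)
    urls = [u for _, data in pdfs for u in urls_in_pdf(data)]
    findings = []
    themed = TAX_THEME.search(f"{msg['Subject'] or ''} {msg['From'] or ''}") is not None
    if themed and domain in PUBLIC_WEBMAIL:
        findings.append(f"tax-themed mail sent from public webmail domain {domain}")
    if body_is_image_only(msg):
        findings.append("body is an image with no readable text")
    for name, _ in pdfs:
        findings.append(f"PDF attachment {name!r}")
    for u in urls:
        host = urlsplit(u).hostname or ""
        if not host.endswith(".gov.in"):  # assumed allow-list for ITD portals
            findings.append(f"PDF links to non-government host {host} ({u})")
    return {"sender_domain": domain, "urls": urls, "findings": findings,
            "verdict": "suspicious" if len(findings) >= 3 else "review"}


def build_sample() -> bytes:
    """Constructed lure mirroring the article: image-only body, PDF with a link."""
    # Minimal uncompressed PDF fragment carrying one link annotation; the URL
    # is kept defanged exactly as the write-up quotes it.
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (hxxps://www.akjys.top/) >> >> endobj\n%%EOF\n")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # placeholder image bytes
    msg = EmailMessage()
    msg["From"] = "Income Tax Department <itd.compliance.cell@outlook.com>"
    msg["To"] = "accounts@example-enterprise.in"
    msg["Subject"] = "Tax Compliance Review Notice"
    msg.set_content('<img src="cid:notice@example">', subtype="html")
    msg.add_related(png, "image", "png", cid="<notice@example>")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="Review Annexure.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample())["findings"]:
        print("-", line)
```

Run against a real `.eml` by replacing `build_sample()` with the file's bytes. The `/URI` regex is the weak point: a PDF that stores its annotation inside a compressed object stream will show no URLs, so treat an empty `urls` list on a PDF-bearing tax notice as "unknown", not "clean".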

Multi-Stage Infection and Persistent Remote Access

Once extracted, the ZIP file contains an NSIS installer named “setup_Ir5swQ3EpeuBpePEpew=.exe,” which is digitally signed by a Chinese company, Hengshui Shenwei Technology Co., Ltd.

This first-stage installer silently drops additional files and launches a secondary executable with the same name, signed by Shandong Anzai Information Technology Co., Ltd.

The second-stage installer, disguised as a Chinese application, deploys numerous binaries, DLLs, and drivers in the directory "C:\Program Files\Common Files\NSEC." When combined, these components function as a full-featured RAT rather than a legitimate software package.

The malware achieves persistence by creating a Windows service named “Windows Real-time Protection Service,” which automatically executes a component called NSecRTS.exe.

Infection Chain of the Attack

According to Seqrite's analysis, the service collects system and application data and communicates with multiple command-and-control servers, including 154.91.84.3, 45.113.192.102, and 103.235.46.102, using non-standard ports such as 48991 and 48992.
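The persistence and C2 artifacts in the two sections above (the `setup_...=.exe` NSIS dropper, the service named "Windows Real-time Protection Service" running `NSecRTS.exe` from the NSEC directory, and the listed C2 addresses and ports) are concrete enough to hunt for in endpoint telemetry. The block below is an added example, not the researchers' detection content: it runs three rules over constructed JSON-lines events shaped like Sysmon process-create (ID 1) and network-connect (ID 3) records and System log service-install (ID 7045) records. Host names, file paths under `Users`, the benign events and the "`=` in an executable name" heuristic are assumptions for the illustration; the service name, drop directory, binary name, IPs and ports are the indicators quoted in the article.

```python
"""Hunt constructed Windows telemetry for the NSEC RAT's persistence and C2.

Added example, not the researchers' tooling. SAMPLE is hand-made JSON lines
in the shape of Sysmon (EventID 1, 3) and System 7045 records; everything
in it is invented except the IOCs quoted from the article.
"""
import json
import re
from collections import defaultdict

C2_ADDRS = {"154.91.84.3", "45.113.192.102", "103.235.46.102"}
C2_PORTS = {48991, 48992}
DROP_DIR = re.compile(r"^C:\\Program Files\\Common Files\\NSEC\\", re.I)
SERVICE_NAME = "windows real-time protection service"
# The dropper is named setup_<base64-looking text>=.exe; an '=' inside an
# executable's name is the heuristic (an assumption, not from the article).
DROPPER_NAME = re.compile(r"\\setup_[A-Za-z0-9+/]+=*\.exe$", re.I)


def rule_service(ev: dict):
    """7045: service installed from the drop dir, or with the RAT's service name."""
    if ev.get("EventID") != 7045:
        return None
    path = ev.get("ImagePath", "").strip().strip('"')
    if DROP_DIR.match(path):
        return f"service '{ev.get('ServiceName')}' installed from drop dir: {path}"
    if ev.get("ServiceName", "").strip().lower() == SERVICE_NAME:
        return f"service name mimics Windows protection: {path}"
    return None


def rule_netconn(ev: dict):
    """Sysmon 3: outbound connection to a known C2 address or C2 port."""
    if ev.get("EventID") != 3:
        return None
    ip, port = ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0))
    if ip in C2_ADDRS:
        return f"{ev.get('Image')} connected to known C2 {ip}:{port}"
    if port in C2_PORTS:
        return f"{ev.get('Image')} connected to C2 port {port} on {ip}"
    return None


def rule_dropper(ev: dict):
    """Sysmon 1: execution of an NSIS-style setup_<base64>=.exe dropper."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "")
    return f"NSIS-style dropper executed: {image}" if DROPPER_NAME.search(image) else None


RULES = (rule_service, rule_netconn, rule_dropper)


def hunt(lines) -> dict:
    """Map each host to the findings its events produced (hosts with none are omitted)."""
    hits = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits[ev.get("Computer", "?")].append(finding)
    return dict(hits)


# Constructed telemetry: one infected finance workstation and one clean host.
SAMPLE = r"""
{"EventID": 1, "Computer": "FIN-WS-07", "Image": "C:\\Users\\priya\\Downloads\\Review Annexure\\setup_Ir5swQ3EpeuBpePEpew=.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7045, "Computer": "FIN-WS-07", "ServiceName": "Windows Real-time Protection Service", "ImagePath": "\"C:\\Program Files\\Common Files\\NSEC\\NSecRTS.exe\"", "StartType": "auto start"}
{"EventID": 3, "Computer": "FIN-WS-07", "Image": "C:\\Program Files\\Common Files\\NSEC\\NSecRTS.exe", "DestinationIp": "154.91.84.3", "DestinationPort": "48991"}
{"EventID": 3, "Computer": "FIN-WS-07", "Image": "C:\\Program Files\\Common Files\\NSEC\\NSecRTS.exe", "DestinationIp": "203.0.113.9", "DestinationPort": "48992"}
{"EventID": 3, "Computer": "HR-WS-02", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "142.250.77.46", "DestinationPort": "443"}
{"EventID": 7045, "Computer": "HR-WS-02", "ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe", "StartType": "auto start"}
"""

if __name__ == "__main__":
    for host, findings in hunt(SAMPLE.splitlines()).items():
        print(host)
        for f in findings:
            print("  -", f)
```

The second FIN-WS-07 connection goes to an address that is not in the published list but uses port 48992, which is why the port rule exists alongside the address rule: C2 addresses rotate faster than the operator's port conventions. Feed real exports by replacing `SAMPLE` with lines read from a Sysmon/System forwarder that emits one JSON object per event.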

The campaign’s code-signing, language artifacts, and compile-time details collectively indicate a China-linked development environment.

This operation demonstrates how familiar tax-related themes are being repurposed into highly coordinated phishing campaigns that can evolve from a simple compliance scam into a full-scale remote-access intrusion targeting Indian enterprises.


The post Abuse of Indian Income Tax Themes to Execute Layered Attacks on Enterprises appeared first on Cyber Security News.
