Hackers Using Fake Income Tax Department’s Notice to Deploy Malware

A new phishing campaign is actively targeting Indian taxpayers and businesses by impersonating the Income Tax Department of India.

Threat actors have built convincing fake websites that look nearly identical to official government portals, using urgent language to pressure victims into downloading malware-laced files without hesitation.

The attack relies on a fraudulent website displaying the label “Official Tax Notice – Income Tax Department, India.” Unsuspecting users who land on this page are presented with what appears to be a legitimate government notice.

The site prompts visitors to click a button labeled “DOWNLOAD ASSESSMENT ORDER & WORKINGS,” which immediately delivers a malicious archive file to the victim’s computer instead of any real government document.

MalwareHunterTeam researchers identified and flagged the malicious domain zyisykm[.]shop on April 27, 2026, bringing even wider attention to this active threat. The post gained significant traction, accumulating over 2,700 views within hours of publication.

Their findings were quickly corroborated when security researcher Szabolcs Schmidt (@smica83) uploaded the sample delivered by the site to the MalwareBazaar threat repository at bazaar.abuse.ch, confirming that the download button was actively serving malicious content to visitors.

The impact of this campaign is significant because it takes advantage of the natural anxiety taxpayers feel around compliance deadlines. Many recipients, especially those with limited technical knowledge, are likely to believe that a government-branded notice carries real authority.

This psychological pressure makes them far more likely to follow instructions and download files without question, which is exactly what attackers are counting on. Indian individuals and businesses working in financial and corporate sectors remain at heightened risk as this type of campaign continues to spread.

This threat does not exist in isolation. Similar campaigns observed as recently as early 2026 have used fake tax emails to distribute dangerous malware families such as Blackmoon banking malware and XRed remote access trojans.

The growing frequency of these attacks during India’s tax filing season shows that cybercriminals deliberately time their operations to exploit periods of financial stress and regulatory urgency.

How the Infection Chain Works

Understanding how this attack unfolds from start to finish helps explain why it remains so effective. The attack begins when a victim receives a phishing email or visits a spoofed website carrying official government branding, complete with fabricated reference numbers, compliance deadlines, and official-sounding language designed to create urgency.

The victim is then directed to click a download button, which immediately fetches a malicious ZIP archive onto their device.

Once the victim extracts the downloaded ZIP file, they find an executable inside. This file is often an NSIS-based silent dropper, a type of installer that quietly unpacks and installs multiple malicious components in the background while the victim notices nothing suspicious.

As seen in related campaigns analyzed by security researchers, these droppers have been known to install Remote Access Trojans (RATs) and infostealers capable of harvesting sensitive data, logging keystrokes, and connecting back to attacker-controlled command-and-control servers for further instructions.

To make the deception complete, attackers include fake instructions inside the malicious package asking users to disable their antivirus software before running the file, claiming it is required to use the “Income Tax Department client”.

This is a well-known social engineering trick that removes the last line of defense before the malware fully executes on the target system.
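A defender can triage a downloaded archive of this kind without extracting or running it. The following is an added example, not code from the original article or the researchers it cites: it reads a ZIP in memory, flags members that are Windows executables by their `MZ` header, and marks those carrying the NSIS installer header marker. The member names and sample bytes are constructed placeholders, not the campaign's actual files.

```python
import io
import zipfile

# NSIS "firstheader" marker: 0xDEADBEEF (little-endian) followed by "NullsoftInst".
NSIS_MARKER = b"\xef\xbe\xad\xde" + b"NullsoftInst"
MAX_BYTES = 64 * 1024 * 1024  # per-member read limit (guards against zip bombs)


def classify(body: bytes) -> str:
    """Classify one archive member by content, not by file name or extension."""
    if body[:2] != b"MZ":  # DOS/PE executables start with "MZ"
        return "not-executable"
    return "nsis-installer" if NSIS_MARKER in body else "pe-executable"


def triage_zip(data: bytes) -> dict[str, str]:
    """Map member name -> verdict without extracting to disk or running anything."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: contents cannot be inspected
                verdicts[info.filename] = "encrypted"
                continue
            with zf.open(info) as fh:
                body = fh.read(MAX_BYTES)
            verdicts[info.filename] = classify(body)
    return verdicts


def build_sample() -> bytes:
    """Constructed sample: harmless bytes that only mimic the file signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Assessment_Order.exe", b"MZ" + b"\x00" * 512 + NSIS_MARKER)
        zf.writestr("Workings.pdf.exe", b"MZ" + b"\x00" * 512)
        zf.writestr("README.txt", b"constructed placeholder text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in triage_zip(build_sample()).items():
        print(f"{verdict:15} {name}")
```

Any executable inside an archive that claims to be a tax document is reason enough to quarantine the file; the NSIS verdict only tells the analyst which unpacking tools to reach for next.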

Users who receive unsolicited tax notices by email or encounter unfamiliar websites claiming to represent the Income Tax Department should verify the source before downloading anything.

Always make sure to visit only the official government portal at incometax.gov.in for authentic communications. Never disable antivirus or security software based on instructions found inside any downloaded file.

Organizations should train employees to recognize phishing attempts and report suspicious emails to their IT teams immediately. If you believe your device has been compromised, isolate it from the network and contact a qualified cybersecurity professional right away.


The post Hackers Using Fake Income Tax Department’s Notice to Deploy Malware appeared first on Cyber Security News.

