Suspected China-linked hackers target Indian taxpayers with tax-themed malware campaign

by

A suspected China-nexus threat group targeted Indian taxpayers, tax professionals and corporate finance teams in a campaign first seen on May 18, 2026, using spear-phishing emails and a remote access trojan to steal sensitive data, according to a technical analysis by Seqrite Labs.

KEY FACTS

  • Campaign name Operation DragonReturn.
  • Targeting Indian taxpayers, tax professionals and finance teams.
  • Lure Emails impersonated the Income Tax Department and used penalty warnings.
  • Payload The attack chain delivered DCRat and a second payload for screenshots and data theft.

The activity lined up with India’s annual income tax filing season. The phishing emails pushed recipients to click a malicious link inside PDF attachments, which led to a fake landing page that prompted a ZIP download.

The archive was set up to sideload a malicious DLL and inject another payload into memory. The malware also checked for sandboxed or analysis environments, sought elevated privileges, and used a JPG file as a container for a secondary payload.

Seqrite said the malware then copied itself as Mixed Reality.exe and created a Windows service called MixedSvc for persistence. The binary deployed a .NET loader that disabled Windows AMSI scanning and decrypted DCRat, while a second payload handled screenshots and exfiltration to a remote server.

The report said infrastructure overlaps pointed to ChinaNet IP addresses and a Chinese-language web management panel exposed by a command-and-control server. It also noted tactical similarities with Silver Fox, a group previously tied to tax-themed phishing campaigns that delivered ValleyRAT.

WHY IT MATTERS

The campaign shows how tax season lures can be used to target people handling financial records and sensitive identity data. The use of multi-stage loaders, persistence and anti-analysis features can make detection and removal more difficult.