A newly identified cyberattack campaign is actively exploiting trust in India’s tax system to infect computers with advanced malware designed for long-term surveillance and data theft. The operation relies on carefully crafted phishing emails that impersonate official tax communications and has been assessed as potentially espionage-driven, though no specific hacking group has been confirmed.
The attack begins with emails that appear to originate from the Income Tax Department of India. These messages typically warn recipients about penalties, compliance issues, or document verification, creating urgency and fear. Victims are instructed to open an attached compressed file, believing it to be an official notice.
Once opened, the attachment initiates a hidden infection process. Although the archive contains several components, only one file is visible to the user. This file is disguised as a legitimate inspection or review document. When executed, it quietly loads a concealed malicious system file that operates without the user’s awareness.
This hidden component performs checks to ensure it is not being examined by security analysts and then connects to an external server to download additional malicious code. The next stage exploits a Windows system mechanism to gain administrative privileges without triggering standard security prompts, allowing the attackers deeper control over the system.
To further avoid detection, the malware alters how it identifies itself within the operating system, making it appear as a normal Windows process. This camouflage helps it blend into everyday system activity.
The attackers then deploy another installer that adapts its behavior based on the victim’s security setup. If a widely used antivirus program is detected, the malware does not shut it down. Instead, it simulates user actions, such as mouse movements, to quietly instruct the antivirus to ignore specific malicious files. This allows the attack to proceed while the security software remains active, reducing suspicion.
At the core of the operation is a modified banking-focused malware strain known for targeting organizations across multiple countries. Alongside it, attackers install a legitimate enterprise management tool originally designed for system administration. In this campaign, the software is misused to remotely control infected machines, monitor user behavior, and manage stolen data centrally.
Supporting files are also deployed to strengthen control. These include automated scripts that change folder permissions, adjust user access rights, clean traces of activity, and enable detailed logging. A coordinating program manages these functions to ensure the attackers maintain persistent access.
Researchers note that the campaign combines deception, privilege escalation, stealth execution, and abuse of trusted software, reflecting a high level of technical sophistication and clear intent to maintain prolonged visibility into compromised systems.
