Chinese Hackers Target Indian Taxpayers with Fake Tax Utility

A cyber espionage campaign, dubbed Operation DragonReturn, has been identified targeting Indian taxpayers, tax professionals, and corporate finance teams. This operation, attributed to a suspected China-linked threat group, aims to deploy a remote access trojan (RAT) to exfiltrate sensitive data from compromised systems.

The attack initiates with spear-phishing emails impersonating India’s Income Tax Department. These emails, first detected on May 18, 2026, coincide with the country’s annual tax filing season. They leverage tax violation and penalty themes to create urgency, prompting recipients to click on a malicious link embedded within attached PDF documents.

Upon clicking the link, victims are directed to a counterfeit website resembling the official tax department portal. This site instructs users to download a ZIP archive purportedly containing an offline tax filing utility. However, this archive conceals a malicious DLL file named “nvdaHelperRemote.dll.” When executed, this DLL initiates a multi-stage infection process designed to evade detection and establish persistent access to the victim’s system.

The malware performs several actions to ensure its success:

  • It checks for administrative privileges and, if absent, prompts the user to grant elevated permissions.
  • It conducts environment checks to avoid execution in analysis or sandboxed environments.
  • It downloads a JPG image from a hardcoded server, which contains an embedded secondary payload.
  • The extracted payload is saved as “nvdaHelperRemote.dll” in the Windows Media Player directory.
  • The malware copies itself as “Mixed Reality.exe” and establishes persistence by creating a Windows service named “MixedSvc,” configured to start automatically on system boot.

Once established, the malware deploys two distinct payloads:

  1. A .NET-based loader that performs anti-analysis checks, disables Windows Antimalware Scan Interface (AMSI) scanning, and decrypts and loads DCRat—a remote access trojan.
  2. A component capable of capturing screenshots and exfiltrating data to a remote server.

Analysis of the attack infrastructure reveals connections to IP addresses associated with ChinaNet and a command-and-control server displaying a Chinese-language web management panel. These indicators suggest the involvement of a China-aligned threat actor. Further, there are overlaps with tactics and infrastructure previously linked to Silver Fox, a Chinese cybercrime group known for tax-themed phishing campaigns deploying ValleyRAT malware.

This campaign underscores the evolving sophistication of cyber threats targeting India’s financial sector. The use of culturally and contextually relevant lures, combined with advanced evasion techniques, highlights the need for heightened vigilance among individuals and organizations during critical periods like tax season. Implementing robust cybersecurity measures, conducting regular awareness training, and maintaining up-to-date systems are essential steps to mitigate such threats.