A recent cyberattack has emerged, targeting individuals in India with fraudulent Income Tax Return (ITR) notices. This campaign employs a six-stage infection process to deploy two separate Remote Access Trojans (RATs) on victims’ systems, granting attackers extensive control and persistence.
The attack begins with emails that mimic official communications from the Indian Income Tax Department. These messages allege tax law violations and urge recipients to download documents to rectify the issue. Clicking the provided link redirects users to a counterfeit Microsoft verification page, which appears to perform security checks before initiating a download.
The downloaded file is a ZIP archive named ‘Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip.’ Within this archive are a legitimate, signed executable and a malicious DLL file named ‘nvdaHelperRemote.dll.’ This setup exploits the DLL search order in Windows, causing the legitimate executable to load the malicious DLL, thereby initiating the infection.
Once executed, the malware escalates privileges by prompting the user with a User Account Control (UAC) dialog. It then installs a persistence mechanism disguised as the ‘Windows Mixed Reality Service.’ Subsequently, the malware retrieves a file from its command-and-control server that appears to be a JPEG image but contains encrypted payloads appended to the image data. This technique allows the file to bypass basic security checks that only inspect file headers.
The final stages of the infection involve reflective loading, where the malware injects code directly into memory without writing to disk, making detection more challenging. Ultimately, two separate RATs are deployed, each connecting to its own command-and-control server. This redundancy ensures continued access even if one connection is disrupted.
This attack underscores the increasing sophistication of cyber threats targeting Indian users. By leveraging trusted government communications and advanced evasion techniques, attackers can effectively compromise systems and maintain prolonged access. Users should exercise caution with unsolicited emails, especially those prompting downloads or requesting sensitive information. Implementing robust security measures, such as endpoint detection and response solutions, can help mitigate the risks associated with such complex malware campaigns.