Phishing Scam Targets Indian Firms with Fake Income Tax Emails Using Advanced Malware Techniques

Cybercriminals Impersonate India’s Income Tax Department in Sophisticated Phishing Campaign

In November 2025, a highly sophisticated phishing campaign emerged, targeting Indian companies by masquerading as the Income Tax Department of India. This operation utilized authentic-looking government communication templates, bilingual messaging in Hindi and English, and references to specific sections of the Income Tax Act to enhance credibility and urgency.

The fraudulent emails alerted recipients to alleged tax discrepancies, demanding the submission of documents within 72 hours. This tactic leveraged psychological pressure to compel users to open malicious attachments.

Infection Mechanism:

The attack employed a two-stage malware delivery system:

1. Initial Delivery: Phishing emails were sent from legitimate QQ.com email accounts, so they passed SPF, DKIM, and DMARC authentication checks (which confirm only that the mail genuinely came from QQ.com, not that the sender is the tax department) and slipped past traditional email security filters. The emails carried password-protected ZIP files, preventing antivirus engines from scanning their contents in transit.

2. Payload Execution: Once extracted with the password supplied in the email, the ZIP files revealed executable files named NeededDocuments. These executables contained shellcode that ran through regsvr32 proxy loading, a fileless technique in which the legitimate regsvr32 utility loads a hidden DLL directly into memory, so no file is written to disk for signature-based scanners to inspect.

The shellcode established persistence mechanisms, harvested stored credentials from the victim’s system, and opened communication channels to remote command servers associated with AsyncRAT infrastructure. Some variants used Google Docs as a trusted hosting platform for the second stage, exploiting the inherent trust placed in legitimate cloud services by corporate security filters.
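The report's point is that the messages authenticated cleanly yet were inconsistent in other ways. As an added example (not code from the article or from Raven), the following Python gateway-triage heuristic scores constructed sample records on exactly those inconsistencies: a display name claiming the tax department while the authenticated sender domain is qq.com, a password-protected archive whose password is in the body, and a deadline. The trusted-domain list, the sample messages and the password value are assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class MailRecord:
    """Metadata a mail gateway has for a message after SPF/DKIM/DMARC evaluation."""
    from_display: str
    from_domain: str
    auth_pass: bool            # True when SPF, DKIM and DMARC all passed
    subject: str
    body: str
    attachments: list          # list of (filename, is_password_protected_archive)

# Assumed for this example: domains the impersonated agency legitimately mails from.
TRUSTED_SENDER_DOMAINS = {"incometax.gov.in"}
IMPERSONATED_TERMS = ("income tax", "आयकर")          # English and Hindi forms
URGENCY_RE = re.compile(r"\bwithin\s+\d{1,3}\s+hours\b", re.I)
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)?\s*\S+", re.I)

def triage(msg: MailRecord) -> list:
    """Return the reasons a message deserves quarantine, even when it authenticated."""
    reasons = []
    if not msg.auth_pass:
        reasons.append("failed sender authentication")
    claims_agency = any(t in msg.from_display.lower() for t in IMPERSONATED_TERMS)
    if claims_agency and msg.from_domain.lower() not in TRUSTED_SENDER_DOMAINS:
        # Passing DMARC proves the mail came from msg.from_domain, nothing more.
        reasons.append(f"display name claims tax department, sender domain is {msg.from_domain}")
    if any(protected for _, protected in msg.attachments) and PASSWORD_RE.search(msg.body):
        reasons.append("password-protected archive with its password in the body")
    if URGENCY_RE.search(msg.body):
        reasons.append("deadline pressure in body")
    return reasons

# Constructed sample records (not real messages from the campaign).
PHISH = MailRecord(
    from_display="Income Tax Department of India", from_domain="qq.com", auth_pass=True,
    subject="Notice regarding tax discrepancy",
    body="Submit the requested documents within 72 hours. The archive password is Tax2025.",
    attachments=[("NeededDocuments.zip", True)],
)
LEGIT = MailRecord(
    from_display="Income Tax Department", from_domain="incometax.gov.in", auth_pass=True,
    subject="Acknowledgement of filing",
    body="Your return has been received. No action is required.",
    attachments=[("acknowledgement.pdf", False)],
)

if __name__ == "__main__":
    for name, rec in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(rec))
```

Both samples pass authentication; only the impersonating one accumulates reasons, which is the distinction a gateway relying on SPF/DKIM/DMARC alone would miss.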

Targeted Sectors:

The campaign specifically targeted securities firms, financial companies, and non-banking financial corporations that regularly exchange regulatory documents with government agencies.

Detection and Prevention:

Raven security analysts identified the previously unseen phishing campaign by recognizing multiple layers of inconsistency within the attack structure, ultimately preventing widespread infection across the targeted organizations.