SideWinder APT Hackers Attacking Indian Entities by Masquerading as the Income Tax Department of India

The campaign is run by the SideWinder advanced persistent threat group and aims to plant a silent Windows backdoor on victim machines.

Once active, the malware can steal files, capture data and give remote control to the attacker.

Each attack starts with a tax-themed email that urges the victim to review an inspection document.

The message includes a surl.li link that leads to a fake tax portal at gfmqvip.vip, which copies the look of the real Income Tax site.

Phishing Email Impersonating the Income Tax Department of India (Source - Zscaler)

The portal then pushes an Inspection.zip file that is stored on store10.gofile.io.

Zscaler analysts identified this chain while hunting for odd surl.li traffic inside large Indian networks.

They saw users move from the short link to the fake tax page, download Inspection.zip and then connect out to known SideWinder servers.

Their work shows how a simple-looking tax email can lead to long-term access inside sensitive Indian systems. The downloaded Inspection.zip archive holds three key files, and it is where the technical breakdown of the chain begins.

It contains a legitimately signed Microsoft Defender binary, SenseCE.exe, renamed to Inspection Document Review.exe; a malicious MpGear.dll library; and a decoy certificate file, DMRootCA.crt.

Income Tax Department of India Phishing Page (Source - Zscaler)

When the user runs the “review” program, Windows loads MpGear.dll from the same folder, a DLL side-loading trick that lets attacker code run inside a trusted, signed process.

Checks

Before contacting the command server, MpGear.dll checks that the host is a real target and not a sandbox.

Victim Timezone Checks for Advanced Geofencing (Source - Zscaler)

It calls timeapi.io and worldtimeapi.org to read the host's time zone and only continues if the value matches a South Asian zone such as UTC+5:30.

A typical config file can look like this:

C2=180.178.56.230

It also sleeps for about three and a half minutes to evade quick scans and looks at running processes before loading the next stage from the internet.

In the final stage, MpGear.dll reaches out to 8.217.152.225 to fetch a small loader called 1bin, drops a resident agent mysetup.exe in the C: folder, and writes a control file like YTSysConfig.ini that stores the command server 180.178.56.230 and other flags.
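The indicators above (short link, fake portal, gofile download, time-API geofence lookup, stage-2 host and C2) form an ordered chain, which is what a defender can correlate per source host. The following is an added example, not Zscaler's or the article's own code; it parses constructed proxy log lines (timestamp, client IP, destination host, URI) and reports how far along the chain each client got. The log format and sample URIs are assumptions.

```python
import re
from collections import defaultdict

# Indicators quoted in the write-up above, in the order the chain unfolds.
STAGES = [
    ("shortlink",  {"surl.li"}),
    ("phish_site", {"gfmqvip.vip"}),
    ("payload",    {"store10.gofile.io"}),
    ("timecheck",  {"timeapi.io", "worldtimeapi.org"}),   # benign API, used for geofencing
    ("stage2",     {"8.217.152.225"}),                   # serves the "1bin" loader
    ("c2",         {"180.178.56.230"}),                  # C2 stored in YTSysConfig.ini
]

# Assumed log format: "<iso-timestamp> <client-ip> <dest-host> [<uri>]".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+)(?: (?P<uri>\S+))?$")

def stage_of(host):
    """Map a destination host to the chain stage it belongs to, or None."""
    for name, hosts in STAGES:
        if host.lower() in hosts:
            return name
    return None

def correlate(lines):
    """Return {client_ip: [stages seen, in first-seen order]} for clients touching any indicator."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        st = stage_of(m.group("host"))
        if st and st not in seen[m.group("src")]:
            seen[m.group("src")].append(st)
    return dict(seen)

def verdict(stages):
    """Severity depends on the deepest stage: time-API lookups alone are benign."""
    s = set(stages)
    if s & {"stage2", "c2"}:
        return "likely compromised"
    if "payload" in s:
        return "suspicious"
    if s & {"shortlink", "phish_site"}:
        return "lure contact"
    return "clean"

def assess(log_text):
    """Return {client_ip: (stages, verdict)} for a block of log lines."""
    return {src: (st, verdict(st)) for src, st in correlate(log_text.splitlines()).items()}

# Constructed sample log: one full chain, one benign time lookup, one lure click.
SAMPLE_LOG = """\
2025-06-01T09:00:01Z 10.1.1.20 surl.li /x1
2025-06-01T09:00:05Z 10.1.1.20 gfmqvip.vip /login
2025-06-01T09:00:40Z 10.1.1.20 store10.gofile.io /download/Inspection.zip
2025-06-01T09:01:10Z 10.1.1.20 timeapi.io /api/timezone
2025-06-01T09:04:50Z 10.1.1.20 8.217.152.225 /1bin
2025-06-01T09:05:02Z 10.1.1.20 180.178.56.230 /
2025-06-01T09:02:00Z 10.1.1.31 worldtimeapi.org /api/ip
2025-06-01T09:02:30Z 10.1.1.42 surl.li /y2
"""
```

Running `assess(SAMPLE_LOG)` flags 10.1.1.20 as likely compromised, 10.1.1.42 as a lure click worth a phishing follow-up, and leaves the lone time-API lookup from 10.1.1.31 clean.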
