Cybercriminals have increasingly weaponized the Income Tax Return (ITR) filing season to orchestrate sophisticated phishing campaigns targeting Indian businesses.
By exploiting public anxiety surrounding tax compliance and refund timelines, attackers have crafted high-fidelity lures that mimic official government communications.
The latest wave of these attacks involves a meticulously designed infection chain that begins with a spear-phishing email and culminates in the deployment of persistent malware capable of full system compromise.
The initial attack vector is an email with the subject line “Tax Compliance Review Notice,” purportedly sent by the Income Tax Department.
A closer inspection reveals that the sender uses a suspicious Outlook[.]com address rather than an official government domain.
Notably, the email body contains no actual text; instead, it consists of a single embedded image that is visually indistinguishable from a genuine notice, which lets it slip past text-based spam filters that have nothing to inspect.
The image creates a false sense of urgency by referencing fabricated deadlines and compliance failures.
Recipients are directed to open an attachment named “Review Annexure.pdf,” which mimics a legitimate tax document. The PDF contains a malicious link that leads to a fraudulent compliance portal.
Seqrite analysts identified that this portal immediately triggers the download of a ZIP archive while instructing users to disable their antivirus software under the guise of “compatibility issues.”
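The lure has three mail-level traits that a gateway can score without seeing the payload: a tax-themed subject from a sender domain that is not a government domain, an image-only body, and a PDF attachment. The following Python is an added example (not code from the article or from Seqrite) that checks for those traits with the standard library; the allowlist of government domains, the sender and recipient addresses, and the message contents are constructed for the example and are not taken from the campaign.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Assumption for this example: genuine Income Tax Department mail originates from a
# government domain. The article only notes that the lure came from an Outlook.com address.
GOVERNMENT_DOMAINS = ("gov.in", "nic.in")
TAX_SUBJECT = re.compile(r"tax\s+compliance|income\s+tax|refund", re.IGNORECASE)


def sender_domain(msg):
    """Domain of the From address, lower-cased ('' if unparseable)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_government_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in GOVERNMENT_DOMAINS)


def visible_text_and_images(msg):
    """Collect the text a reader would see and count images in non-attachment parts."""
    chunks, images = [], 0
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            chunks.append(part.get_content())
        elif ctype == "text/html":
            html = part.get_content()
            images += len(re.findall(r"<img\b", html, re.IGNORECASE))
            chunks.append(re.sub(r"<[^>]+>", " ", html))
        elif ctype.startswith("image/"):
            images += 1
    return re.sub(r"\s+", " ", " ".join(chunks)).strip(), images


def score_itr_lure(raw_message):
    """Return a list of findings for one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    domain = sender_domain(msg)
    if TAX_SUBJECT.search(msg.get("Subject", "")) and not is_government_domain(domain):
        findings.append(f"tax-themed subject from non-government sender domain {domain!r}")
    text, images = visible_text_and_images(msg)
    if images and len(text) < 20:
        findings.append("image-only body (nothing for text-based filters to inspect)")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".pdf"):
            findings.append(f"PDF attachment {name!r}")
    return findings


def build_sample_lure():
    """Constructed sample shaped like the lure in the article (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "Income Tax Department <itd.notice@outlook.com>"  # constructed address
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Tax Compliance Review Notice"
    # The body is a single image and no text, as the article describes.
    msg.set_content('<html><body><img src="cid:notice.png"></body></html>', subtype="html")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf",
                       filename="Review Annexure.pdf")
    return msg.as_bytes()


def build_benign_sample():
    """Constructed ordinary business mail that should produce no findings."""
    msg = EmailMessage()
    msg["From"] = "Vendor Billing <billing@example.com>"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Invoice for March services"
    msg.set_content("Hello, please find the March invoice on our portal as usual. Regards.")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in score_itr_lure(build_sample_lure()):
        print("LURE:", finding)
    print("benign:", score_itr_lure(build_benign_sample()))
```

Each trait on its own is weak (plenty of marketing mail is image-only), so a real gateway rule should combine them and weight the sender-domain mismatch most heavily; the point of the image-only check is only that a message with a tax-themed subject and no inspectable text deserves a closer look rather than a pass.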
Infection Mechanism and Persistence
The technical sophistication of this campaign becomes evident once the victim engages with the downloaded payload.
The infection process utilizes a two-stage NSIS installer that unpacks multiple files to establish a foothold on the victim’s machine.
The malware does not merely steal data; it installs a persistent service named NSecRTS.exe to ensure it runs automatically in the background.
This service communicates with Command and Control (C2) servers over non-standard ports, such as 48991 and 48992, as shown in the Infection Chain of the Attack figure.
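The service name and the two C2 ports are the host-side indicators a responder would hunt for first. The Python below is an added example (not code from the article or from Seqrite) that correlates `tasklist /fo csv` and `netstat -ano` output from a Windows host: it flags any process image named NSecRTS.exe and any TCP connection to remote port 48991 or 48992, tying the connection back to the owning process by PID. The command output embedded here is constructed for the example, and the remote address 203.0.113.10 is a documentation-range placeholder, not an indicator from the campaign.

```python
import csv
import io

# Indicators named in the article.
SUSPECT_IMAGE = "nsecrts.exe"
C2_PORTS = {48991, 48992}


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def parse_netstat(text):
    """Parse TCP rows of `netstat -ano` output (Proto, Local, Foreign, State, PID)."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # header, blank, or UDP rows (UDP has no State column)
        _, local, remote, state, pid = fields
        rhost, _, rport = remote.rpartition(":")
        conns.append({"local": local, "remote_host": rhost,
                      "remote_port": int(rport), "state": state, "pid": int(pid)})
    return conns


def hunt(netstat_text, tasklist_text):
    """Return findings for the NSecRTS.exe process and connections to the C2 ports."""
    procs = parse_tasklist_csv(tasklist_text)
    findings = []
    for pid, image in procs.items():
        if image.lower() == SUSPECT_IMAGE:
            findings.append(f"process {image} running as PID {pid}")
    for c in parse_netstat(netstat_text):
        if c["remote_port"] in C2_PORTS:
            image = procs.get(c["pid"], "<unknown>")
            findings.append(f"PID {c['pid']} ({image}) {c['state']} to "
                            f"{c['remote_host']}:{c['remote_port']}")
    return findings


# Constructed sample output; the infected-host rows are invented for the example.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","1032","Services","0","12,344 K"
"NSecRTS.exe","4120","Services","0","8,120 K"
"chrome.exe","5260","Console","1","210,004 K"
'''

SAMPLE_NETSTAT = '''
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49700         142.250.0.1:443        ESTABLISHED     5260
  TCP    10.0.0.5:49812         203.0.113.10:48991     ESTABLISHED     4120
  TCP    10.0.0.5:49813         203.0.113.10:48992     SYN_SENT        4120
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  UDP    0.0.0.0:500            *:*                                    1032
'''

if __name__ == "__main__":
    for finding in hunt(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("HIT:", finding)
```

A connection to one of these ports from a PID that does not resolve to NSecRTS.exe is still worth triage, since the port is the indicator that survives a renamed binary; conversely, because the article describes NSecRTS.exe as a service, `sc query` or `Get-Service` on the same host should show the corresponding service entry, which is the persistence to remove.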
Researchers noted that technical indicators, including Simplified Chinese language usage and specific code-signing certificates, suggest the tooling originated from a China-linked development environment.
This transformation from a simple phishing email to a fully operational Remote Access Trojan (RAT) highlights the critical need for vigilance against such multi-stage threats.
