In December 2025, threat researchers uncovered an alarming espionage operation targeting residents of India through sophisticated phishing campaigns.
The attack, dubbed SyncFuture, demonstrates how cybercriminals can abuse legitimate business software as a vehicle for launching advanced malware attacks.
Attackers sent fraudulent emails impersonating India’s Income Tax Department, tricking victims into downloading malicious files containing multiple stages of malicious code.
The infection chain reveals remarkable technical sophistication. Victims who opened the files received a ZIP archive containing what appeared to be a government document review tool.
.webp "'SyncFuture' Campaign Weaponizing Legitimate Enterprise Security Software to Deploy Malware 2")
Instead, the archive held a weaponized executable that would begin a multi-stage attack sequence designed to gain complete control over infected computers and maintain long-term access.
eSentire analysts and researchers identified this campaign and documented how it combines multiple attack techniques to evade security defenses and establish persistent access.
.webp "'SyncFuture' Campaign Weaponizing Legitimate Enterprise Security Software to Deploy Malware 4")
The threat actors employed legitimate Microsoft-signed binaries, automated evasion tactics, and ultimately repurposed a genuine enterprise management platform as their final payload—a particularly troubling indicator of the campaign’s sophistication and resources.
Avast Antivirus Evasion Through Automated Mouse Simulation
The SyncFuture campaign demonstrates advanced detection evasion tactics, particularly targeting Avast Free Antivirus through a technique most wouldn’t expect from automated malware.
When the malware detected Avast running on a victim’s machine, it deployed an innovative approach: simulating mouse movements and clicks to navigate Avast’s interface automatically.
.webp "'SyncFuture' Campaign Weaponizing Legitimate Enterprise Security Software to Deploy Malware 5")
This technique is noteworthy because it shows attackers studying specific antivirus products in detail.
The malware would locate the Avast detection dialog window, then programmatically move the cursor to hardcoded screen coordinates and click on options that create security exceptions.
By simulating human-like user actions rather than attempting to disable the antivirus entirely, the malware successfully added itself to Avast’s exclusion list, effectively whitelisting the malicious files.
.webp "'SyncFuture' Campaign Weaponizing Legitimate Enterprise Security Software to Deploy Malware 6")
This persistence mechanism allowed the threat actor’s tools to operate undetected by the antivirus software.
The batch scripts analyzed contained conditional logic specifically checking whether Avast was running, demonstrating that attackers had thoroughly tested and customized their malware for different antivirus environments.
This infection mechanism represents a significant evolution in malware sophistication—moving beyond simple evasion toward targeted manipulation of specific security products to achieve their long-term espionage objectives.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
