CISOOnline

Cybercriminals exploit India’s tax filing season with a dual-malware campaign

Once the victims are lured into downloading and opening the archives posing as legitimate Income Tax Department utilities, trusted Windows executables are abused to load malicious DLLs. This allows the malware to borrow the legitimacy of signed binaries while sidestepping security controls.

“The infection begins with ‘COU_ITR-1_to_4_AY2026-27.exe’, a legitimate and digitally signed binary that the attacker repurposes as a launcher,” the researchers said, adding that it is a known technique where an attacker “places a malicious library in a path the trusted binary will check first, giving the malware a clean entry point.”

The campaign then runs its subsequent infection stages, which employ multiple defense-evasion techniques, including anti-analysis checks, AMSI patching, encrypted in-memory execution of .NET assemblies, and session-aware process injection into svchost.exe.



Source link