Cybercriminals are exploiting India’s tax season by launching sophisticated phishing campaigns that impersonate the Income Tax Department to deliver dangerous malware to unsuspecting taxpayers.
The malicious operation uses fake assessment notices and tax compliance warnings to trick victims into downloading malware-laden files that grant attackers persistent access to compromised systems.
The phishing campaign, which has been active since October 2025, specifically targets multinational organizations headquartered in the UK and the US with operations or subsidiaries in India.
Mimecast’s Threat Research team uncovered this highly targeted operation that delivers dangerous payloads designed to steal data and enable long-term system compromise.
The attackers send deceptive emails claiming serious tax violations under Section 271(1)(c) of the Income Tax Act, alleging concealment of income or inaccurate filings.
Malware Delivery Mechanism
The attack begins with phishing emails that create intense pressure by demanding recipients review alleged “violations” within 72 hours via an embedded link.
When victims click the malicious link, they are redirected to a convincing fake government webpage presented in both Hindi and English, featuring a “Download Documents” button.
The fraudulent portal, hosted on domains such as zyisykm[.]shop, mimics legitimate Income Tax Department communications with official-looking logos and formal language.
Clicking the download button triggers a Visual Basic script disguised as a tax notice, which silently establishes persistence on the victim’s machine, creates hidden folders, and downloads a second-stage payload.
The multi-stage infection process uses NSIS droppers and password-protected ZIP files containing malicious executables that deploy Remote Access Trojans (RATs).
The campaign frequently delivers the XRed trojan, an advanced backdoor malware that has been circulating since at least 2019.
XRed provides attackers with extensive capabilities including keylogging to steal credentials for emails, banking, and cryptocurrency accounts.
The malware collects sensitive system information such as username, MAC address, and computer name, transmitting this data to attacker-controlled servers.
XRed enables remote control through various commands that allow attackers to capture screenshots, access the command line, and list, download, or delete files from infected systems.
The trojan employs sophisticated persistence mechanisms by creating Windows Registry Run keys to ensure automatic startup and utilizing a mutex named “Synaptics2X” to prevent multiple instances.
Additionally, XRed exhibits worm-like behavior by spreading through USB drives using autorun.inf files.
Malicious Infrastructure
The campaign operates through multiple compromised domains including googlevip[.]shop, dadasf[.]qpon, googleaxc[.]shop, and googlem[.]com, along with the previously mentioned zyisykm[.]shop.
These domains host fake Income Tax Department portals that closely mimic official government websites to deceive victims.
The attackers leverage both trojanized legitimate software and hardware drivers to distribute the malware, making detection exceptionally difficult.
The Income Tax Department and Press Information Bureau have repeatedly issued warnings about these fraudulent communications.
Authorities emphasize that the department never asks taxpayers to share passwords, OTPs, or bank details via email, SMS, or phone calls. The fraudulent messages often contain minor spelling errors and fake links designed to appear genuine.
Taxpayers should verify all tax-related information only through the official Income Tax Department website and avoid clicking suspicious links in unexpected emails.
Legitimate assessment orders are only available through the authenticated e-filing portal at incometax.gov.in, not through external domains or direct download links.
To protect against this campaign, users should scrutinize sender email addresses, as government agencies never use public webmail services like Outlook.com for official communication.
Never download attachments or click links from unsolicited tax-related emails, especially those creating urgency with penalty threats.
Enable robust endpoint protection with updated antivirus software capable of detecting VBScript-based threats and suspicious registry modifications.
Organizations should implement email filtering solutions to block phishing attempts and conduct regular security awareness training focused on tax-themed social engineering attacks.
System administrators should monitor for unusual outbound SMTP traffic and connections to non-standard ports that may indicate C2 communication.
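The persistence and propagation traits described above (Run keys, the "Synaptics2X" mutex, autorun.inf on removable media) can be checked on a host with a short read-only audit. The following PowerShell script is an added example, not code from Mimecast or from the report; it assumes a Windows host with PowerShell 5.1 or later and read access to the Run keys, and the list of user-writable paths it treats as suspicious is an assumption, not something the report specifies.

```powershell
# Added example: read-only audit for the XRed persistence indicators named in the report.
$findings = @()

# 1. Registry Run keys: flag entries whose command points into user-writable locations
#    (assumed heuristic; legitimate software normally starts from Program Files).
$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, $env:ProgramData)
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }        # skip PowerShell's own metadata properties
    $cmd = [string]$p.Value
    foreach ($root in $suspiciousRoots) {
      if ($root -and $cmd -like "*$root*") {
        $findings += [pscustomobject]@{ Check = 'RunKey'; Detail = "$key\$($p.Name) -> $cmd" }
      }
    }
  }
}

# 2. Mutex: XRed creates "Synaptics2X" to avoid running twice, so an OpenExisting
#    that succeeds (or is denied rather than "not found") means the name is in use.
#    Both the local and the Global\ form are tried; which one XRed uses is an assumption.
foreach ($name in 'Synaptics2X', 'Global\Synaptics2X') {
  try {
    $m = [System.Threading.Mutex]::OpenExisting($name)
    $m.Dispose()
    $findings += [pscustomobject]@{ Check = 'Mutex'; Detail = "named mutex '$name' is present" }
  } catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present: nothing to report
  } catch [System.UnauthorizedAccessException] {
    $findings += [pscustomobject]@{ Check = 'Mutex'; Detail = "named mutex '$name' exists (access denied)" }
  }
}

# 3. Removable drives (DriveType 2): an autorun.inf at the root is the worm's footprint.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
  $inf = "$($_.DeviceID)\autorun.inf"
  if (Test-Path -LiteralPath $inf) {
    $findings += [pscustomobject]@{ Check = 'USB'; Detail = "autorun.inf found at $inf" }
  }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No XRed persistence indicators found.' }
```

A hit on any of the three checks is a lead for triage, not proof of infection; the Run-key heuristic in particular will also flag some legitimate per-user installers.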
If you receive a suspicious tax notice, verify its authenticity by logging directly into the official e-filing portal rather than following embedded links.