GBHackers

Indian Income Tax Department Phishing Lure Deploys Gh0st RAT and AsyncRAT Implants


A targeted phishing campaign impersonating the Indian Income Tax Department has been observed delivering a sophisticated, six-stage infection chain that culminates in two in-memory remote-access implants: a Gh0st RAT derivative and a Quasar/AsyncRAT-family .NET payload.

Victims are funneled to fake government pages that mimic Ministry of Finance and Income Tax branding and are pressured with urgent compliance notices.

A secondary redirection to a faux “Microsoft Edge Secure Gateway” page manufactures legitimacy before automatically downloading a ZIP archive named Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip.

The archive contains an apparently legitimate, digitally signed executable (COU_ITR-1_to_4_AY2026-27.exe) and a companion nvdaHelperRemote.dll.

Placing the malicious DLL alongside the signed binary abuses Windows’ DLL search order so the trusted process loads attacker-controlled code, providing a clean initial execution context.

Fake Microsoft verification page (Source : Cyderes).

From this sideload the campaign unfolds across six stages. The initial DLL decodes shellcode in memory and spawns a downloader that elevates via a UAC runas prompt, enforces single-instance execution using global events, and creates persistence as a service named MixedSvc with the display name “Windows Mixed Reality Service.”

The downloader fetches a polyglot file from infrastructure at 118[.]107[.]0[.]197 and saves it as C:Windowsbackground.jpg.

Howler Cell Threat Research  identified the operation relies on social engineering, signed-binary sideloading, a polyglot image carrier, and session-aware injection to achieve resilient, stealthy access across all user sessions.

That JPG is a valid image but contains multiple encrypted payload blobs appended at distinct offsets—allowing later stages to extract different components without dropping obvious artifacts.

Income Tax Department Phishing

A staged loader reflectively maps next-stage DLLs, avoiding on-disk PE writes. An injector enumerates processes and uses CreateRemoteThread and WriteProcessMemory to inject payloads into svchost.exe.

Attack Overview (Source : Cyderes).
 Attack Overview (Source : Cyderes).

Critically, a session-aware injector reassigns duplicated tokens to spawn suspended svchost.exe instances across all active sessions, injecting two separate payloads for every logged-in user.

This design ensures the implants survive session switches and reach both service and interactive contexts.

The final stage yields two independent implants injected into svchost.exe. The first is a Gh0st RAT-style payload connecting to kkxqbh[.]top:6666.

It runs fully in memory, reflectively loads zlib, CameraUtil.dll, libturbojpeg, and a custom VTCP.dll to implement a screen-capture-to-JPEG pipeline, reverse shell, file operations, and robust C2 framing (6‑byte sync + 4‑byte length, zlib compression).

The second implant is a .NET Quasar/AsyncRAT-family payload delivered via an AES-encrypted assembly that is decrypted in memory, AMSI-patched, and hosted directly by the native process’ CLR. Its C2 points to ouewop[.]com:6351 and uses Quasar-style PBKDF2-derived configuration and encrypted config blobs.

Operationally, the dual-implant architecture provides redundancy and differing detection profiles: if defenses or responders neutralize one channel, the other can retain access.

The use of a signed loader, a polyglot carrier that appears as a benign JPEG, reflective loading, and session-wide injection all emphasize evasion against file-based and platform-only protections.

This campaign’s sophistication and targeted social engineering against Indian taxpayers raise its threat rating to high.

Proactive hunting using the service name MixedSvc/“Windows Mixed Reality Service,” named global events (Globalkkctsbnn, GlobalShitSetupOn26126k), the background.jpg polyglot artifact, and the C2 domains provides rapid telemetry for detection and containment.

Incident responders should prioritize memory captures from injected svchost.exe instances, network blocklists for the observed domains/IP, and validation of signed-binary usages in user-download workflows.

IOCs

TypeIndicatorDetails
Domainimport[.]momLure hosting
Domaintqhaq[.]restLure hosting
Domaingenerate[.]latLure hosting
Domainmeoou[.]restLure hosting
Domainkattp[.]homesLure hosting
URL Path/incometaxCommon lure page path
IP118[.]107[.]0[.]197Polyglot hosting
URLhxxp[://]118[.]107[.]0[.]197/ouewo[.]jpgPolyglot download
Domainkkxqbh[.]topGh0st RAT C2
Port6666Gh0st RAT C2 port
Domainouewop[.]comAsyncRAT C2
Port6351AsyncRAT C2 port

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide



Source link