A targeted phishing campaign impersonating the Indian Income Tax Department has been observed delivering a sophisticated, six-stage infection chain that culminates in two in-memory remote-access implants: a Gh0st RAT derivative and a Quasar/AsyncRAT-family .NET payload.
Victims are funneled to fake government pages that mimic Ministry of Finance and Income Tax branding and are pressured with urgent compliance notices.
A secondary redirection to a faux “Microsoft Edge Secure Gateway” page manufactures legitimacy before automatically downloading a ZIP archive named Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip.
The archive contains an apparently legitimate, digitally signed executable (COU_ITR-1_to_4_AY2026-27.exe) and a companion nvdaHelperRemote.dll.
Placing the malicious DLL alongside the signed binary abuses Windows’ DLL search order so the trusted process loads attacker-controlled code, providing a clean initial execution context.
From this sideload the campaign unfolds across six stages. The initial DLL decodes shellcode in memory and spawns a downloader that elevates via a UAC runas prompt, enforces single-instance execution using global events, and creates persistence as a service named MixedSvc with the display name “Windows Mixed Reality Service.”
The downloader fetches a polyglot file from infrastructure at 118[.]107[.]0[.]197 and saves it as C:Windowsbackground.jpg.
Howler Cell Threat Research identified the operation relies on social engineering, signed-binary sideloading, a polyglot image carrier, and session-aware injection to achieve resilient, stealthy access across all user sessions.
That JPG is a valid image but contains multiple encrypted payload blobs appended at distinct offsets—allowing later stages to extract different components without dropping obvious artifacts.
Income Tax Department Phishing
A staged loader reflectively maps next-stage DLLs, avoiding on-disk PE writes. An injector enumerates processes and uses CreateRemoteThread and WriteProcessMemory to inject payloads into svchost.exe.

Critically, a session-aware injector reassigns duplicated tokens to spawn suspended svchost.exe instances across all active sessions, injecting two separate payloads for every logged-in user.
This design ensures the implants survive session switches and reach both service and interactive contexts.
The final stage yields two independent implants injected into svchost.exe. The first is a Gh0st RAT-style payload connecting to kkxqbh[.]top:6666.
It runs fully in memory, reflectively loads zlib, CameraUtil.dll, libturbojpeg, and a custom VTCP.dll to implement a screen-capture-to-JPEG pipeline, reverse shell, file operations, and robust C2 framing (6‑byte sync + 4‑byte length, zlib compression).
The second implant is a .NET Quasar/AsyncRAT-family payload delivered via an AES-encrypted assembly that is decrypted in memory, AMSI-patched, and hosted directly by the native process’ CLR. Its C2 points to ouewop[.]com:6351 and uses Quasar-style PBKDF2-derived configuration and encrypted config blobs.
Operationally, the dual-implant architecture provides redundancy and differing detection profiles: if defenses or responders neutralize one channel, the other can retain access.
The use of a signed loader, a polyglot carrier that appears as a benign JPEG, reflective loading, and session-wide injection all emphasize evasion against file-based and platform-only protections.
This campaign’s sophistication and targeted social engineering against Indian taxpayers raise its threat rating to high.
Proactive hunting using the service name MixedSvc/“Windows Mixed Reality Service,” named global events (Globalkkctsbnn, GlobalShitSetupOn26126k), the background.jpg polyglot artifact, and the C2 domains provides rapid telemetry for detection and containment.
Incident responders should prioritize memory captures from injected svchost.exe instances, network blocklists for the observed domains/IP, and validation of signed-binary usages in user-download workflows.
IOCs
| Type | Indicator | Details |
|---|---|---|
| Domain | import[.]mom | Lure hosting |
| Domain | tqhaq[.]rest | Lure hosting |
| Domain | generate[.]lat | Lure hosting |
| Domain | meoou[.]rest | Lure hosting |
| Domain | kattp[.]homes | Lure hosting |
| URL Path | /incometax | Common lure page path |
| IP | 118[.]107[.]0[.]197 | Polyglot hosting |
| URL | hxxp[://]118[.]107[.]0[.]197/ouewo[.]jpg | Polyglot download |
| Domain | kkxqbh[.]top | Gh0st RAT C2 |
| Port | 6666 | Gh0st RAT C2 port |
| Domain | ouewop[.]com | AsyncRAT C2 |
| Port | 6351 | AsyncRAT C2 port |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide

