New Phishing Attack Mimicking the Income Tax Department of India Delivers AsyncRAT


A comprehensive phishing operation began targeting Indian companies in November 2025 by impersonating the Income Tax Department of India.

The campaign employed remarkably authentic government communication templates, bilingual messaging in Hindi and English, and legal references to sections of the Income Tax Act to create a sense of legitimacy and urgency.

The emails warned recipients of alleged tax irregularities and demanded that they submit documents within 72 hours, using psychological pressure as a primary weapon to drive users to open malicious attachments.

The attack delivered a sophisticated two-stage malware chain that began with password-protected ZIP files containing shellcode loaders and later evolved to use Google Docs links for secondary payload delivery.

The final payload was AsyncRAT, a Remote Access Trojan designed to grant attackers complete control over compromised systems, including screen sharing, file transfer, and remote command execution.

The campaign specifically targeted securities firms, financial companies, and non-banking financial corporations that regularly exchange regulatory documents with government agencies.


Raven security analysts identified the zero-day phishing campaign by recognizing multiple layers of inconsistency within the attack structure, ultimately preventing widespread infection across targeted organizations.

Infection mechanism of this campaign

The infection mechanism of this campaign reveals a carefully engineered approach to evasion.

Initial phishing emails originated from legitimate QQ.com free email accounts that passed SPF, DKIM, and DMARC authentication checks, a critical factor in bypassing traditional email security filters.

Phishing Email #1 (Source – Raven)

The attachments used password protection to prevent antivirus engines from scanning their contents during transit.

Phishing Email #2 (Source – Raven)

When users extracted the ZIP files with passwords provided in the emails, they encountered executable files named “NeededDocuments” that contained shellcode designed to execute through regsvr32 proxy loading.
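The two evasion properties described above, clean sender authentication and a password-protected archive, can both be checked at the mail gateway. The following Python is an added example and is not part of the Raven write-up or the campaign's artefacts: it parses a constructed message, shows that SPF, DKIM and DMARC passing for a free-mail domain says nothing about whether the display name is legitimate, and reads the entry names of an encrypted ZIP, which the ZIP format leaves in cleartext even when the file contents are protected. The addresses, free-mail list, keyword list and archive contents are constructed assumptions, and the "encrypted" archive only has its flag bit set to stand in for a real protected sample.

```python
"""Added example: gateway triage for the two evasion properties described in the
article.  Not from the Raven write-up; every address, keyword list and archive
here is constructed for the demo."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed: free-mail providers no tax authority would send official notices from.
FREE_MAIL_DOMAINS = {"qq.com", "gmail.com", "outlook.com", "yahoo.com"}
# Constructed: display-name fragments that imply a government sender.
OFFICIAL_KEYWORDS = ("income tax", "tax department", "government")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".hta")


def auth_results(msg):
    """Parse Authentication-Results into {'spf': 'pass', 'dkim': ..., 'dmarc': ...}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[mech.lower()] = verdict.lower()
    return results


def sender_mismatch(msg):
    """Official display name on a free-mail address.  SPF/DKIM/DMARC only prove the
    free-mail provider sent it, which is exactly the gap the campaign exploited."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return any(k in name.lower() for k in OFFICIAL_KEYWORDS) and domain in FREE_MAIL_DOMAINS


def encrypted_zip_findings(data):
    """Return executable-looking entry names inside an encrypted ZIP.  Bit 0 of the
    general-purpose flag marks an encrypted entry; the central directory keeps the
    file name in clear, so a scanner can still see what the password protects."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1 and info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                    findings.append(info.filename)
    except zipfile.BadZipFile:
        pass
    return findings


def triage(raw):
    """Return a list of human-readable verdicts for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = []
    auth = auth_results(msg)
    if all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")) and sender_mismatch(msg):
        verdicts.append("fully authenticated free-mail sender using an official display name")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and re.search(r"\bpassword\b", body.get_content(), re.I):
        verdicts.append("message body supplies an archive password")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"PK":
            for name in encrypted_zip_findings(payload):
                verdicts.append(f"encrypted ZIP attachment carries executable entry: {name}")
    return verdicts


def constructed_encrypted_zip(name, content):
    """Build a one-entry ZIP and set the 'encrypted' flag bit in both headers so it
    looks like a password-protected archive to a parser (the bytes are NOT encrypted;
    this only stands in for a real protected sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(sig) + flag_offset] |= 0x01
    return bytes(data)


def constructed_sample():
    """A message shaped like the campaign's lure, with placeholder addresses."""
    msg = EmailMessage()
    msg["From"] = '"Income Tax Department" <notices-placeholder@qq.com>'
    msg["To"] = "compliance@example-nbfc.invalid"
    msg["Subject"] = "Notice under the Income Tax Act: documents required within 72 hours"
    msg["Authentication-Results"] = ("mx.example.invalid; spf=pass smtp.mailfrom=qq.com; "
                                     "dkim=pass header.d=qq.com; dmarc=pass header.from=qq.com")
    msg.set_content("Constructed body: extract the attached archive with the password 2025.")
    msg.add_attachment(constructed_encrypted_zip("NeededDocuments.exe", b"MZ placeholder bytes"),
                       maintype="application", subtype="zip", filename="NeededDocuments.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for verdict in triage(constructed_sample()):
        print("-", verdict)
```

The point of the ZIP check is that a gateway does not need the password to act: encrypted entries still advertise their names and sizes in the central directory, so an archive whose only member is an executable can be quarantined before any user sees the lure.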

This technique, commonly known as fileless execution, allowed the malware to load a hidden DLL directly into memory without writing detectable signatures to the disk.
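Because regsvr32 is a signed Windows binary, the file itself is never the indicator; what stands out in endpoint telemetry is what it is asked to load and which process launched it. The following Python is an added example, not code from the Raven write-up, that applies that logic to process-creation records in the shape of a Sysmon Event ID 1 entry. The trusted-directory list, installer allow-list, file names, paths and user names are constructed assumptions.

```python
"""Added example: process-creation detection for the regsvr32 proxy-execution step
described in the article.  Not from the Raven write-up; regsvr32.exe is a signed
Windows binary, so the indicator is what it is asked to load and which process
launched it.  Events, paths and user names below are constructed placeholders in
the shape of a Sysmon Event ID 1 record."""
import re

# Directories a legitimately registered COM server is normally loaded from.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable locations where a freshly extracted phishing payload lives.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
# Constructed allow-list of parents that call regsvr32 during normal software installation.
INSTALLER_PARENTS = ("\\msiexec.exe", "\\setup.exe")


def tokens(command_line):
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def regsvr32_findings(event):
    """Return the reasons one process-creation event looks like regsvr32 abuse
    (empty list for non-regsvr32 images and for ordinary COM registration)."""
    if not event["image"].lower().endswith("\\regsvr32.exe"):
        return []
    findings = []
    args = tokens(event["command_line"])[1:]
    switches = {a.lower() for a in args if a.startswith("/")}
    modules = [a for a in args if not a.startswith("/")]
    for module in modules:
        lowered = module.lower()
        if any(d in lowered for d in USER_WRITABLE):
            findings.append(f"module loaded from user-writable path: {module}")
        elif "\\" in lowered and not lowered.startswith(TRUSTED_DIRS):
            findings.append(f"module outside trusted directories: {module}")
        if not lowered.endswith((".dll", ".ocx", ".ax")):
            findings.append(f"registered file lacks a DLL extension: {module}")
    if "/s" in switches and findings:
        findings.append("silent switch hides the registration result from the user")
    parent = event["parent_image"].lower()
    if any(d in parent for d in USER_WRITABLE) and not parent.endswith(INSTALLER_PARENTS):
        findings.append(f"launched by executable in user-writable path: {event['parent_image']}")
    return findings


# Constructed events: one ordinary installer action, one shaped like the campaign step.
SAMPLE_EVENTS = [
    {
        "image": "C:\\Windows\\System32\\regsvr32.exe",
        "command_line": 'regsvr32.exe /s "C:\\Windows\\System32\\msxml6.dll"',
        "parent_image": "C:\\Windows\\System32\\msiexec.exe",
    },
    {
        "image": "C:\\Windows\\System32\\regsvr32.exe",
        "command_line": 'regsvr32.exe /s "C:\\Users\\user\\AppData\\Local\\Temp\\NeededDocuments\\module.dat"',
        "parent_image": "C:\\Users\\user\\Downloads\\NeededDocuments.exe",
    },
]


def scan(events):
    """Map each event's command line to its findings; only suspicious ones are kept."""
    return {e["command_line"]: f for e in events if (f := regsvr32_findings(e))}


if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_EVENTS).items():
        print(cmd)
        for r in reasons:
            print("   ", r)
```

The rules deliberately stack: a module in a temp directory, a registered file without a DLL extension, the silent switch and a parent that itself lives in a user-writable path each add a reason, so an analyst sees why the event scored rather than a single opaque alert, and a legitimate installer registering a server from System32 produces nothing.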

The shellcode established persistence mechanisms, harvested stored credentials from the victim’s system, and opened communication channels to remote command servers associated with AsyncRAT infrastructure.

Some variants used Google Docs as a trusted hosting platform for the second stage, exploiting the inherent trust placed in legitimate cloud services by corporate security filters.

The combination of clean sender authentication, password-protected payloads, legitimate cloud infrastructure, and regsvr32 proxy execution created a nearly invisible attack chain that rendered signature-based detection methods ineffective.
