Watch out that income tax form could actually be dangerous malware
Date:
Sun, 28 Jun 2026 16:10:00 +0000
Description:
Researchers uncovered a fake tax notice campaign that delivered remote-access malware via staged downloads and encrypted communications.
FULL STORY ======================================================================
- Fake tax notices are becoming delivery vehicles for sophisticated remote access malware
- Attackers hide malicious code behind convincing government branding and legal references
- The malware quietly establishes encrypted communication with servers outside the country

A new phishing campaign is using fake income tax assessment notices
to deliver dangerous malware to unsuspecting victims across India.
Researchers at CYFIRMA identified the operation, which relies on a fraudulent website built to closely resemble official communication from the Indian Income Tax Department. The fake portal, hosted on a recently registered domain, presents a convincing assessment order complete with legal references, financial penalties, and urgent compliance language designed to pressure recipients into acting quickly.

How the infection unfolds

Victims who interact with the fake notice are prompted to download a ZIP archive disguised as official assessment documentation and supporting calculations.
Once extracted, that archive reveals a disk image file that functions as a container for the actual malicious payload.
Inside sits a loader program that quietly triggers a second component, a DLL file disguised to resemble a legitimate Windows service.
Researchers found that this loader uses reflection-based loading techniques specifically built to make automated detection and analysis considerably more difficult.
Both files were obfuscated using a known protection tool, further
complicating efforts by security teams to inspect the code.
Once active, the payload behaves like a Remote Access Trojan, granting attackers persistent, encrypted access to the infected machine.
It can collect system details, monitor user activity, check which security software is installed, and silently load additional malicious components on command.
Communication with the attacker's server happens over an encrypted channel, using a hardcoded address traced to infrastructure based in Hong Kong.
These capabilities point toward a financially motivated operation, rather
than one focused on immediate damage or disruption, and they closely resemble traits associated with known commodity RAT families such as XWorm.
However, researchers note that conclusive attribution to a specific threat actor remains unconfirmed at this stage.

Why this campaign matters

This is not an isolated phishing attempt but part of a broader pattern of attackers exploiting tax season anxiety to bypass user caution entirely.
CYFIRMA's findings show the same loader-and-payload architecture has previously been linked to ransomware operators, suggesting this
infrastructure may serve more than one type of attack depending on the
victim.
Up-to-date antivirus software with behavioral detection remains one practical defence against this kind of staged, multi-component malware delivery.
Security researchers recommend that individuals verify any tax-related correspondence directly through official government channels rather than clicking embedded links.
Organizations are advised to restrict the execution of unknown files arriving through archives or disk images, since this campaign relies heavily on that exact delivery method to succeed.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/watch-out-that-income-tax-form-could-actually-be-dangerous-malware
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)