A sophisticated phishing campaign targeting Indian entities has been attributed to the SideWinder advanced persistent threat group. Attackers impersonate the Indian Income Tax Department by sending tax-themed emails that urge recipients to review an inspection document. These emails contain links to a fake tax portal closely mimicking the legitimate government site, which then delivers a malicious ZIP archive. The archive includes a renamed, signed Microsoft Defender binary and a malicious DLL, exploiting DLL side-loading to install a Windows backdoor. The malware performs geofencing by checking the victim's timezone and only proceeds if it matches South Asian regions, thereby targeting Indian organizations specifically. Once installed, the backdoor enables file theft, data capture, and remote control by the attackers, with connections observed to known SideWinder command-and-control servers.
Security researchers have noted a surge in tax-themed phishing and malware campaigns during the Indian tax filing season, leveraging public discussions about refunds to increase credibility. The spear-phishing emails often originate from suspicious domains and use embedded images to bypass spam filters, further enhancing their effectiveness. The infection chain is multi-stage, ultimately deploying persistent remote access trojans or infostealers. These campaigns highlight the evolving tactics of threat actors in targeting Indian businesses and government-related entities through highly convincing social engineering and technical subterfuge.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Investigators reported Chinese-language components, code-signing artifacts, and other development clues suggesting the operation may be tied to a China-linked actor; one report attributed the activity to SideWinder APT. Researchers also published technical indicators including file hashes, C2 infrastructure, and network details to support detection and response.
Technical analysis revealed that the campaign used multi-stage installers, including NSIS-based payloads and DLL side-loading, to deploy a persistent Windows backdoor/RAT. The malware established services for persistence, used evasion techniques such as delayed execution and geofencing, and enabled remote access, file theft, and data collection.
During India's tax filing season, attackers launched a spear-phishing campaign impersonating the Indian Income Tax Department and sending fake compliance notices to local businesses. The lures directed victims to fraudulent tax/compliance portals that delivered malicious ZIP archives.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcecybersecuritynews.com
Open sourceseqrite.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.