A sophisticated phishing campaign has been uncovered targeting Indian organizations using income tax-themed lures. The attackers distribute emails with attachments that closely mimic official documents from the Indian Income Tax Department, enticing recipients to open malicious files. Technical analysis reveals that the campaign employs a Nullsoft Scriptable Install System (NSIS) installer to drop and execute payloads, ensuring persistence and reliability by leveraging temporary directories and custom working folders. The campaign's infrastructure includes the use of domains such as ggwk[.]cc and the delivery of executables like "tax affairs.exe" to compromise victims.
Attribution analysis by CloudSEK indicates that this campaign is linked to a Chinese APT group, contradicting previous misattributions to India-aligned actors such as SideWinder. The attackers' tactics, techniques, and procedures (TTPs) demonstrate a sophisticated kill chain, with the phishing lures and payload delivery mechanisms designed to evade detection and maximize the likelihood of successful compromise. Accurate attribution is emphasized as critical for effective defense, as misattribution can lead to misdirected security efforts and allow the true adversary to operate undetected.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Analysis of the malware used in the campaign linked it to China-associated threat activity, including Valley RAT delivered through a Donut-based loader and process hollowing. Researchers documented rotating command-and-control infrastructure, registry-based persistence, and plugin injection into signed Windows utilities.
Attackers launched a phishing campaign impersonating the Indian Income Tax Department and using a "Tax Compliance" lure to trick victims into downloading malware. The activity targeted Indian organizations and individuals with government-themed social engineering.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.