Threat researchers reported an espionage-focused phishing operation dubbed SyncFuture targeting individuals in India by impersonating the country’s Income Tax Department. Victims were lured with urgent “tax penalty/compliance” notices (including distribution via SendGrid in some cases) that delivered a ZIP archive masquerading as a government document review tool; opening it launched a multi-stage infection chain designed to establish long-term access. Analysis attributed the discovery to eSentire’s Threat Response Unit, which documented the use of DLL side-loading with legitimate Microsoft-signed applications, privilege escalation via a COM-based UAC bypass, and process masquerading (e.g., appearing as explorer.exe) to reduce detection.
The campaign also demonstrated notable defense evasion by abusing trusted software and user interaction: it leveraged Microsoft-signed binaries and ultimately deployed a legitimate enterprise management/security platform repurposed as the final payload for persistent remote control and surveillance, described as a commercial-grade Chinese IT management tool used for spying. Researchers also observed an unusual technique to evade Avast Free Antivirus by simulating mouse movements and clicks to navigate the product UI and disable/evade protections, underscoring a “living off trusted tools” approach rather than relying solely on custom malware components.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
In January 2026, eSentire’s Threat Response Unit disclosed the campaign, naming it 'SyncFuture' and detailing its multi-stage infection chain, use of legitimate signed binaries, and long-term surveillance objectives. Researchers said the activity had not been attributed to a known threat actor, though some reporting described it as China-linked.
Analysis of the malware revealed a tailored evasion technique against Avast Free Antivirus, using simulated mouse movements and clicks to add malicious files to the product’s exclusion list. This indicated attacker testing and customization against specific defensive software.
The intrusion chain used DLL sideloading, anti-analysis checks, a COM-based UAC bypass, and process masquerading before delivering a Blackmoon variant and the legitimate Chinese SyncFuture Terminal Security Management System as a surveillance platform. The final tooling enabled persistence, remote control, screen recording, file tracking, and data exfiltration.
In early December 2025, attackers launched a phishing campaign impersonating India’s Income Tax Department, using tax penalty lures and malicious ZIP archives to target users in India. The operation was assessed as espionage-focused rather than financially motivated.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcescworld.com
Open sourcethehackernews.com
Open sourcecybersecuritynews.com
Open sourcesecurityonline.info
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.