A China-nexus espionage campaign dubbed Operation DragonReturn has targeted India’s tax ecosystem by impersonating the Income Tax Department and distributing a fake filing utility during the AY2026-27 tax season. Researchers said the operation used a lure hosted at govtop[.]one/incometax to deliver a ZIP archive posing as Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip, aiming at taxpayers, tax professionals, corporate finance teams, and government-linked tax infrastructure. Seqrite and Gurucul assessed the activity with medium-to-high confidence as aligned with a China-linked cluster based on infrastructure overlaps, Chinese-language artifacts, and tradecraft similarities to RAT-focused espionage operations active across Asia.
The infection chain deployed DcRAT through multiple stages, using image-based payload concealment in background.jpg, process injection into svchost.exe, AMSI bypass, and fileless execution of a decrypted .NET assembly in memory. Persistence was established through a Windows service named MixedSvc masquerading as “Windows Mixed Reality Service,” while command-and-control traffic was observed over encrypted TLS to 223.26.63.40:2671, with related infrastructure tied to kkxqbh[.]top, 1kkkkddd.com, and additional domains, IPs, and SHA-256 indicators published by Gurucul. Researchers said the operators rotated payloads every 7–10 days, and at least one variant initially showed 0/66 detections on VirusTotal, underscoring the campaign’s emphasis on stealth and intelligence collection.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
Gurucul published additional reporting on Operation DragonReturn, describing it as a high-severity China-nexus cyber-espionage campaign targeting India’s tax infrastructure. The content included indicators of compromise such as domains, IP addresses, SHA-256 hashes, and example detection queries.
Seqrite publicly reported Operation DragonReturn and assessed with medium-to-high confidence that it was linked to a China-aligned threat cluster. The report described infrastructure overlaps, Chinese-language artifacts, Silver Fox TTP similarities, process injection into svchost.exe, AMSI bypass, and fileless execution of a decrypted .NET assembly.
Unit 42 reported threat activity tracked as CL-STA-1062 targeting government entities and critical infrastructure organizations in Southeast Asia for espionage. The attackers used a hybrid toolkit that included a custom backdoor named TinyRCT and focused on intelligence collection rather than disruption.
Seqrite Threat Research Unit publicly reported the targeted campaign against Thailand’s healthcare ecosystem and assessed with moderate confidence that it was a coordinated effort using a standardized toolset. The report detailed credential theft, browser data collection, local staging, ZIP compression, and attempted Telegram-based exfiltration.
Seqrite reported that Operation DragonReturn was still active as of June 17, 2026, with payloads rotating every 7–10 days. The campaign used infrastructure tied to multiple domains and an IP address for encrypted TLS command-and-control communications.
Seqrite reported that the Thailand healthcare-targeting malware campaign was observed from April 7, 2026 through June 3, 2026, indicating sustained activity over nearly two months. All identified samples were reportedly uploaded from Thailand, suggesting local staging infrastructure or compromised in-country systems.
Seqrite first observed Operation DragonReturn, a spear-phishing campaign impersonating India’s Income Tax Department to target taxpayers, tax professionals, corporate finance teams, and related entities during the AY2026-27 filing season. The campaign delivered a fake tax utility ZIP that installed a multi-stage malware chain culminating in DcRAT-related payloads.
Seqrite observed an active malware campaign targeting Thailand’s healthcare sector, including Ministry of Health personnel and affiliated healthcare organizations, using healthcare-themed spear-phishing lures in malicious RAR archives. The infection chain used obfuscated batch scripts, GitHub-hosted payloads, Startup-folder persistence, and a Python-based information stealer that attempted exfiltration via the Telegram Bot API.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
community.gurucul.com
Open sourcemalware.news
Open sourcemalware.news
Open sourcemalware.news
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.