Researchers reported a suspected China-linked phishing campaign targeting Indian taxpayers, tax professionals, and corporate finance teams by impersonating the Income Tax Department of India. The operation, tracked as Operation DragonReturn, used tax-themed emails to lure victims into opening malicious archives and virtual disk files that triggered multi-stage infections through DLL side-loading and hijacking. Observed activity began in mid-May, and investigators said the infrastructure and tradecraft show overlaps with the China-associated group Silver Fox.
The malware chains ultimately deployed remote access trojans including DCRat and ValleyRat, along with secondary payloads for screenshots and data exfiltration. Researchers said the intrusions relied on anti-analysis checks, UAC elevation, image-based payload concealment, encrypted in-memory execution, AMSI bypass, process injection, and persistence via Windows services and the registry. The implants were also capable of downloading additional encrypted modules from command-and-control servers, giving attackers covert, persistent access to victim systems.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Cyderes detailed a six-stage infection chain in the fake Indian tax notice campaign that ultimately injects two implants into svchost.exe: a Gh0st RAT derivative and a Quasar/AsyncRAT-family .NET implant. The report also identified command-and-control endpoints kkxqbh[.]top:6666 and ouewop[.]com:6351, along with AMSI patching, in-memory CLR hosting, and session-aware process injection.
Researchers reported a social engineering campaign impersonating the Indian Income Tax Department and using DLL side-loading and multi-stage execution to deploy remote access trojans. Across reporting, the activity was linked to suspected China-nexus operators, with one analysis noting overlaps suggesting possible ties to Silver Fox.
Seqrite Labs observed a suspected China-nexus campaign targeting Indian taxpayers, tax professionals, and corporate finance teams beginning on May 18, 2026. The operation used spear-phishing emails impersonating the Income Tax Department of India to deliver malware via a fake tax filing utility.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcecryptika.com
Open sourcecommunity.gurucul.com
Open sourcecyderes.com
Open sourcethehackernews.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.