Full Report
Authors: Dixit Panchal & Soumen Burma

Table of Contents:
* Introduction
* Key Targets
* Infection Chain
* Initial Findings about Campaign
* Initial Mail
* Email Attachment
* Lure: Official GoI, Income Tax Document
* Technical Analysis
* Infrastructural Artefacts & Threat Actor Attributions
* Campaign Timeline
* Conclusion
* Seqrite Coverage
* IOCs
* MITRE ATT&CK

Introduction: Seqrite Labs actively tracks and analyses threat actors and their […]

Original post: "Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. of India/MoF Tax Infrastructure via Multi-Stage DcRAT Deployment", Seqrite Labs.
Analysis Summary
# Threat Actor: Operation DragonReturn (China-Nexus Cluster)
## Attribution & Identity
* **Actor Identification:** Identified as a China-nexus threat cluster.
* **Known Aliases:** Referred to as a "prominent and highly active threat actor" known for cyber-espionage against Asian countries. While a specific industry name (like APT#) is not explicitly finalized in this report, it is linked to known China-aligned espionage operations.
* **Associations:** Similarities in TTPs suggest alignment with established Chinese State-Sponsored APT groups focusing on regional intelligence gathering.
## Activity Summary
* **Campaign:** Operation DragonReturn (May 2026 – June 2026).
* **Overview:** A sophisticated spear-phishing campaign targeting the Indian financial ecosystem during the tax filing season. The actor deployed multi-stage DcRAT malware using high-fidelity lures impersonating the Government of India, Ministry of Finance (MoF).
* **Persistence:** The actor sustains the campaign by rotating malicious payloads, keeping the samples at a 0/66 detection rate on VirusTotal.
## Tactics, Techniques & Procedures
* **Spear Phishing:** Use of bilingual (Hindi/English) lures, official GoI emblems, and citations of real legal sections (Income Tax Act 271(1)(c) and 276C).
* **Impersonation:** Masquerading as the "Common Offline Utility for ITR" to gain trust.
* **Execution:** Multi-stage infection chain using `cmd.exe` and Windows Service Control (`sc.exe`) to establish persistence.
* **Bypass Mechanisms:** UAC Bypass, AMSI Bypass, and Sandbox evasion techniques were observed.
* **MITRE ATT&CK IDs:**
* T1566.001/.002: Spearphishing (Attachment/Link)
* T1543.003: Windows Service Persistence
* T1548.002: Abuse Elevation Control Mechanism (UAC Bypass)
* T1562.001: Impair Defenses (AMSI Bypass)
* T1620: Reflective Code Loading
* T1055: Process Injection
* T1497: Virtualization/Sandbox Evasion
## Targeting
* **Sectors:** Government (Ministry of Finance), Corporate Finance, Legal/Tax Consultancies, and individual taxpayers.
* **Geography:** India (Pan-India focus).
* **Victims:** Indian Corporate Companies, Chartered Accountants (CAs), Tax Professionals, Government Contractors, and individual Indian citizens.
## Tools & Infrastructure
* **Malware Families:** DcRAT (a modular Remote Access Trojan capable of data theft, keylogging, and remote control).
* **Infrastructure (Defanged):**
* **Lure Domains/URLs:** `govtop[.]one/incometax`
* **C2 Domains:** `Ikkkkddd[.]com`, `Kkxqbh[.]top`
* **C2 IPs:**
* `204[.]194[.]48[.]250`
* `118[.]107[.]0[.]197`
* `27[.]50[.]54[.]191`
* `223[.]26[.]63[.]40:2671`
## Implications
* **Strategic Espionage:** This is a resourced and sustained operation aimed at sensitive financial data and government infrastructure.
* **Socio-Political Exploitation:** The actor leverages critical seasonal events (tax filing deadlines) to maximize infection rates.
* **Threat Level:** Rated as **Critical** due to the precision of the lures and the successful evasion of standard security software.
## Mitigations
* **User Training:** Educate employees, especially in finance and accounting, to verify the source of tax-related communications and utility downloads.
* **Technical Controls:**
* Monitor for unauthorized use of `sc.exe` for service creation and suspicious `cmd.exe` child processes.
* Block known IoC domains/IPs at the perimeter (Firewall/Web Proxy).
* Implement Advanced Endpoint Protection (EDR) capable of detecting memory-only reflective code loading and AMSI patching.
* **Validation:** Use only official government portals (`incometax.gov.in`) for downloading any tax filing utilities.
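The detection side of the execution TTPs (`cmd.exe` and `sc.exe` service persistence, T1543.003) and of the technical controls listed under Mitigations (monitoring `sc.exe` service creation and suspicious `cmd.exe` parent/child relationships, blocking the report's IoCs) can be prototyped against log data. The block below is an added example, not Seqrite's code or tooling. It assumes a simplified process-creation record (Sysmon Event ID 1 style fields: image, command line, parent image, user) and a `dst=host:port` proxy log format; the file names, user names, and log lines are constructed for illustration. The indicators themselves are the defanged values given in the report.

```python
"""Prototype detections for the DragonReturn TTPs and IoCs (added example).

Assumes constructed process-creation events and proxy log lines; field
names, paths and sample values are assumptions, not data from the report.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Defanged indicators copied from the report's Infrastructure section.
LURE_DOMAINS = ["govtop[.]one"]
C2_DOMAINS = ["Ikkkkddd[.]com", "Kkxqbh[.]top"]
C2_IPS = ["204[.]194[.]48[.]250", "118[.]107[.]0[.]197",
          "27[.]50[.]54[.]191", "223[.]26[.]63[.]40:2671"]


def refang(ioc: str) -> str:
    """Undo the report's defanging ("[.]" -> ".") and normalise case."""
    return ioc.replace("[.]", ".").lower()


def ioc_sets() -> Tuple[Set[str], Set[str], Set[Tuple[str, int]]]:
    """Return (domains, ips, (ip, port) pairs) ready for log matching."""
    domains = {refang(d) for d in LURE_DOMAINS + C2_DOMAINS}
    ips: Set[str] = set()
    ip_ports: Set[Tuple[str, int]] = set()
    for raw in C2_IPS:
        host, _, port = refang(raw).partition(":")
        ipaddress.ip_address(host)          # raises on a malformed indicator
        ips.add(host)
        if port:
            ip_ports.add((host, int(port)))
    return domains, ips, ip_ports


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    cmdline: str
    parent_image: str   # full path of the parent process
    user: str


# sc.exe create/config with a binPath= argument is the service-persistence shape.
SC_PERSIST = re.compile(r"\bsc(\.exe)?\s+(create|config)\b.*\bbinpath\s*=", re.I)
# Parents living in user-writable locations (downloaded lure binaries, temp dirs).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata)|programdata|temp)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: ProcEvent) -> List[str]:
    """Return a list of findings (empty when the event looks benign)."""
    findings = []
    if basename(ev.image) == "sc.exe" and SC_PERSIST.search(ev.cmdline):
        findings.append("T1543.003: service create/config via sc.exe")
        if basename(ev.parent_image) == "cmd.exe":
            findings.append("sc.exe launched from cmd.exe")
    if basename(ev.image) == "cmd.exe" and USER_WRITABLE.search(ev.parent_image):
        findings.append("cmd.exe spawned by a binary in a user-writable path")
    return findings


def scan_processes(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    return [(i, f) for i, ev in enumerate(events) for f in check_process(ev)]


NET_LINE = re.compile(r"dst=(?P<host>[^:\s]+)(?::(?P<port>\d+))?")


def check_network(line: str, domains: Set[str], ips: Set[str],
                  ip_ports: Set[Tuple[str, int]]) -> Optional[str]:
    """Match a proxy/firewall line against the IoC sets."""
    m = NET_LINE.search(line)
    if not m:
        return None
    host = m.group("host").lower()
    port = int(m.group("port")) if m.group("port") else None
    if host in domains:
        return f"lure/C2 domain {host}"
    if host in ips:
        if port is not None and (host, port) in ip_ports:
            return f"C2 {host}:{port}"
        return f"C2 IP {host}"
    return None


def scan_network(lines: List[str]) -> List[Tuple[int, str]]:
    domains, ips, ip_ports = ioc_sets()
    hits = []
    for i, line in enumerate(lines):
        hit = check_network(line, domains, ips, ip_ports)
        if hit:
            hits.append((i, hit))
    return hits


# Constructed sample data (not from the report); file and user names are invented.
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c start svc.exe",
              r"C:\Users\alice\Downloads\ITR_Offline_Utility.exe", "alice"),
    ProcEvent(r"C:\Windows\System32\sc.exe",
              r'sc create UpdateSvc binPath= "C:\ProgramData\svc.exe" start= auto',
              r"C:\Windows\System32\cmd.exe", "alice"),
    ProcEvent(r"C:\Windows\System32\sc.exe", "sc query wuauserv",
              r"C:\Windows\System32\cmd.exe", "admin"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir",
              r"C:\Windows\explorer.exe", "bob"),
]
SAMPLE_NET = [
    "src=10.0.0.5 dst=kkxqbh.top:443 action=allow",
    "src=10.0.0.5 dst=223.26.63.40:2671 action=allow",
    "src=10.0.0.8 dst=incometax.gov.in:443 action=allow",
]

if __name__ == "__main__":
    for idx, finding in scan_processes(SAMPLE_PROCS):
        print(f"process event {idx}: {finding}")
    for idx, hit in scan_network(SAMPLE_NET):
        print(f"network line {idx}: {hit}")
```

The two benign records (an administrator's `sc query` and `cmd.exe` launched from `explorer.exe`) produce no findings, which is the check worth keeping when tuning this: the `binPath=` requirement and the user-writable-parent rule are what separate the persistence pattern from routine `sc.exe` and `cmd.exe` use. In production the same logic would run over Sysmon or Security 4688 events and proxy logs in a SIEM rather than over inline samples.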