Full Report
A suspected China-nexus threat activity cluster has been observed targeting Indian taxpayers, tax professionals, and corporate finance teams to deliver a remote access trojan designed to steal sensitive data from compromised hosts. The multi-stage campaign, codenamed Operation DragonReturn by Seqrite Labs, involves sending spear-phishing emails impersonating the Income Tax Department of India.
Analysis Summary
# Threat Actor: Operation DragonReturn Cluster (Suspected Silver Fox Nexus)
## Attribution & Identity
* **Actor Identification:** A suspected China-nexus threat activity cluster.
* **Aliases:** None specified for the cluster itself; the campaign is codenamed **Operation DragonReturn**.
* **Known Associations:** Researchers have identified tactical and infrastructure overlaps with **Silver Fox**, a Chinese cybercrime group known for tax-themed phishing and ValleyRAT delivery.
* **Attribution Basis:** Use of ChinaNet IP addresses, a Chinese-language C2 web management panel, and infrastructure similarities with known Chinese-aligned groups.
## Activity Summary
Observed starting around May 18, 2026, this campaign targets Indian taxpayers during the annual income tax filing season. It is a highly targeted, well-resourced operation using sophisticated lures to deliver DcRAT and other data exfiltration tools. The campaign utilizes a multi-stage infection chain involving DLL sideloading and image-based payload concealment.
## Tactics, Techniques & Procedures
* **Spear-Phishing:** Sending emails impersonating the Income Tax Department of India with legal citations and bilingual (Hindi/English) content.
* **Masquerading:** Using tax violation and penalty lures to create urgency.
* **DLL Sideloading:** Using a malicious DLL (`nvdaHelperRemote.dll`) alongside a legitimate-looking tax utility.
* **UAC Elevation:** Prompting for administrative privileges if not already present.
* **Anti-Analysis/Anti-VM:** Performing environment checks to bypass sandboxes and security research tools.
* **Steganography/Obfuscation:** Using a JPG file (`lllyd.jpg`) as a container for secondary payloads.
* **Persistence:** Registering a Windows service named "MixedSvc" (via an executable named "Mixed Reality.exe") to ensure execution on system boot.
* **Defense Evasion:** Disabling Windows AMSI scanning to prevent script-based detection.
* **Credential/Data Theft:** Capabilities for taking screenshots and systematic data exfiltration.
## Targeting
* **Sectors:** Government (Taxation/Finance), Corporate Finance Teams, and Tax Professionals.
* **Geography:** India.
* **Victims:** Indian taxpayers and professional tax entities; specific references include the Ministry of Finance (MoF) tax infrastructure.
## Tools & Infrastructure
* **Malware families used:**
* **DcRAT (DCRat):** A versatile remote access trojan used for covert access.
* **.NET Malware Loader:** Used for anti-analysis and payload decryption.
* **Custom Exfiltration Tool:** Specifically designed for screenshots and data theft.
* **Infrastructure:**
* **Phishing Landing Page:** govtop[.]one/incometax
* **Payload Delivery Server:** 204.194.48[.]250
* **C2 Server (DcRAT):** 223.26.63[.]40
* **Exfiltration Domain:** kkxqbh[.]top
## Implications
The campaign represents a shift toward highly localized and seasonal cyber espionage/crime targeting critical financial infrastructure. By impersonating government agencies during peak filing periods, the actor increases the likelihood of success. The strategic goal appears to be the collection of sensitive intelligence and financial credentials for either state-aligned intelligence requirements or large-scale financial crime.
## Mitigations
* **Email Security:** Implement advanced phishing filters that scan for links to unauthorized TLDs (like `.one`) and inspect PDF attachments.
* **Endpoint Monitoring:** Monitor for suspicious DLL sideloading activity, specifically files named `nvdaHelperRemote.dll` appearing in unusual directories.
* **UAC Governance:** Train staff to recognize illegitimate User Account Control (UAC) prompts, especially those triggered by unexpected or newly downloaded software.
* **Network Filtering:** Block known malicious IPs and domains listed in the infrastructure section.
* **User Training:** Educate finance teams on the official delivery methods of the Income Tax Department of India, noting that the department does not typically distribute ZIP-compressed offline utilities via links in emails.