Indian Tax Phishing Campaign Delivers Persistent RAT Malware | eSecurity Planet

Indian Tax Phishing Campaign Delivers Persistent RAT Malware

A tax-themed phishing campaign is impersonating India’s Income Tax Department to deliver persistent RAT malware to businesses.

Written by Ken Underhill, Dec 23, 2025

A sophisticated phishing campaign impersonating the Indian Income Tax Department is targeting local businesses with malware capable of long-term surveillance and remote control. 

By exploiting the urgency and familiarity of tax compliance notices, attackers are luring victims into triggering a multi-stage infection chain that ends with the deployment of a persistent remote access trojan (RAT).

The email “… contains no text at all. Instead, it features a single embedded image crafted to resemble an authentic ITD notice. This tactic helps bypass text-based spam filters and keyword detection in the email body,” said Seqrite researchers.

Inside the Tax-Themed Malware Infection Chain

The attack begins with a spear-phishing email spoofed to appear as an official ITD communication. 

The message includes a PDF attachment labeled Review Annexure.pdf, which reinforces the narrative that the recipient has failed to comply with a prior tax notice.

The PDF directs victims to a fraudulent ITD Compliance Portal hosted on an attacker-controlled domain. Visiting the site immediately triggers a forced download of a ZIP archive containing a large, digitally signed executable. 

The site further instructs users to disable antivirus software due to alleged compatibility issues — an instruction commonly associated with malware delivery attempts.

Once executed, the malware deploys a two-stage NSIS-based installer. 

The first stage acts as a loader, silently unpacking and launching a second-stage installer before cleaning up its own artifacts. 

The second stage installs a large collection of binaries, drivers, and tools into a hidden system directory, establishing persistence through a Windows service masquerading as a legitimate security component.

The implant then harvests system information, tracks user activity, and communicates with multiple command-and-control (C2) servers over non-standard ports using encrypted channels. 

The overall behavior closely resembles a full-featured RAT rather than a simple infostealer, enabling attackers to maintain long-term control over infected systems.

Reducing Risk From Multi-Stage Phishing Campaigns

Modern phishing campaigns increasingly combine social engineering with multi-stage malware delivery, making traditional defenses insufficient on their own. 

Reducing risk requires layered controls that address email security, endpoint execution, identity protection, and network visibility. 

  • Strengthen email security by blocking known malicious domains, scanning image-only emails and PDFs, and sandboxing attachments and URLs before delivery.
  • Restrict execution of untrusted installers by disabling executable launches from user-writable directories and enforcing application allowlisting.
  • Enforce phishing-resistant MFA, remove unnecessary local administrator rights, and apply least-privilege access controls across endpoints and applications.
  • Monitor endpoints and networks for suspicious installer execution, new or masquerading Windows services, and outbound connections over unusual ports.
  • Implement network segmentation and egress filtering to limit command-and-control communications and reduce lateral movement opportunities.
  • Improve human and incident readiness through targeted security awareness training, phishing simulations, credential rotation after exposure, and rapid response playbooks.

Implementing these measures can help organizations limit attacker movement and improve response readiness. 


Modern Phishing Poses Greater Risk

This campaign demonstrates how threat actors increasingly align social engineering tactics with real-world events and regulatory processes to increase credibility and success rates. 

As malware delivery chains grow more complex and discreet, phishing emails are evolving from simple credential-harvesting attempts into reliable entry points for broader system compromise, requiring closer scrutiny from security teams.

Phishing-driven compromise is prompting organizations to reevaluate implicit trust models and adopt zero-trust approaches that verify access at every stage.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
