← Back to news

Cybercriminals exploit India’s tax filing season with a dual-malware campaign

CSO Online08/07/2026, 11:53
Read full article →

Summary

AI-Generated

Key Points:

  • Cybercriminals are executing a dual-malware campaign exploiting India's tax filing season, utilizing phishing emails that masquerade as communications from the Indian Tax Department to deliver two remote access trojans (RATs).
  • The attack impacts users who download malicious files disguised as legitimate tax utilities, leading to persistent access via Gh0st RAT and a .NET-based implant from the QuasarRAT/AsyncRAT family.
  • Recommended actions include implementing behavioral detection mechanisms, monitoring for DLL sideloading, unexpected service creation, and in-memory execution activities, rather than relying solely on traditional EDR signatures.

Technical Details: The malware campaign employs techniques such as DLL side-loading and process injection to evade detection while leveraging legitimate Windows binaries. The use of two distinct RAT families enhances operational resilience against detection efforts.

MITRE ATT&CK Techniques:

  • T1566 - Phishing (Initial Access)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1203 - User Execution (Execution)
  • T1055.001 - Process Injection: Dynamic-link Library Injection (Execution)
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys (Persistence)

IOCs Mentioned:

  • Malicious file names, C2 infrastructure domains, file hashes associated with both RAT families were disclosed in the report. Specific IOCs were not detailed in the summary provided.

Join the discussion — sign up to comment, upvote, and save articles.

Discussion

or to comment
Loading...

Loading comments...

Join 5,000+ security professionals

Get access to curated threat intel, upvote articles, join discussions, and build your karma in the SOC community.