Cybercriminals are exploiting India’s tax filing season with a new malware campaign that refuses to put all its eggs in one basket.
Researchers at Cyderes have uncovered a sophisticated phishing operation that poses as the Indian Tax Department to deliver two remote access trojans (RATs) through a multi-stage infection chain, giving attackers persistent access to compromised systems.
Indians receive fake tax assessment emails that pressure them into downloading what appears to be an official ITR utility. But the convincing government branding hides a carefully engineered infection sequence that abuses legitimate Windows binaries, DLL side-loading, in-memory execution, and process injection to gain persistent access.
According to Cyderes, the operation deploys a Gh0st RAT derivative and a .NET-based implant related to the QuasarRAT/AsyncRAT family, each communicating with separate command-and-control (C2) servers.
“The dual-implant design gives the attacker redundant access even if one channel is blocked or detected,” Cyderes researchers said in a blog post.
A stealthy, multi-stage infection chain
To avoid detection, the campaign layers its execution chain, rather than dropping malware immediately after initial access.
Once the victims are lured into downloading and opening the archives posing as legitimate Income Tax Department utilities, trusted Windows executables are abused to load malicious DLLs. This allows the malware to borrow the legitimacy of signed binaries while sidestepping security controls.
“The infection begins with ‘COU_ITR-1_to_4_AY2026-27.exe’, a legitimate and digitally signed binary that the attacker repurposes as a launcher,” the researchers said, adding that it is a known technique where an attacker “places a malicious library in a path the trusted binary will check first, giving the malware a clean entry point.”
The campaign then runs its subsequent infection stages, which employ multiple defense-evasion techniques, including anti-analysis checks, AMSI patching, encrypted in-memory execution of .NET assemblies, and session-aware process injection into svchost.exe.
The multiple attack stages include DLL sideloading, privilege checking to ensure the attack process is running with admin rights, and session-aware payload injection.
Dual implants for operational resilience
The campaign was particularly flagged for its deliberate use of two distinct RAT families rather than relying on a single backdoor.
While one implant is based on the long-running Gh0st RAT lineage, the second belongs to the QuasarRAT/AsyncRAT ecosystem. Both provide remote administration capabilities, allowing attackers to execute commands, collect data, deploy additional payloads, and maintain long-term access to infected endpoints.
Each of these RATs communicates with a dedicated command-and-control (c2) infrastructure, likely to survive detection and blocking of either during incident response.
Cyderes recommended focusing on behavioral detections rather than relying solely on EDR signatures, as the campaign abuses trusted Windows components and in-memory execution. Key indicators include DLL sideloading, unexpected service creation, AMSI tampering, native processes hosting the .NET runtime, and process injection into svchost.exe.
The disclosure also provided a detailed set of IOCs, including file hashes, malicious domains, C2 infrastructure, and host artifacts associated with both RAT families.
No Responses