A suspected China-nexus threat activity cluster has been observed targeting Indian taxpayers, tax professionals, and corporate finance teams to deliver a remote access trojan designed to steal sensitive data from compromised hosts.
The multi-stage campaign, codenamed Operation DragonReturn by Seqrite Labs, involves sending spear-phishing emails impersonating the Income Tax Department of India. It was first observed on May 18, 2026. The activity, per the cybersecurity company, coincides with the annual income tax filing season in the country.
"It is not opportunistic – the precision of the lure document, the use of real legal citations, bilingual content, and active payload rotation indicate a deliberate, resourced, and sustained threat operation focused exclusively on the Indian taxpayer ecosystem," security researchers Dixit Panchal and Soumen Burma said.
The end goal of the campaign is assessed to be the deployment of malware for financial gain or sensitive data theft.
The attack chains begin with phishing messages masquerading as India's income tax department, using tax violations and penalty lures to induce a false sense of urgency and trick users into clicking on a malicious link ("govtop[.]one/incometax") embedded within PDF attachments.
The bogus landing page, for its part, instructs users to download a ZIP archive containing what appears to be a common offline utility provided by the department to file tax returns, but, in reality, is engineered to sideload a malicious DLL ("nvdaHelperRemote.dll"), which, in turn, injects another payload into memory.
This payload ensures it's running with administrative privileges, and if not, triggers a User Account Control (UAC) prompt to get the user to run it with elevated permissions. Once launched, it performs checks to avoid executing within analysis and sandboxed environments, and then retrieves a JPG image ("lllyd.jpg") from a hard-coded server ("204.194.48[.]250") and stores it as "C:\Windows\background.jpg."
"This image file is used as a container for a secondary payload, from which a 504 KB DLL is extracted and written to 'C:\Program Files\Windows Media Player\nvdaHelperRemote.dll,'" Seqrite Labs explained. "After extracting the payload, the malware copies itself as 'Mixed Reality.exe' and establishes persistence by creating a Windows service named MixedSvc, configured to start automatically on system boot."
"This behaviour confirms that the sample functions as a downloader and installer, using image-based payload concealment and Windows service persistence to maintain long-term access to the infected system."
The "Mixed Reality.exe" binary is responsible for deploying two different payloads, one of which is a .NET malware loader that carries out anti-analysis checks, establishes persistence, disables Windows AMSI scanning, and decrypts and loads DCRat on the infected machine. The second payload features capabilities to take screenshots and exfiltrate data to a remote server ("kkxqbh[.]top").
Exactly who is behind the activity is unclear, but infrastructure analysis indicates the use of IP addresses belonging to ChinaNet, as well as a Chinese-language web management panel exposed by the DCRat command-and-control (C2) server ("223.26.63[.]40"). In addition, Seqrite said it identified infrastructure and tactical overlaps with Silver Fox, a Chinese cybercrime group previously attributed to tax-themed phishing campaigns that deliver ValleyRAT.
Based on these similarities, it's suspected that the campaign is the work of a China-aligned threat actor conducted with an aim to establish covert access for intelligence collection, credential theft, and systematic data exfiltration, Seqrite concluded.
The disclosure comes as LevelBlue said it detected two distinct campaigns that employ fake installers for LINE and phishing emails with salary adjustment lures to distribute ValleyRAT targeting Chinese- and Japanese-speaking users.
The email-driven campaign begins with a malicious email containing a URL link that, when accessed by the recipient, triggers the download of a ZIP archive. The archive acts as a foundation for a DLL side-loading chain, with the DLL ultimately downloading and executing ValleyRAT, a remote access trojan that allows operators to seize control of an infected system.
The fake installer attack chain, in contrast, employs bogus installers for popular software to deliver the malware using techniques like PoolParty Variant 7, while simultaneously focusing on anti-analysis and detection evasion, per Cybereason.
Interestingly, the use of PoolParty Variant 7 to inject shellcode into "explorer.exe" has been previously observed in connection with a custom malware loader dubbed SADBRIDGE, which is designed to deploy a Golang-based reimplementation of Quasar RAT known as GOSAR. The intrusion set, which targeted Chinese-speaking regions with malicious installers for Telegram and Opera, was attributed by Elastic Security Labs to REF3864.
"While we don't have conclusive proof, these commonalities suggest they may have been created by the same threat actor," Cybereason researcher Hajime Takai noted back in February 2026.
Fake Indian Income Tax Sites Lead to RAT Malware
In a follow-up analysis published on July 7, 2026, Cyderes detailed an identical attack chain targeting Indian users that uses fake websites impersonating the Indian Income Tax Department to download a ZIP archive disguised as the common offline utility, which is then used to launch a DLL side-loading chain responsible for the deployment of two payloads -
- A Gh0st RAT derivative connecting to kkxqbh[.]top on port 6666
- A RAT belonging to the AsyncRAT malware family connecting to ouewop[.]com on port 6351
It's worth noting that DCRat is one of the several variants that originated from AsyncRAT, which, in itself, came from Quasar RAT, an open-source remote access trojan. Furthermore, the fact that one of the payloads is Gh0st RAT lends credence to the campaign's possible links to Silver Fox for two reasons: (1) early campaigns attributed to the threat actor deployed Gh0st RAT as the final payload, and (2) ValleyRAT is derived from Gh0st RAT.
"Running both implants over separate C2 channels gives the attacker redundant access with different detection profiles," Cyderes researchers Reegun Jayapaul, Baskar M, and Rahul Ramesh said. "If one implant is identified and blocked, the other remains active. Injecting across all user sessions means the malware survives user switches and reaches both the service context and interactive sessions at once."
The findings are also significant as they show that the threat actors behind the campaign are leveraging multiple initial access vectors – phishing emails and fraudulent income tax sites – to distribute malware.
"This campaign demonstrates a well-structured, multi-stage infection chain that combines social engineering, signed-binary abuse, and layered in-memory execution to deliver two independent remote access implants onto victim systems," Cyderes Howler Cell said.
"The use of a polyglot image as a shared payload container across multiple stages, session-aware injection to cover all logged-in users, and a dual-implant strategy with separated C2 channels reflect a level of operational maturity designed to maximize persistence and survivability."
(The story was updated after publication on July 8, 2026, to include additional insights from Cyderes.)







