- A suspected China-nexus cyber campaign named Operation DragonReturn is targeting Indian taxpayers and financial professionals with sophisticated phishing emails.
- The attack uses fake tax department documents to deploy a multi-stage malware, including the DCRat remote access trojan, designed for data theft and long-term system access.
- Infrastructure analysis and tactical overlaps link the campaign to ChinaNet and the known Chinese cybercrime group Silver Fox.
- Separately, two other campaigns are distributing the ValleyRAT malware via fake software installers and phishing emails targeting Chinese- and Japanese-speaking users.
A suspected China-aligned cyber espionage campaign, first observed on May 18, 2026, is precisely targeting Indian taxpayers and corporate finance teams during the tax filing season. Dubbed Operation DragonReturn by Seqrite Labs, the operation uses spear-phishing emails impersonating India’s Income Tax Department to deliver a remote access trojan.
The sophisticated attack begins with a malicious link embedded in a PDF, leading to a bogus tax department landing page. Consequently, users are tricked into downloading a malicious ZIP archive that sideloads a payload, establishing persistence as a Windows service named MixedSvc. Researchers noted the campaign is “not opportunistic – the precision of the lure document, the use of real legal citations, bilingual content, and active payload rotation indicate a deliberate, resourced, and sustained threat operation focused exclusively on the Indian taxpayer ecosystem,” as detailed in their report.
The final payload includes a .NET loader that disables security scans and deploys DCRat, while a second module exfiltrates data to a remote server. However, the campaign’s infrastructure, including IPs from ChinaNet and a Chinese-language server panel, strongly suggests a China-nexus threat actor. Meanwhile, security firm LevelBlue said it detected separate campaigns spreading ValleyRAT using fake installers and phishing emails.
These parallel attacks employ techniques like PoolParty Variant 7 for injection, which has been previously linked to the SADBRIDGE loader described by Elastic Security Labs. Furthermore, Cybereason researcher Hajime Takai noted the commonalities suggest these campaigns may originate from the same threat actor group.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
