Suspected Chinese-linked threat actors are targeting Indian taxpayers and financial professionals using fraudulent tax filing software to deliver DcRAT, a remote access trojan capable of stealing sensitive data from infected systems.
Security researchers at Seqrite Labs named the campaign Operation DragonReturn. The attack chain begins with spear-phishing emails impersonating India's Income Tax Department, a trusted government entity. Recipients receive a fake tax filing utility disguised as legitimate government software. Installation of this malware delivers DcRAT, which grants attackers remote access to victim machines and enables data exfiltration of financial records, credentials, and other sensitive information.
The targeting scope is narrow but high-value. The threat actors focus specifically on Indian taxpayers, tax professionals, and corporate finance teams. These groups handle confidential financial documents, tax returns, banking details, and corporate accounting data, making them attractive targets for espionage and fraud operations.
DcRAT functions as a sophisticated remote access trojan with capabilities including keystroke logging, screen capture, file theft, and system reconnaissance. Once deployed, attackers can monitor victim activity in real time, harvest credentials, and establish persistence on compromised networks.
The campaign's use of government impersonation combined with industry-specific targeting demonstrates operational sophistication. Threat actors leveraged domain expertise about Indian tax filing processes to craft convincing phishing messages and functional decoy applications. This approach generates higher click-through rates and installation success compared to mass-market phishing campaigns.
Organizations and individuals should treat unsolicited emails requesting software installation or claiming urgent tax-related action with skepticism. Legitimate government agencies do not distribute software via email attachments or external links. Verify communication directly through official government websites and phone numbers. Endpoint detection and response solutions should flag DcRAT signatures and command-and-control communications. System administrators should maintain updated patch levels and enforce application wh
