Fake Indian ITR Notice Delivers Dual RAT Malware Through Six-Stage Infection Chain

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A new malware campaign is using fake Indian tax notices to trick users into installing not one, but two separate remote access trojans on their computers.

The attack disguises itself as an official Income Tax Department communication, playing on the fear of penalties to push victims toward a malicious download.

Once triggered, the infection unfolds across six carefully engineered stages that end with two independent RATs running quietly in memory.

Each implant connects to its own command server, giving the attacker a built-in backup if one connection gets blocked or detected. The design shows a level of planning that goes well beyond a typical phishing scam.

Security researchers first flagged the operation as it targeted users across India with government-themed lures.

Analysts from Cyderes said in a report shared with Cyber Security News (CSN) that they identified the campaign and traced its full technical chain, from the initial fake notice down to the final payloads running inside legitimate system processes.

The attackers built their lure using authentic looking government branding, including references to the Ministry of Finance and the Enforcement Division, to make the fake notice feel credible.

Victims who click through are pushed toward a spoofed Microsoft verification page before the actual malware ever appears. That extra layer of trust building is part of what makes the campaign effective against everyday users.

Fake Indian ITR Notice Delivers Dual RAT Malware

The infection begins on fraudulent websites that copy the look of the Indian Income Tax Department, each using an “/incometax” path and a fabricated compliance notice.

Income Tax notice lure (Source – Cyderes)

The message claims the recipient’s organization has violated tax law and must submit documents within 72 hours to avoid penalties. Clicking “Download Documents” redirects victims to a page branded as “Microsoft Edge Secure Gateway” that runs a fake series of security checks.

Fake Microsoft verification page (Source – Cyderes)

Once every check appears to pass, the browser downloads a ZIP archive named Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip.

Inside are a legitimate signed executable and a malicious DLL named nvdaHelperRemote.dll, packaged together to exploit Windows DLL search order abuse.

When the executable runs, it unknowingly loads the attacker’s DLL instead of a genuine one, giving the malware a trusted entry point onto the system.

Six Stages to Dual aRAT Deployment

From that first sideload, the chain moves through privilege escalation using a UAC prompt, then installs a persistence service disguised as “Windows Mixed Reality Service”.

The malware then fetches a file from its infrastructure that looks like an ordinary JPEG image but actually hides multiple encrypted payloads appended after the picture data.

This polyglot trick lets the file pass casual inspection and basic content filters that only check the header.

Later stages abandon disk activity almost entirely, using reflective loading to unpack code directly in memory.

The chain finishes by injecting two payloads into svchost.exe processes across every active user session, so the malware survives user switches and keeps a foothold in both service and interactive contexts.

The two final implants are a Gh0st RAT derivative with screen capture abilities connecting over port 6666, and a Quasar or AsyncRAT family .NET implant that patches the Antimalware Scan Interface before loading, connecting over port 6351.

AMSI patching (Source – Cyderes)

Running both over separate command channels means blocking one does not end the intrusion.

The same host artifacts used for detection, including the staged service, hidden lock files, and named global events, also give response teams a fast path to scope and contain a confirmed compromise.

The recommended detection approach includes watching for signed binaries loading unsigned DLLs, unusual service creation pointing to unexpected paths, AMSI tampering ahead of CLR initialization, and process injection targeting svchost.exe from unexpected sources.

Since in-memory execution and signed binary abuse let an infected endpoint stay quiet while an operator retains full control, layered defenses and proactive hunting for these specific artifacts matter more than relying on a single detection to catch the activity before it escalates.

Indicators of Compromise (IoCs):-

Type Indicator Description
File Name Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip Initial malicious archive delivered via fake tax portal
File Name COU_ITR-1_to_4_AY2026-27.exe Legitimate signed binary abused as sideload launcher
File Name nvdaHelperRemote.dll Malicious DLL sideloaded via DLL search-order hijack
File Name Mixed Reality.exe Copied host binary used to sideload staged DLL
File Name background.jpg Polyglot payload container hiding encrypted stages
File Name c:debug.txt Hidden debug log written by injector
File Name c:kkooPPP Lock file, Gh0st RAT derivative single-instance guard
File Name c:ouewo Lock file, AsyncRAT loader single-instance guard
File Name c:kkqqexit Kill file used as shutdown signal
Domain import[.]mom Lure hosting domain (path /incometax)
Domain tqkat[.]rest Lure hosting domain (path /incometax)
Domain generate[.]lat Lure hosting domain (path /incometax)
Domain meoou[.]rest Lure hosting domain (path /incometax)
Domain kattp[.]homes Lure hosting domain (path /incometax)
IP Address 118[.]107[.]0[.]197 Polyglot payload hosting server
URL hxxp[:]//118[.]107[.]0[.]197/ouewo[.]jpg Polyglot payload download URL
Domain kkxqbh[.]top Gh0st RAT derivative C2 (port 6666)
Domain ouewop[.]com AsyncRAT family C2 (port 6351)
Service Name MixedSvc / “Windows Mixed Reality Service” Malicious persistence service
Named Event Globalkkctsbnn Single-instance guard event
Named Event GlobalShitSetupOn26126k Setup-phase guard event
Mutex 5sGEm6Q4eTNv AsyncRAT mutex

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.