China-Linked Hackers Use Fake Indian Tax Tool to Deploy DcRAT
Cybersecurity researchers have uncovered a suspected China-linked phishing campaign targeting Indian taxpayers, tax professionals, and finance teams with DcRAT malware. Timed with India's tax filing season, attackers are sending fake Income Tax Department emails that direct victims to a fraudulent website offering a malicious version of the tax filing utility.


After the fake software is installed, the malware uses DLL sideloading and multiple anti-analysis techniques to evade detection. It gains persistence, disables security protections, and deploys DcRAT to steal credentials, capture screenshots, and exfiltrate sensitive data from infected systems.
Researchers believe the campaign shares infrastructure and tactics with known China-based threat groups, indicating a coordinated cyber espionage effort. Organizations and individuals are advised to download tax software only from official government sources and remain cautious of tax-related phishing emails during the filing season.
NPAV Endpoint Security, help detect fileless malware, block malicious scripts, and protect users from credential-stealing attacks delivered through fake software downloads.