Blackmoon Malware Deployed in Indian Tax Phishing Campaign
Summary
A sophisticated cyber espionage campaign is targeting Indian users with phishing emails impersonating the Income Tax Department. The campaign deploys Blackmoon malware and repurposes a legitimate enterprise tool, SyncFuture TSM, to gain persistent access to victims' machines. The attackers use multiple techniques to evade detection, including DLL sideloading, UAC bypass, and antivirus evasion. The campaign has not been attributed to any known threat actor.
Timeline
- 26.01.2026 19:01 (1 article): Blackmoon Malware Deployed in Indian Tax Phishing Campaign
- Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware — thehackernews.com — 26.01.2026 19:01
Information Snippets
- The campaign uses phishing emails impersonating the Income Tax Department of India to deliver a malicious archive.
  First reported: 26.01.2026 19:01 (1 source, 1 article)
  - Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware — thehackernews.com — 26.01.2026 19:01
- The malicious archive contains a DLL that implements checks to detect debuggers and contacts an external server for the next-stage payload.
  First reported: 26.01.2026 19:01 (1 source, 1 article)
  - Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware — thehackernews.com — 26.01.2026 19:01
- The shellcode uses a COM-based technique to bypass UAC and masquerades as 'explorer.exe' to avoid detection.
  First reported: 26.01.2026 19:01 (1 source, 1 article)
  - Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware — thehackernews.com — 26.01.2026 19:01
- The malware detects Avast Free Antivirus and uses automated mouse simulation to add its malicious files to the antivirus exclusion list.
  First reported: 26.01.2026 19:01 (1 source, 1 article)
  - Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware — thehackernews.com — 26.01.2026 19:01
- The campaign deploys SyncFuture TSM, a legitimate enterprise tool, to remotely control infected endpoints and exfiltrate data.
  First reported: 26.01.2026 19:01 (1 source, 1 article)
  - Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware — thehackernews.com — 26.01.2026 19:01
- The attackers use batch scripts to create custom directories, modify ACLs, and perform cleanup operations.
  First reported: 26.01.2026 19:01 (1 source, 1 article)
  - Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware — thehackernews.com — 26.01.2026 19:01
- The campaign has not been attributed to any known threat actor or group.
  First reported: 26.01.2026 19:01 (1 source, 1 article)
  - Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware — thehackernews.com — 26.01.2026 19:01