Mixed Reality.exe loader deploys DCRat with persistence and AMSI evasion
Malware Activity
Summary
Hide ▲
Show ▼
The Mixed Reality.exe stage is deploying DCRat on infected Windows hosts, giving operators durable remote access and data-theft capability. The loader adds persistence, performs anti-analysis checks, and disables Windows AMSI scanning before unpacking the RAT. That combination increases the chance the implant survives detection and remains available for follow-on abuse.
Timeline
-
06.07.2026 13:58 1 articles · 3d ago
Mixed Reality.exe loader deploys DCRat with persistence and AMSI evasion
Technical Analysis UpdateSeqrite Labs describes Operation DragonReturn as a spear-phishing campaign impersonating the Income Tax Department of India and targeting Indian taxpayers, tax professionals, and corporate finance teams. The loader chain extracts `nvdaHelperRemote.dll`, copies itself as `Mixed Reality.exe`, creates the `MixedSvc` Windows service, disables Windows AMSI scanning, and loads DCRat onto Windows hosts.
Show sources
- Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT — thehackernews.com — 06.07.2026 13:58