Operation DragonReturn tax-phishing campaign targeting Indian taxpayers
Campaign
Summary
Hide ▲
Show ▼
The Operation DragonReturn campaign is using spear-phishing and fake tax-filing lures to push remote access trojans into Indian taxpayer and finance environments, creating a direct path to credential theft and covert access. The operation is timed to the 2026 income tax filing season and uses impersonation of the Income Tax Department of India to pressure recipients into opening malicious content. The multi-stage delivery chain increases the chance that a single phishing click can lead to persistent access and data exfiltration.
Timeline
-
08.07.2026 03:00 1 articles · 1d ago
Cyderes details fake Income Tax sites and dual RAT delivery in Operation DragonReturn
Technical Analysis UpdateUpdated reporting on July 8, 2026 added Cyderes findings that Operation DragonReturn also uses fake websites impersonating the Indian Income Tax Department to deliver ZIP archives disguised as the common offline utility. The same chain deploys two implants, including a Gh0st RAT derivative that connects to kkxqbh[.]top on port 6666 and an AsyncRAT-family RAT that connects to ouewop[.]com on port 6351, while separate C2 channels, session-wide injection, and multiple initial access vectors improve persistence and resilience.
Show sources
- Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT — thehackernews.com — 06.07.2026 13:58
-
06.07.2026 13:58 1 articles · 3d ago
Operation DragonReturn first targets Indian taxpayers with tax-filing spear-phishing
Exploitation ObservedSeqrite Labs first observed Operation DragonReturn on May 18, 2026 as a spear-phishing campaign impersonating the Income Tax Department of India to target Indian taxpayers, tax professionals, and corporate finance teams. The lure emails use tax-violation and penalty pressure to push victims toward a malicious link at govtop[.]one/incometax and a staged ZIP-based delivery chain that sideloads nvdaHelperRemote.dll, drops Mixed Reality.exe, and establishes the MixedSvc Windows service for persistence.
Show sources
- Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT — thehackernews.com — 06.07.2026 13:58