Find notable cyber news and cases, enriched with sources, timelines, and signals.

Operation DragonReturn tax-phishing campaign targeting Indian taxpayers

Campaign
First reported
Last updated
Happening score
H score 31
1 unique sources, 1 articles

Summary

Hide ▲

The Operation DragonReturn campaign is using spear-phishing and fake tax-filing lures to push remote access trojans into Indian taxpayer and finance environments, creating a direct path to credential theft and covert access. The operation is timed to the 2026 income tax filing season and uses impersonation of the Income Tax Department of India to pressure recipients into opening malicious content. The multi-stage delivery chain increases the chance that a single phishing click can lead to persistent access and data exfiltration.

Timeline

  1. 08.07.2026 03:00 1 articles · 1d ago

    Cyderes details fake Income Tax sites and dual RAT delivery in Operation DragonReturn

    Technical Analysis Update

    Updated reporting on July 8, 2026 added Cyderes findings that Operation DragonReturn also uses fake websites impersonating the Indian Income Tax Department to deliver ZIP archives disguised as the common offline utility. The same chain deploys two implants, including a Gh0st RAT derivative that connects to kkxqbh[.]top on port 6666 and an AsyncRAT-family RAT that connects to ouewop[.]com on port 6351, while separate C2 channels, session-wide injection, and multiple initial access vectors improve persistence and resilience.

    Show sources
  2. 06.07.2026 13:58 1 articles · 3d ago

    Operation DragonReturn first targets Indian taxpayers with tax-filing spear-phishing

    Exploitation Observed

    Seqrite Labs first observed Operation DragonReturn on May 18, 2026 as a spear-phishing campaign impersonating the Income Tax Department of India to target Indian taxpayers, tax professionals, and corporate finance teams. The lure emails use tax-violation and penalty pressure to push victims toward a malicious link at govtop[.]one/incometax and a staged ZIP-based delivery chain that sideloads nvdaHelperRemote.dll, drops Mixed Reality.exe, and establishes the MixedSvc Windows service for persistence.

    Show sources