Indian Income Tax-Themed Phishing Campaign Targets Local Businesses
ID: ed5f61df-41e4-58b0-95da-6c587831810a
STIX ID: report--ed5f61df-41e4-58b0-95da-6c587831810a
Feed Name: Seqrite Blog
This report analyzes a targeted phishing campaign impersonating the Indian Income Tax Department. The campaign uses an image-based email and a malicious PDF that links to a fake compliance portal, which forces the download of an NSIS-packed installer. The multi-stage payload chain unpacks signed installers, installs monitoring/control binaries (including kernel drivers and Outlook add-ins), registers NSecRTS.exe as a persistent Windows service, harvests system data, and communicates with multiple C2 servers (listed IPs and domain). The report provides IOCs (file hashes, domain, IPs), MITRE ATT&CK mappings, and indicators of a China-linked build environment.
