logo

Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT

ID: 9f475873-4ff3-5283-a3d6-9be59732350e

STIX ID: report--9f475873-4ff3-5283-a3d6-9be59732350e

Feed Name: The Hacker News

Threat Score
75/100

Date Published: 2026-07-06

Date Updated: 2026-07-06

Author: [email protected] (The Hacker News)

...
...

Seqrite Labs observed 'Operation DragonReturn', a suspected China-linked, tax-themed spear-phishing campaign targeting Indian taxpayers, tax professionals, and corporate finance teams during filing season to deploy remote access trojans. The chain uses PDF lures linking to a fake landing page, ZIP archives, DLL sideloading (nvdaHelperRemote.dll), image-based payload concealment (lllyd.jpg → background.jpg), UAC elevation prompts, AMSI disabling, and persistence via a Windows service (MixedSvc). Payloads include a .NET loader that decrypts and loads DCRat and a secondary component that screenshots and exfiltrates data; infrastructure and tactics overlap with known groups (Silver Fox, ValleyRAT activity) and C2 hosts tied to ChinaNet IPs.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.