Operation Dragonreturn China Nexus Cyber Espionage Campaign Targeting Indian Tax Infrastructure
Operation Dragonreturn: China Nexus Cyber Espionage Campaign
As part of our latest investigation, we uncovered a campaign that demonstrates operational and technical similarities to a China-nexus threat cluster. Further analysis revealed overlapping TTPs with a prominent and highly active threat actor known for conducting cyber-espionage operations against Asian countries through the deployment of RAT-based malware. The geographic focus of this campaign is India, targeting a Pan-India taxpayer base, including Corporate Companies & Businesses, Individual Taxpayers, Tax Professionals & CAs, Government Contractors, Tax Consultants & Filing Agents, and Corporate Finance & Accounts Teams. 🚀
A sophisticated and actively maintained phishing campaign has been identified targeting Indian taxpayers, tax professionals, and corporate finance teams by impersonating the Income Tax Department of the Ministry of Finance, Government of India. The campaign was first observed on May 18, 2026, and remains active as of June 17, 2026, with the latest payload variant achieving a 0/66 detection rate on VirusTotal, indicating the threat actor is actively maintaining and rotating malicious payloads to evade detection. The campaign exploits the AY2026-27 ITR filing season by cloning a legitimate government utility filename, making it exceptionally difficult for even security-aware users to distinguish the malicious file from the genuine one.
The initial email contained an attachment with an embedded URL, govtop[.]one/incometax. When a user clicks on the link, they are redirected to a webpage designed to appear legitimate and generate trust. This lure page impersonates an official Office Memorandum bearing the Government of India emblem, bilingual Hindi-English formatting, and cites real and legally significant sections of the Income Tax Act, lending significant credibility to the document. This campaign is classified as a Spear Phishing to Malware Delivery operation with APT-style characteristics, indicating a deliberate, resourced, and sustained threat operation focused exclusively on the Indian taxpayer ecosystem. The primary objective is assessed to be malware deployment for financial gain or sensitive data theft, with a threat level rated as Critical. ⚠️
Upon downloading the ZIP file, we observed that it was named Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip, which closely matches the naming convention of the legitimate offline utility provided by the Income Tax Department of India. Upon execution, the malicious executable spawns multiple cmd.exe processes that leverage the Windows Service Control (sc.exe) utility to create a service named MixedSvc. The service is configured to execute C:\Program Files\Windows Media Player\Mixed Reality.exe and is set to start automatically at system boot. To evade suspicion, the threat actor assigns the service the display name Windows Mixed Reality Service and a legitimate-looking description, providing both execution and persistence for the malware payload.
The executable COU_ITR-1_to_4_AY2026-27.exe appears to be a lightweight launcher that imports and invokes functions from the accompanying DLL nvdaHelperRemote.dll, which then injects another payload into memory.
The injected payload serves as an anti-analysis and environment validation routine, performing multiple timing checks using GetTickCount64() to detect sandbox acceleration or debugger interference. The malware then downloads a file named lllyd.jpg from a hardcoded IP address and stores it as C:\Windows\background.jpg. Analysis shows that this image file is used as a container for a secondary payload, from which a 504 KB DLL is extracted and written to C:\Program Files\Windows Media Player\nvdaHelperRemote.dll. After extracting, the malware copies itself as Mixed Reality.exe and establishes persistence by creating the Windows service named MixedSvc, configured to start automatically on system boot. This confirms the sample functions as a downloader and installer, using image-based payload concealment and Windows service persistence to maintain long-term access to the infected system.
For more detailed information, please visit the full article: Read full article