Fake Indian ITR Notice Delivers Dual RAT Malware Through Six-Stage Infection Chain


A new malware campaign is using fake Indian income tax notices to push Windows users into installing two remote access trojans through a multi-stage infection chain.

The attack impersonates an Income Tax Department notice and uses official-looking language about tax violations, document submission, and penalties. Victims who follow the prompt are redirected through a fake Microsoft verification page before a malicious ZIP file is downloaded.

According to Cyderes, the campaign ends with two independent remote access trojans running in memory. One is a Gh0st RAT derivative, while the other belongs to the Quasar or AsyncRAT family.

The lure copies Indian tax branding

The campaign starts on fraudulent websites that copy the look of Indian tax pages. Each site uses an “/incometax” path and shows a compliance notice designed to create urgency.

The fake notice claims that the target’s organization violated tax law and must submit documents within 72 hours to avoid penalties. That pressure is meant to push users into clicking the Download Documents button without checking the source.

The official Income Tax Department downloads page lists legitimate return utilities, including a Common Offline Utility for ITR 1, ITR 2, ITR 3, and ITR 4 for Assessment Year 2026-27. The fake archive name appears designed to imitate that real filing workflow.

Campaign elementReported detail
Lure themeIndian income tax compliance notice
Target regionIndia
Fake downloadCommon_Offline_Utility_ITR-1_to_4_AY2026-27.zip
Initial execution methodDLL sideloading
Persistence nameWindows Mixed Reality Service
Final payloadsGh0st RAT derivative and Quasar or AsyncRAT family implant

A fake Microsoft verification page adds trust

After the victim clicks the download button, the attack does not immediately deliver the malware. It first shows a spoofed page branded as “Microsoft Edge Secure Gateway.”

The fake page runs a staged verification flow that appears to check the browser, connection, and security status. Once the fake checks complete, the browser downloads the malicious ZIP archive.

This step helps the attackers make the download look safer. It also gives the victim the impression that a Microsoft-branded security layer approved the file.

  • The victim sees a fake Indian tax notice.
  • The notice warns about penalties and a 72-hour deadline.
  • The Download Documents button redirects to a fake Microsoft verification page.
  • The verification page shows a staged security check.
  • The browser downloads a ZIP archive with a tax-utility-style name.

The ZIP abuses a signed executable and malicious DLL

The archive contains a legitimate signed executable named COU_ITR-1_to_4_AY2026-27.exe and a malicious DLL named nvdaHelperRemote.dll.

When the victim runs the executable, Windows loads the attacker’s DLL from the same folder. Microsoft’s DLL search order documentation explains that, when a full DLL path is not specified, Windows searches several locations, including the folder from which the application loaded.

Attackers abuse this behavior by placing a malicious DLL beside a trusted executable. The signed program starts normally, but the attacker’s code runs through the DLL load path.

DLL sideloading gives the malware a trusted entry point

Cyderes said the first malicious stage uses DLL search-order abuse to start the infection while hiding behind a legitimate binary.

MITRE ATT&CK tracks this under Hijack Execution Flow: DLL, a technique where adversaries abuse the way applications load dynamic-link libraries to run malicious code.

In this campaign, the malicious DLL acts as the first loader. It sets up the next stages, asks for elevated privileges, and helps install persistence under a service name that sounds like a normal Windows component.

StageReported behaviorPurpose
Stage 1Fake tax notice and ZIP downloadGet the victim to run the archive contents
Stage 2Signed executable loads nvdaHelperRemote.dllStart malicious code through DLL sideloading
Stage 3UAC prompt and service creationGain persistence and elevated execution
Stage 4Download background.jpgRetrieve hidden encrypted payloads
Stage 5Reflective loading in memoryAvoid writing final payloads to disk
Stage 6Inject dual RATs into svchost.exeGive attackers remote control through two channels

The malware creates a fake Windows service

After the first sideloading stage, the malware escalates through a UAC prompt and creates a persistence service called MixedSvc, displayed as “Windows Mixed Reality Service.”

The name is meant to look like a legitimate Windows feature. That can reduce suspicion when administrators review services quickly.

MITRE ATT&CK’s Windows Service technique explains that attackers may create or modify services so malicious payloads run repeatedly, often with elevated privileges.

A JPEG file hides the next payloads

The next stage downloads a file named background.jpg from attacker infrastructure. It appears to be an ordinary image, but Cyderes said it contains encrypted payload data appended after the image content.

This kind of polyglot design can help the file pass simple checks that only inspect the file header or extension. A tool may see a normal image, while the loader reads the hidden data from another part of the file.

The tactic also reduces the number of obviously malicious files on disk. Instead of downloading separate executable payloads, the malware retrieves a file that looks like a harmless picture.

Reflective loading keeps later stages in memory

After retrieving the hidden payloads, later stages move away from disk activity. The malware uses reflective loading to unpack and execute code directly in memory.

This makes detection harder because the final payloads do not need to appear as normal executable files. Security tools must rely on memory behavior, process relationships, and suspicious API activity rather than file scanning alone.

The MITRE ATT&CK process injection page describes how attackers may inject code into another process to evade defenses, gain access to another process context, or run malicious code through a legitimate process.

The final payloads run inside svchost.exe

Cyderes said the chain ends by injecting two payloads into svchost.exe processes across active user sessions. That gives the attacker coverage in both service and interactive contexts.

The first implant is a Gh0st RAT derivative with screen capture capabilities that connects to its command server over port 6666.

The second implant is a Quasar or AsyncRAT family .NET payload that connects over port 6351. Running two RATs gives the attacker a backup if one command channel gets blocked or detected.

Final implantReported behaviorCommand channel
Gh0st RAT derivativeRemote control and screen capturekkxqbh[.]top over port 6666
Quasar or AsyncRAT family implant.NET remote access payload with AMSI tamperingouewop[.]com over port 6351

The .NET implant patches AMSI before loading

The second RAT reportedly patches the Antimalware Scan Interface before loading its .NET code. AMSI is a Windows security interface that lets applications and services integrate with installed antimalware products.

Microsoft’s AMSI documentation says the interface supports file, memory, and stream scanning, as well as checks for dynamic code and scripts.

That makes AMSI tampering a major red flag. If a process modifies AMSI-related behavior before starting the Common Language Runtime or loading .NET code, defenders should treat it as suspicious.

Why dual RAT deployment raises the risk

Most phishing campaigns try to establish one reliable remote access channel. This campaign installs two, which makes response harder.

If defenders block the Gh0st RAT derivative, the .NET implant may still keep the attacker connected. If the .NET implant fails, the Gh0st RAT channel can still provide control and surveillance.

Income Tax notice lure (Source – Cyderes)

MITRE tracks legitimate and malicious use of remote control tools under Remote Access Tools. In this case, the payloads are not normal admin tools, but the defensive concern is similar: the attacker gains hands-on access to the endpoint.

Why the fake ITR file name is convincing

The malicious ZIP name closely follows the style of a real tax utility. That makes it more likely to fool users during filing season or compliance-heavy periods.

The official Income Tax Department portal shows that legitimate utilities are distributed for specific assessment years and ITR forms. Attackers copied that naming logic to make the archive feel familiar.

Users should treat tax-related download links in emails, messages, or third-party websites as high risk. They should navigate directly to the official portal rather than trusting a link inside a notice.

Artifacts give defenders a way to hunt

Even though the later stages run in memory, the campaign still leaves useful artifacts. These include the malicious service name, lock files, hidden debug logs, named global events, and suspicious process injection into svchost.exe.

Fake Microsoft verification page (Source – Cyderes)

Security teams should also monitor signed executables loading unsigned DLLs from the same extraction folder. The Microsoft DLL search order guidance explains why applications that do not use full DLL paths can become exposed to this type of abuse.

The MITRE DLL hijacking mapping gives defenders a useful way to classify the first execution stage and connect it with later persistence and injection activity.

  1. Inspect tax-themed ZIP files downloaded from non-government domains.
  2. Alert on signed binaries loading unsigned DLLs from user-controlled directories.
  3. Monitor creation of services named MixedSvc or “Windows Mixed Reality Service” from unexpected paths.
  4. Look for background.jpg downloads from suspicious IP addresses.
  5. Hunt for AMSI tampering before .NET payload loading.
  6. Investigate unexpected process injection into svchost.exe.
  7. Check for C2 connections to ports 6666 and 6351.

Indicators of compromise

Cyderes shared the following indicators for defenders. These should support hunting, but teams should also use behavior-based detection because attackers can change domains, files, and hashes quickly.

TypeIndicatorDescription
File nameCommon_Offline_Utility_ITR-1_to_4_AY2026-27.zipInitial malicious archive delivered through the fake tax portal
File nameCOU_ITR-1_to_4_AY2026-27.exeLegitimate signed binary abused as the sideload launcher
File namenvdaHelperRemote.dllMalicious DLL loaded through DLL search-order abuse
File nameMixed Reality.exeCopied host binary used to sideload the staged DLL
File namebackground.jpgPolyglot payload container hiding encrypted stages
File namec:\debug.txtHidden debug log written by the injector
File namec:\kkooPPPGh0st RAT derivative lock file
File namec:\ouewoAsyncRAT loader lock file
File namec:\kkqqexitKill file used as a shutdown signal
Domainimport[.]momLure hosting domain using the /incometax path
Domaintqkat[.]restLure hosting domain using the /incometax path
Domaingenerate[.]latLure hosting domain using the /incometax path
Domainmeoou[.]restLure hosting domain using the /incometax path
Domainkattp[.]homesLure hosting domain using the /incometax path
IP address118[.]107[.]0[.]197Polyglot payload hosting server
URLhxxp[:]//118[.]107[.]0[.]197/ouewo[.]jpgPolyglot payload download URL
Domainkkxqbh[.]topGh0st RAT derivative C2 on port 6666
Domainouewop[.]comAsyncRAT family C2 on port 6351
Service nameMixedSvc / “Windows Mixed Reality Service”Malicious persistence service
Named eventGlobal\kkctsbnnSingle-instance guard event
Named eventGlobal\ShitSetupOn26126kSetup-phase guard event
Mutex5sGEm6Q4eTNvAsyncRAT mutex

Detection should focus on the full chain

The campaign uses several defensive evasion layers, so a single blocked file may not reveal the full intrusion. Teams should connect the fake notice, signed-binary sideloading, service creation, image-based payload retrieval, AMSI tampering, and svchost.exe injection into one investigation path.

The Microsoft AMSI overview confirms that AMSI helps antimalware products inspect memory and dynamic content. Attempts to disable or patch that inspection before .NET execution deserve immediate attention.

AMSI patching (Source – Cyderes)

Defenders should also map memory-stage behavior to process injection, because the final RATs reportedly run inside svchost.exe rather than as obvious standalone processes.

How organizations can reduce risk

Organizations should warn employees about fake tax notices, especially during filing periods. A notice that asks users to download a ZIP file from an unfamiliar domain should be treated as suspicious.

IT teams should restrict execution from archive extraction folders, monitor new service creation, and require additional review for signed binaries that load unsigned DLLs.

The MITRE Windows Service technique and Remote Access Tools technique both fit this campaign’s later stages and can help detection teams build practical rules around persistence and remote control.

FAQ

What is the fake Indian ITR notice malware campaign?

It is a Windows malware campaign that impersonates an Indian income tax notice and delivers a ZIP archive that starts a six-stage infection chain ending with two remote access trojans.

What file starts the infection chain?

The campaign uses a ZIP archive named Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip. It contains a legitimate signed executable and a malicious DLL named nvdaHelperRemote.dll.

How does the malware abuse DLL sideloading?

The victim runs a signed executable from the archive, and Windows loads the attacker’s malicious DLL from the same folder. This gives the malware a trusted execution path through DLL search-order abuse.

Which RATs are deployed at the end of the attack?

Cyderes reported two final implants: a Gh0st RAT derivative using port 6666 and a Quasar or AsyncRAT family .NET implant using port 6351.

How can organizations detect this campaign?

Organizations should monitor fake tax-themed downloads, signed binaries loading unsigned DLLs, suspicious service creation, background.jpg payload retrieval, AMSI tampering, and process injection into svchost.exe.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages