Fake Indian ITR Notice Delivers Dual RAT Malware Through Six-Stage Infection Chain
A new malware campaign is using fake Indian income tax notices to push Windows users into installing two remote access trojans through a multi-stage infection chain.
The attack impersonates an Income Tax Department notice and uses official-looking language about tax violations, document submission, and penalties. Victims who follow the prompt are redirected through a fake Microsoft verification page before a malicious ZIP file is downloaded.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
According to Cyderes, the campaign ends with two independent remote access trojans running in memory. One is a Gh0st RAT derivative, while the other belongs to the Quasar or AsyncRAT family.
The lure copies Indian tax branding
The campaign starts on fraudulent websites that copy the look of Indian tax pages. Each site uses an “/incometax” path and shows a compliance notice designed to create urgency.
The fake notice claims that the target’s organization violated tax law and must submit documents within 72 hours to avoid penalties. That pressure is meant to push users into clicking the Download Documents button without checking the source.
The official Income Tax Department downloads page lists legitimate return utilities, including a Common Offline Utility for ITR 1, ITR 2, ITR 3, and ITR 4 for Assessment Year 2026-27. The fake archive name appears designed to imitate that real filing workflow.
| Campaign element | Reported detail |
|---|---|
| Lure theme | Indian income tax compliance notice |
| Target region | India |
| Fake download | Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip |
| Initial execution method | DLL sideloading |
| Persistence name | Windows Mixed Reality Service |
| Final payloads | Gh0st RAT derivative and Quasar or AsyncRAT family implant |
A fake Microsoft verification page adds trust
After the victim clicks the download button, the attack does not immediately deliver the malware. It first shows a spoofed page branded as “Microsoft Edge Secure Gateway.”
The fake page runs a staged verification flow that appears to check the browser, connection, and security status. Once the fake checks complete, the browser downloads the malicious ZIP archive.
This step helps the attackers make the download look safer. It also gives the victim the impression that a Microsoft-branded security layer approved the file.
- The victim sees a fake Indian tax notice.
- The notice warns about penalties and a 72-hour deadline.
- The Download Documents button redirects to a fake Microsoft verification page.
- The verification page shows a staged security check.
- The browser downloads a ZIP archive with a tax-utility-style name.
The ZIP abuses a signed executable and malicious DLL
The archive contains a legitimate signed executable named COU_ITR-1_to_4_AY2026-27.exe and a malicious DLL named nvdaHelperRemote.dll.
When the victim runs the executable, Windows loads the attacker’s DLL from the same folder. Microsoft’s DLL search order documentation explains that, when a full DLL path is not specified, Windows searches several locations, including the folder from which the application loaded.
Attackers abuse this behavior by placing a malicious DLL beside a trusted executable. The signed program starts normally, but the attacker’s code runs through the DLL load path.
DLL sideloading gives the malware a trusted entry point
Cyderes said the first malicious stage uses DLL search-order abuse to start the infection while hiding behind a legitimate binary.
MITRE ATT&CK tracks this under Hijack Execution Flow: DLL, a technique where adversaries abuse the way applications load dynamic-link libraries to run malicious code.
In this campaign, the malicious DLL acts as the first loader. It sets up the next stages, asks for elevated privileges, and helps install persistence under a service name that sounds like a normal Windows component.
| Stage | Reported behavior | Purpose |
|---|---|---|
| Stage 1 | Fake tax notice and ZIP download | Get the victim to run the archive contents |
| Stage 2 | Signed executable loads nvdaHelperRemote.dll | Start malicious code through DLL sideloading |
| Stage 3 | UAC prompt and service creation | Gain persistence and elevated execution |
| Stage 4 | Download background.jpg | Retrieve hidden encrypted payloads |
| Stage 5 | Reflective loading in memory | Avoid writing final payloads to disk |
| Stage 6 | Inject dual RATs into svchost.exe | Give attackers remote control through two channels |
The malware creates a fake Windows service
After the first sideloading stage, the malware escalates through a UAC prompt and creates a persistence service called MixedSvc, displayed as “Windows Mixed Reality Service.”
The name is meant to look like a legitimate Windows feature. That can reduce suspicion when administrators review services quickly.
MITRE ATT&CK’s Windows Service technique explains that attackers may create or modify services so malicious payloads run repeatedly, often with elevated privileges.
A JPEG file hides the next payloads
The next stage downloads a file named background.jpg from attacker infrastructure. It appears to be an ordinary image, but Cyderes said it contains encrypted payload data appended after the image content.
This kind of polyglot design can help the file pass simple checks that only inspect the file header or extension. A tool may see a normal image, while the loader reads the hidden data from another part of the file.
The tactic also reduces the number of obviously malicious files on disk. Instead of downloading separate executable payloads, the malware retrieves a file that looks like a harmless picture.
Reflective loading keeps later stages in memory
After retrieving the hidden payloads, later stages move away from disk activity. The malware uses reflective loading to unpack and execute code directly in memory.
This makes detection harder because the final payloads do not need to appear as normal executable files. Security tools must rely on memory behavior, process relationships, and suspicious API activity rather than file scanning alone.
The MITRE ATT&CK process injection page describes how attackers may inject code into another process to evade defenses, gain access to another process context, or run malicious code through a legitimate process.
The final payloads run inside svchost.exe
Cyderes said the chain ends by injecting two payloads into svchost.exe processes across active user sessions. That gives the attacker coverage in both service and interactive contexts.
The first implant is a Gh0st RAT derivative with screen capture capabilities that connects to its command server over port 6666.
The second implant is a Quasar or AsyncRAT family .NET payload that connects over port 6351. Running two RATs gives the attacker a backup if one command channel gets blocked or detected.
| Final implant | Reported behavior | Command channel |
|---|---|---|
| Gh0st RAT derivative | Remote control and screen capture | kkxqbh[.]top over port 6666 |
| Quasar or AsyncRAT family implant | .NET remote access payload with AMSI tampering | ouewop[.]com over port 6351 |
The .NET implant patches AMSI before loading
The second RAT reportedly patches the Antimalware Scan Interface before loading its .NET code. AMSI is a Windows security interface that lets applications and services integrate with installed antimalware products.
Microsoft’s AMSI documentation says the interface supports file, memory, and stream scanning, as well as checks for dynamic code and scripts.
That makes AMSI tampering a major red flag. If a process modifies AMSI-related behavior before starting the Common Language Runtime or loading .NET code, defenders should treat it as suspicious.
Why dual RAT deployment raises the risk
Most phishing campaigns try to establish one reliable remote access channel. This campaign installs two, which makes response harder.
If defenders block the Gh0st RAT derivative, the .NET implant may still keep the attacker connected. If the .NET implant fails, the Gh0st RAT channel can still provide control and surveillance.

MITRE tracks legitimate and malicious use of remote control tools under Remote Access Tools. In this case, the payloads are not normal admin tools, but the defensive concern is similar: the attacker gains hands-on access to the endpoint.
Why the fake ITR file name is convincing
The malicious ZIP name closely follows the style of a real tax utility. That makes it more likely to fool users during filing season or compliance-heavy periods.
The official Income Tax Department portal shows that legitimate utilities are distributed for specific assessment years and ITR forms. Attackers copied that naming logic to make the archive feel familiar.
Users should treat tax-related download links in emails, messages, or third-party websites as high risk. They should navigate directly to the official portal rather than trusting a link inside a notice.
Artifacts give defenders a way to hunt
Even though the later stages run in memory, the campaign still leaves useful artifacts. These include the malicious service name, lock files, hidden debug logs, named global events, and suspicious process injection into svchost.exe.

Security teams should also monitor signed executables loading unsigned DLLs from the same extraction folder. The Microsoft DLL search order guidance explains why applications that do not use full DLL paths can become exposed to this type of abuse.
The MITRE DLL hijacking mapping gives defenders a useful way to classify the first execution stage and connect it with later persistence and injection activity.
- Inspect tax-themed ZIP files downloaded from non-government domains.
- Alert on signed binaries loading unsigned DLLs from user-controlled directories.
- Monitor creation of services named MixedSvc or “Windows Mixed Reality Service” from unexpected paths.
- Look for background.jpg downloads from suspicious IP addresses.
- Hunt for AMSI tampering before .NET payload loading.
- Investigate unexpected process injection into svchost.exe.
- Check for C2 connections to ports 6666 and 6351.
Indicators of compromise
Cyderes shared the following indicators for defenders. These should support hunting, but teams should also use behavior-based detection because attackers can change domains, files, and hashes quickly.
| Type | Indicator | Description |
|---|---|---|
| File name | Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip | Initial malicious archive delivered through the fake tax portal |
| File name | COU_ITR-1_to_4_AY2026-27.exe | Legitimate signed binary abused as the sideload launcher |
| File name | nvdaHelperRemote.dll | Malicious DLL loaded through DLL search-order abuse |
| File name | Mixed Reality.exe | Copied host binary used to sideload the staged DLL |
| File name | background.jpg | Polyglot payload container hiding encrypted stages |
| File name | c:\debug.txt | Hidden debug log written by the injector |
| File name | c:\kkooPPP | Gh0st RAT derivative lock file |
| File name | c:\ouewo | AsyncRAT loader lock file |
| File name | c:\kkqqexit | Kill file used as a shutdown signal |
| Domain | import[.]mom | Lure hosting domain using the /incometax path |
| Domain | tqkat[.]rest | Lure hosting domain using the /incometax path |
| Domain | generate[.]lat | Lure hosting domain using the /incometax path |
| Domain | meoou[.]rest | Lure hosting domain using the /incometax path |
| Domain | kattp[.]homes | Lure hosting domain using the /incometax path |
| IP address | 118[.]107[.]0[.]197 | Polyglot payload hosting server |
| URL | hxxp[:]//118[.]107[.]0[.]197/ouewo[.]jpg | Polyglot payload download URL |
| Domain | kkxqbh[.]top | Gh0st RAT derivative C2 on port 6666 |
| Domain | ouewop[.]com | AsyncRAT family C2 on port 6351 |
| Service name | MixedSvc / “Windows Mixed Reality Service” | Malicious persistence service |
| Named event | Global\kkctsbnn | Single-instance guard event |
| Named event | Global\ShitSetupOn26126k | Setup-phase guard event |
| Mutex | 5sGEm6Q4eTNv | AsyncRAT mutex |
Detection should focus on the full chain
The campaign uses several defensive evasion layers, so a single blocked file may not reveal the full intrusion. Teams should connect the fake notice, signed-binary sideloading, service creation, image-based payload retrieval, AMSI tampering, and svchost.exe injection into one investigation path.
The Microsoft AMSI overview confirms that AMSI helps antimalware products inspect memory and dynamic content. Attempts to disable or patch that inspection before .NET execution deserve immediate attention.

Defenders should also map memory-stage behavior to process injection, because the final RATs reportedly run inside svchost.exe rather than as obvious standalone processes.
How organizations can reduce risk
Organizations should warn employees about fake tax notices, especially during filing periods. A notice that asks users to download a ZIP file from an unfamiliar domain should be treated as suspicious.
IT teams should restrict execution from archive extraction folders, monitor new service creation, and require additional review for signed binaries that load unsigned DLLs.
The MITRE Windows Service technique and Remote Access Tools technique both fit this campaign’s later stages and can help detection teams build practical rules around persistence and remote control.
FAQ
It is a Windows malware campaign that impersonates an Indian income tax notice and delivers a ZIP archive that starts a six-stage infection chain ending with two remote access trojans.
The campaign uses a ZIP archive named Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip. It contains a legitimate signed executable and a malicious DLL named nvdaHelperRemote.dll.
The victim runs a signed executable from the archive, and Windows loads the attacker’s malicious DLL from the same folder. This gives the malware a trusted execution path through DLL search-order abuse.
Cyderes reported two final implants: a Gh0st RAT derivative using port 6666 and a Quasar or AsyncRAT family .NET implant using port 6351.
Organizations should monitor fake tax-themed downloads, signed binaries loading unsigned DLLs, suspicious service creation, background.jpg payload retrieval, AMSI tampering, and process injection into svchost.exe.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages