← All stories
● Covered by 1 source · 1 reportHigh impact

Chinese Hackers Target India’s Taxpayers with DcRAT via Phishing Scheme

Aggregated by BrevFeed security · updated 1h ago
🔖 Save

A suspected group of Chinese hackers has launched Operation DragonReturn, targeting Indian taxpayers with sophisticated phishing emails disguised as communications from the Income Tax Department. The campaign utilizes fake tax filing utilities to deploy a remote access trojan (DcRAT), aimed at stealing sensitive financial data.

Key points

Overview of the Attack Campaign

Operation DragonReturn has been identified by Seqrite Labs as a sophisticated threat targeting Indian taxpayers and corporate finance teams. Initiated on May 18, 2026, the campaign uses spear-phishing emails that impersonate the Income Tax Department, linking directly to the annual income tax filing period in India.

Phishing Techniques Used

Attackers send phishing emails, creating urgency through messages about tax violations and penalties. These email links direct users to a fraudulent landing page, where they are prompted to download a ZIP file posing as a legitimate offline utility for tax filing.

Malware Deployment Process

Upon execution, the fake utility side-loads a malicious DLL ('nvdaHelperRemote.dll') that injects additional payloads into memory and seeks to run with administrative privileges. If it detects insufficient permissions, it triggers a User Account Control (UAC) prompt for elevation.

Persistence Mechanisms

The malware extracts an image from a remote server, which acts as a container for a secondary payload. This payload installs itself as 'Mixed Reality.exe' and creates a Windows service, 'MixedSvc,' enabling it to maintain persistence on the victim's system across reboots.

Significance of the Threat

The precision of the phishing strategy, including legal citations and bilingual content, underscores the resources behind this operation. The campaign's exclusive focus on India's taxpayer system reveals a targeted approach to financial gain through sensitive data theft.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors — check the original sources. How BrevFeed works →

Primary sources

CVE CVE-2026-552008.1 HIGH CVE CVE-2026-468179.8 CRITICAL

Reporting from

A suspected group of Chinese hackers has launched Operation DragonReturn, targeting Indian taxpayers with sophisticated phishing emails disguised as communications from the Income Tax Department. The campaign utilizes fake tax filing utilities to deploy a remote access trojan (DcRAT), aimed at stealing sensitive financial data.