Watch out — that income tax form could actually be dangerous malware

Researchers uncovered a fake tax notice campaign that delivered remote-access malware via staged downloads and encrypted communications.

  • Fake tax notices are becoming delivery vehicles for sophisticated remote access malware
  • Attackers hide malicious code behind convincing government branding and legal references
  • The malware quietly establishes encrypted communication with servers outside the country

A new phishing campaign is using fake income tax assessment notices to deliver dangerous malware to unsuspecting victims across India.

Researchers at CYFIRMA identified the operation, which relies on a fraudulent website built to closely resemble official communication from the Indian Income Tax Department.

The fake portal, hosted on a recently registered domain, presents a convincing assessment order complete with legal references, financial penalties, and urgent compliance language designed to pressure recipients into acting quickly.

How the infection unfolds

Victims who interact with the fake notice are prompted to download a ZIP archive disguised as official assessment documentation and supporting calculations.

Once extracted, that archive reveals a disk image file functioning as a container for the actual malicious payload.

Inside sits a loader program that quietly triggers a second component, a DLL file disguised to resemble a legitimate Windows service.

Researchers found that this loader uses reflection-based techniques specifically built to make automated detection and analysis considerably more difficult.

Both files were obfuscated using a known protection tool, further complicating efforts by security teams to inspect the code.

Once active, the payload behaves like a Remote Access Trojan, granting attackers persistent, encrypted access to the infected machine.

It can collect system details, monitor user activity, check which security software is installed, and silently load additional malicious components on command.

Communication with the attacker's server happens over an encrypted channel, using a hardcoded address traced to infrastructure based in Hong Kong.

These capabilities point toward a financially motivated operation, rather than one focused on immediate damage or disruption, and they closely resemble traits associated with known commodity RAT families such as XWorm.

However, researchers note that conclusive attribution to a specific threat actor remains unconfirmed at this stage.

Why this campaign matters

This is not an isolated phishing attempt but part of a broader pattern of attackers exploiting tax season anxiety to bypass user caution entirely.

CYFIRMA's findings show the same loader-and-payload architecture has previously been linked to ransomware operators, suggesting this infrastructure may serve more than one type of attack depending on the victim.

Up-to-date antivirus software with behavioral detection remains one practical defence against this kind of staged, multi-component malware delivery.

Security researchers recommend that individuals verify any tax-related correspondence directly through official government channels rather than clicking embedded links.

Organizations are advised to restrict the execution of unknown files arriving through archives or disk images, since this campaign relies heavily on that exact delivery method to succeed.
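The delivery chain described above (archive, then a disk image, then a loader that executes from the mounted image, then a DLL loaded from the same image, then an encrypted connection to a hardcoded external address) lends itself to a correlation check rather than a single signature. The following is an added example, not code from CYFIRMA or from this article: it walks constructed endpoint events in the shape a Sysmon/EDR pipeline would emit and flags a mounted disk image that came from a user-writable folder once several stages have been observed on it. Field names, the sample paths and the 203.0.113.45 address (RFC 5737 documentation range) are all assumptions.

```python
# Added example (not from the CYFIRMA report or the article): correlate the staged
# archive -> disk image -> loader -> DLL -> external C2 chain over constructed events.
import ipaddress
import re

USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)
DISK_IMAGE = re.compile(r"\.(iso|img|vhd|vhdx)$", re.IGNORECASE)
# Internal ranges are listed explicitly so documentation addresses used below count as external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample telemetry (hypothetical paths, pids and addresses).
SAMPLE_EVENTS = [
    {"type": "mount", "user": "alice", "drive": "E:",
     "source": r"C:\Users\alice\Downloads\Assessment_Order\ITR_Assessment.iso"},
    {"type": "process", "user": "alice", "pid": 4120, "image": r"E:\Assessment_Notice.exe"},
    {"type": "imageload", "pid": 4120, "image": r"E:\WinSvcHost.dll"},
    {"type": "network", "pid": 4120, "dest": "203.0.113.45", "port": 443},
    # Benign: an admin mounts a vendor ISO from a software share and runs nothing from it.
    {"type": "mount", "user": "admin", "drive": "F:", "source": r"C:\Software\Win11_Install.iso"},
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def correlate(events):
    """Return one finding per disk image mounted from a user-writable path, listing
    which stages of the chain were observed on that mounted drive."""
    chains = {}        # drive letter -> finding
    pid_to_drive = {}  # processes started from a tracked drive
    for ev in events:
        t = ev["type"]
        if t == "mount" and DISK_IMAGE.search(ev["source"]) and USER_WRITABLE.search(ev["source"]):
            chains[ev["drive"].upper()] = {"user": ev["user"], "source": ev["source"],
                                           "stages": ["mount_from_user_path"]}
        elif t == "process" and ev["image"][:2].upper() in chains:
            drive = ev["image"][:2].upper()
            pid_to_drive[ev["pid"]] = drive
            chains[drive]["stages"].append("exec_from_image")
        elif t == "imageload" and ev["pid"] in pid_to_drive:
            drive = pid_to_drive[ev["pid"]]
            if ev["image"][:2].upper() == drive and ev["image"].lower().endswith(".dll"):
                chains[drive]["stages"].append("dll_from_image")
        elif t == "network" and ev["pid"] in pid_to_drive and is_external(ev["dest"]):
            chains[pid_to_drive[ev["pid"]]]["stages"].append("external_c2")
    return chains

def alerts(events, min_stages=3):
    """Only chains that reached at least min_stages stages are worth an analyst's time."""
    return {d: f for d, f in correlate(events).items() if len(f["stages"]) >= min_stages}

if __name__ == "__main__":
    for drive, finding in alerts(SAMPLE_EVENTS).items():
        print(drive, finding["user"], finding["stages"])
```

The benign vendor ISO never produces a finding because its source path is not user-writable, which keeps the rule from firing on routine administrative mounts.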
