Attack Flow | Image: The eSentire Threat Response Unit (TRU)
A new and sophisticated cyber threat emerged targeting residents of India, disguising a potent espionage operation as mundane bureaucracy. The eSentire Threat Response Unit (TRU) has uncovered a campaign dubbed “SyncFuture”, where threat actors are weaponizing legitimate enterprise security software to conduct long-term surveillance on victims.
The campaign is a masterclass in deception, beginning with a high-pressure phishing lure and ending with the installation of a commercial-grade Chinese IT management tool repurposed for spying.
The attack vector relies on the universal anxiety surrounding tax compliance. Victims receive emails impersonating the Income Tax Department of India, with subject lines warning of a “Tax Compliance Deficiency and Penalty Notice”.
These emails, often sent via SendGrid to bypass initial filters, demand that the recipient submit documents within 72 hours. It is a classic social engineering squeeze. However, clicking the download link does not retrieve tax forms; it initiates a multi-stage infection chain designed to take total control of the target’s machine.
The technical sophistication of the “SyncFuture” campaign is evident from the moment of infection. The attackers employ DLL side-loading, a technique where a legitimate, signed Microsoft application is tricked into loading a malicious library.
According to the report, “The infection chain demonstrates a high level of sophistication, beginning with a DLL side-loading technique where a legitimate, signed Microsoft application is used to load a malicious DLL”.
Once executed, the malware performs a series of maneuvers to evade detection and elevate its own privileges:
- UAC Bypass: It utilizes a file-less COM-based technique to silently gain administrative privileges without alerting the user.
- Masquerading: It modifies its own process information to look like the harmless Windows explorer.exe.
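To show how a defender would look for the two behaviours described above (a signed Microsoft binary loading a planted DLL, and a process whose self-reported name is explorer.exe while its on-disk image is elsewhere), here is an added detection sketch. It is not code from the eSentire report: the record layouts are simplified Sysmon-style fields constructed for the example, the sample paths are invented, and the list of DLL names is an assumption, since the report does not name the side-loaded DLL.

```python
import ntpath
from dataclasses import dataclass

# Assumption: default Windows install; DLLs a Microsoft-signed binary legitimately
# resolves should come from these directories.
SYSTEM_DLL_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")
# Assumption: system DLL names commonly planted beside an executable for side-loading.
# Illustrative only; the report does not say which DLL this campaign abuses.
COMMON_SIDELOAD_NAMES = {"version.dll", "cryptbase.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll"}

@dataclass
class ImageLoad:
    """Constructed, simplified Sysmon Event ID 7 (Image loaded) record."""
    image: str         # Image: the process that performed the load
    image_loaded: str  # ImageLoaded: full path of the DLL
    signed: bool       # Signed: whether the DLL carries a valid signature
    signature: str     # Signature: signer name, empty if unsigned

@dataclass
class ProcessView:
    """Constructed snapshot pairing the kernel-seen image path with the PEB-reported name."""
    pid: int
    image_path: str     # path as reported by the kernel / EDR driver (not tamperable from user mode)
    reported_name: str  # name as read from the process's own PEB (tamperable by the process)

def _under(path, roots):
    """True if path lies below any of the given directory roots (case-insensitive)."""
    p = ntpath.normcase(ntpath.normpath(path))
    return any(p.startswith(ntpath.normcase(ntpath.normpath(r)) + "\\") for r in roots)

def is_sideload_candidate(ev: ImageLoad) -> bool:
    """A DLL carrying a system-DLL name, loaded from outside the system directories
    (typically the executable's own folder) and not Microsoft-signed."""
    name = ntpath.basename(ev.image_loaded).lower()
    if name not in COMMON_SIDELOAD_NAMES or _under(ev.image_loaded, SYSTEM_DLL_DIRS):
        return False
    return not (ev.signed and ev.signature.lower().startswith("microsoft"))

def is_explorer_masquerade(pv: ProcessView) -> bool:
    """PEB claims explorer.exe, but the image on disk is not %SystemRoot%\\explorer.exe."""
    if pv.reported_name.lower() != "explorer.exe":
        return False
    return ntpath.normcase(pv.image_path) != ntpath.normcase(r"C:\Windows\explorer.exe")

def triage(loads, procs):
    """Return the DLL paths and PIDs that match either indicator."""
    dlls = [ev.image_loaded for ev in loads if is_sideload_candidate(ev)]
    pids = [pv.pid for pv in procs if is_explorer_masquerade(pv)]
    return dlls, pids
```

Both checks are coarse: a legitimate application that ships its own copy of one of these DLLs will trip the first, so the hit is a lead for triage rather than a verdict.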
Perhaps the most brazen aspect of this campaign is how it handles security software. The malware includes specific code to neutralize Avast Free Antivirus—not by killing the process, but by interacting with it.
If Avast is detected, the malware “uses automated mouse simulation to navigate Avast’s interface and add malicious files to the antivirus exclusion list, effectively whitelisting them to bypass detection”. The attackers have essentially programmed a ghost user to click “Allow” on their behalf.
The endgame of this campaign is not ransomware or immediate financial theft. It is persistent, deep-cover espionage. To achieve this, the attackers deploy the SyncFuture Terminal Security Management System (TSM), a legitimate commercial software product developed by Nanjing Zhongke Huasai Technology Co., Ltd in China.
Typically used by IT administrators to manage corporate networks, the software provides the attackers with a pre-built suite of surveillance tools, including screen recording, file tracking, and remote desktop control.
“While marketed as a legitimate enterprise tool, it is repurposed in this campaign as a powerful, all-in-one espionage framework”.
By using signed, legitimate software as their final payload, the threat actors ensure their foothold remains stable and difficult to flag as malicious. The eSentire TRU concludes that “The threat actor’s primary objective is to gain persistent, elevated access to the victim’s machine for continuous monitoring of user activities, file operations, and exfiltration of sensitive information”.