At a glance
- Actor: Suspected China-nexus threat cluster
- Activity type: Spear-phishing and cyber espionage
- Targets: Indian taxpayers, finance teams, and tax professionals
- Scale: Pan-India taxpayer base
- Status: Active since May 2026
- Source: Seqrite Lab
TL;DR
The Operation DragonReturn campaign targets Indian taxpayers and finance professionals. Attackers use fake income tax notifications to deploy remote access trojans. This ongoing China-nexus cyber espionage operation aims to steal sensitive financial data.
What Happened
Seqrite Lab discovered an active phishing campaign in May 2026. Researchers named this threat Operation DragonReturn. Attackers send spear-phishing emails to Indian taxpayers. They impersonate the Ministry of Finance’s Income Tax Department. The emails contain a fake PDF attachment. This document warns victims about alleged corporate tax violations.
When users click the embedded link, a fake government webpage opens. The site prompts victims to download a ZIP archive. This file mimics a real government tax utility. However, opening the archive starts a dangerous infection chain. The malware uses a technique called DLL sideloading. It establishes persistence by creating a hidden Windows service.

Next, the malware injects malicious code into a legitimate system process. It disables built-in security scanners to avoid detection. The malware retrieves an encrypted payload from an embedded resource. Then, it decrypts a .NET assembly directly into memory. This strategy avoids writing malicious files to the hard drive.
“The malware then enforces single-instance execution by creating a global event named Global\ShitSetupOn26126k and terminating if an existing instance is detected,” the report explains. Finally, it deploys a remote access trojan known as DcRAT. This tool allows attackers to control the infected computer.
Who Is Behind It
Security analysts attribute Operation DragonReturn to a suspected China-nexus threat cluster. Researchers made this assessment with medium-to-high confidence. They found overlapping tactics and shared infrastructure. The campaign shares similarities with another threat actor known as Silver Fox.
Investigators traced the command-and-control servers to specific network providers. They found Chinese-language strings within the web management panels. “The repeated use of infrastructure hosted within ChinaNet (AS4134), combined with previously identified Chinese-language artifacts, infrastructure overlaps, and TTP similarities, further strengthens our assessment of a China-aligned threat nexus,” analysts noted.
However, definitive attribution remains difficult in cyberspace. Therefore, experts consider the attackers suspected rather than confirmed state actors. The attackers use domains such as kkxqbh[.]top to communicate with infected machines, and they spread their resources across multiple hosting environments. This strategy complicates tracking efforts for defenders.
Impact or Scale
The operation targets a massive demographic across India. Victims include individual taxpayers, corporate finance teams, and government contractors. “This campaign is classified as a Spear Phishing to Malware Delivery operation with APT-style characteristics,” Seqrite stated. Attackers want to steal sensitive financial data.
The malware captures screenshots and exfiltrates system data. It compresses this information before sending it to remote servers. The threat actors actively rotate their payloads to evade antivirus software. By June 2026, their latest files bypassed all major security scanners.
This evasion makes the campaign highly dangerous. A successful breach could lead to severe financial fraud. It might also expose confidential government financial records. The attackers want long-term access to high-value networks.
What Comes Next and How to Stay Protected
Operation DragonReturn remains highly active today. Attackers will likely continue refining their malware to bypass new defenses. They want to maintain covert access to Indian financial networks. Users must remain vigilant during tax filing seasons.
You should never download tax utilities from unofficial links. Always visit the official government portal directly. Furthermore, organizations must update their endpoint security tools. Security teams should monitor networks for unusual service creations.
Strict email filtering can also block these phishing attempts before they reach users. Security awareness training remains crucial for all financial staff.
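The article's own indicators for this chain are host-level: a new Windows service registered for persistence after the downloaded ZIP is opened, and built-in scanners being switched off. The script below is an added example, not code from Seqrite or from the report; it runs two detection rules over constructed JSON-formatted event records (the field names such as "image_path" and "service_name" are an assumed SIEM layout, not a Windows native format). Event ID 7045 in the System log (a service was installed) and Event ID 5001 in the Microsoft-Windows-Windows Defender/Operational log (real-time protection disabled) are real Windows event IDs; the host names, service names and paths in the sample are made up.

```python
"""Flag two of the host artifacts described in the article: a service whose
binary lives in a user-writable directory (persistence after the downloaded
archive is opened) and Microsoft Defender real-time protection being turned
off (disabling built-in scanners). Hosts showing both get correlated.
The log records are constructed samples, not data from the Seqrite report."""

import json
import re
from typing import Dict, List, Set

# Locations where a legitimate auto-start service binary should not normally
# live: per-user profile folders, temp folders and per-app ProgramData folders.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(downloads|appdata|desktop|documents)\\|"
    r"\\windows\\temp\\|\\temp\\|\\programdata\\[^\\]+\\)",
    re.IGNORECASE,
)

# Constructed sample events, one JSON object per line. The field layout is an
# assumption about how a SIEM might normalize Windows event log entries.
SAMPLE_LOG = r"""
{"channel":"System","event_id":7045,"host":"FIN-PC01","service_name":"Windows Update Helper","image_path":"C:\\Users\\priya\\Downloads\\ITR_Utility\\setup.exe","start_type":"auto start"}
{"channel":"System","event_id":7045,"host":"FIN-PC02","service_name":"Sysmon64","image_path":"C:\\Windows\\Sysmon64.exe","start_type":"auto start"}
{"channel":"Microsoft-Windows-Windows Defender/Operational","event_id":5001,"host":"FIN-PC01"}
{"channel":"Microsoft-Windows-Windows Defender/Operational","event_id":1116,"host":"FIN-PC03"}
"""


def check_event(ev: Dict) -> List[Dict]:
    """Apply both rules to one parsed event; return a list of findings."""
    findings: List[Dict] = []
    host = ev.get("host", "unknown")

    # Rule 1: service installed (7045) with its executable in a user-writable path.
    if ev.get("channel") == "System" and ev.get("event_id") == 7045:
        path = ev.get("image_path", "")
        if USER_WRITABLE.search(path):
            findings.append({
                "host": host,
                "rule": "service_in_user_writable_path",
                "detail": f"service '{ev.get('service_name', '?')}' installed from {path}",
            })

    # Rule 2: Defender real-time protection disabled (5001).
    if ev.get("event_id") == 5001 and "Defender" in ev.get("channel", ""):
        findings.append({
            "host": host,
            "rule": "defender_realtime_disabled",
            "detail": "real-time protection was switched off",
        })
    return findings


def scan_log(text: str) -> List[Dict]:
    """Parse newline-delimited JSON events and collect findings from all of them."""
    findings: List[Dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        findings.extend(check_event(ev))
    return findings


def hosts_with_both(findings: List[Dict]) -> Set[str]:
    """Hosts where a suspicious service install AND a Defender shutdown were seen;
    the combination is a much stronger signal than either event alone."""
    rules_by_host: Dict[str, Set[str]] = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    return {
        h for h, rules in rules_by_host.items()
        if {"service_in_user_writable_path", "defender_realtime_disabled"} <= rules
    }


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for r in results:
        print(f"[{r['rule']}] {r['host']}: {r['detail']}")
    print("escalate:", sorted(hosts_with_both(results)))
```

In practice the same two rules map directly onto a SIEM query or Sysmon filter; the path regex is deliberately narrow so that benign services installed under C:\Windows or C:\Program Files do not fire, and tuning it for a given estate is expected.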