Infection Chain of the Attack | Image: SEQRITE Labs
With tax filing season still fresh in mind, a new and sophisticated phishing campaign is targeting Indian businesses by weaponizing the fear of non-compliance. A new analysis by SEQRITE Labs’ APT Team has uncovered a multi-stage attack that begins with a fake tax notice and ends with a persistent Remote Access Trojan (RAT) embedded deep in the victim’s system.
The campaign is notable not just for its timing but for its “China-linked” origins. “Multiple technical indicators observed during analysis of installers point toward a China-linked development environment rather than a globally sourced commodity,” the report states.
The attack starts with a spear-phishing email that appears to come from the “Office of the Deputy Assistant Director of Income Tax, Investigation.” The subject line, “Tax Compliance Review Notice,” is designed to trigger immediate panic.

However, the attackers employed a clever trick to bypass spam filters. “What makes this email particularly noteworthy is that the body contains no text at all. Instead, it features a single embedded image crafted to resemble an authentic ITD notice,” the researchers explained.
By putting the entire notice in an image rather than text, the attackers deny content filters the keywords they normally key on: a scanner that does not run OCR sees an empty body. The image itself mimics official formatting, complete with the Government of India emblem and a strict deadline.
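An image-only body is easy to check for at the mail gateway. The following Python is an added example, not code from SEQRITE Labs or from the article: it walks a parsed MIME message, measures how much human-readable text the text/plain and text/html parts carry, and flags messages that contain an image part but effectively no text. Both sample messages are constructed, and the 20-character threshold is an assumed tuning value.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample (not a real message from the campaign): the HTML body holds a
# single inline image and nothing else, the pattern the report describes.
IMAGE_ONLY_EMAIL = b"""\
From: "Office of the Deputy Assistant Director of Income Tax" <notice@example.invalid>
To: finance@victim.example
Subject: Tax Compliance Review Notice
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body><img src="cid:notice001"></body></html>
--b1
Content-Type: image/png
Content-ID: <notice001>
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
--b1--
"""

# Constructed benign message with an ordinary text body, used as the negative case.
TEXT_EMAIL = b"""\
From: payroll@victim.example
To: finance@victim.example
Subject: Q3 invoice
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Please find the Q3 invoice figures in the shared drive folder.
"""


class _TextExtractor(HTMLParser):
    """Collects only the character data of an HTML document, dropping tags."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

    def text(self):
        return "".join(self.chunks)


def visible_text_length(msg):
    """Number of non-whitespace-trimmed characters a reader would actually see."""
    total = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            total += len(part.get_content().strip())
        elif ctype == "text/html":
            extractor = _TextExtractor()
            extractor.feed(part.get_content())
            total += len(extractor.text().strip())
    return total


def image_part_count(msg):
    return sum(1 for part in msg.walk() if part.get_content_maintype() == "image")


def is_image_only_lure(raw_bytes, max_text_chars=20):
    """True when the message carries at least one image but (almost) no readable text.
    max_text_chars is an assumed threshold; tune it against your own mail flow."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return image_part_count(msg) >= 1 and visible_text_length(msg) <= max_text_chars


if __name__ == "__main__":
    print("image-only lure:", is_image_only_lure(IMAGE_ONLY_EMAIL))
    print("plain text mail:", is_image_only_lure(TEXT_EMAIL))
```

The heuristic is deliberately narrow: a newsletter that is one big banner would also trip it, so in practice it is a scoring signal combined with sender reputation and display-name checks, not a block rule on its own.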
The email directs victims to open an attachment named Review Annexure.pdf. The document itself carries no exploit; it contains a link to a fraudulent compliance portal (hxxps://www.akjys.top/), and visiting that page automatically triggers the download of a malicious ZIP file.
The fake portal uses a social engineering tactic: it explicitly tells the user to turn off their security software.
“The attackers even added a misleading reassurance: ‘Please remember to re-enable your antivirus protection after using the Income Tax Department client’,” the report notes. In reality, “No government portal, especially one related to tax compliance or investigations, would ever instruct users to disable their antivirus”.
Once the victim executes the downloaded file, a complex infection chain begins. The malware uses a two-stage installation process to establish persistence.
The Stage-1 installer acts as a silent loader. To appear legitimate, it carries a digital signature from “Hengshui Shenwei Technology Co., Ltd.”.
The Stage-2 installer reveals the campaign’s likely geographic origins. It displays a GUI entirely in Simplified Chinese and is signed by yet another entity, “Shandong Anzai Information Technology CO., Ltd.”.
“The installer ecosystem, extensive Simplified Chinese language usage, and the presence of a Chinese-registered code-signing entity collectively suggest that the tooling was either developed, compiled, or packaged within a Chinese software or threat ecosystem,” the report concludes.
The malware is not a simple smash-and-grab operation; it is designed for the long haul. It achieves persistence by registering itself as a Windows Service, masquerading as the “Windows Real-time Protection Service” to blend in with legitimate system processes. A convincing name proves nothing on its own: what separates this service from a genuine Defender component is where its binary lives and who signed it.
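A service installation is recorded in the Windows System log as Event ID 7045 (“A service was installed in the system”), which makes the persistence step above easy to hunt for retrospectively over exported events. The Python below is an added example, not SEQRITE’s detection logic: it parses 7045 records, and flags any service whose name borrows Windows or security wording while its binary sits outside the directories such services normally live in. The three events are constructed; in particular the ImagePath for the malicious service is an assumed value, since the report excerpt gives none, and the trusted-root list is an assumption to adapt per environment.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed System-log events in the XML shape the Event Viewer exports.
EVENTS = [
    # The campaign's service name; the ImagePath is assumed, not taken from the report.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID Qualifiers="16384">7045</EventID></System>
<EventData><Data Name="ServiceName">Windows Real-time Protection Service</Data>
<Data Name="ImagePath">"C:\ProgramData\ITDClient\wrtps.exe"</Data>
<Data Name="ServiceType">user mode service</Data><Data Name="StartType">auto start</Data>
<Data Name="AccountName">LocalSystem</Data></EventData></Event>""",
    # Genuine Defender for Endpoint sensor: security wording, but a trusted path.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID Qualifiers="16384">7045</EventID></System>
<EventData><Data Name="ServiceName">Windows Defender Advanced Threat Protection Service</Data>
<Data Name="ImagePath">"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"</Data>
<Data Name="ServiceType">user mode service</Data><Data Name="StartType">auto start</Data>
<Data Name="AccountName">LocalSystem</Data></EventData></Event>""",
    # Sysmon: unremarkable name, so no lure wording to match.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID Qualifiers="16384">7045</EventID></System>
<EventData><Data Name="ServiceName">Sysmon64</Data>
<Data Name="ImagePath">C:\Windows\Sysmon64.exe</Data>
<Data Name="ServiceType">user mode service</Data><Data Name="StartType">auto start</Data>
<Data Name="AccountName">LocalSystem</Data></EventData></Event>""",
]

# Words a fake "Windows protection" service is likely to borrow.
LURE_WORDS = ("windows", "microsoft", "defender", "protection", "security", "antivirus")

# Assumed trusted roots for services that legitimately carry such names (lower-case).
TRUSTED_ROOTS = (
    r"c:\windows\system32\\".rstrip("\\") + "\\",
    r"c:\windows\syswow64" + "\\",
    r"c:\program files" + "\\",
    r"c:\program files (x86)" + "\\",
    r"c:\programdata\microsoft\windows defender" + "\\",
)


def parse_7045(xml_text):
    """Return the EventData fields of a 7045 record as a dict, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7045":
        return None
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def normalize_path(image_path):
    """Strip surrounding quotes, expand %SystemRoot%, lower-case for comparison."""
    path = image_path.strip().strip('"')
    path = re.sub(r"%systemroot%", r"C:\\Windows", path, flags=re.IGNORECASE)
    return path.lower()


def is_masquerading_service(event):
    name = event.get("ServiceName", "").lower()
    path = normalize_path(event.get("ImagePath", ""))
    looks_like_windows = any(word in name for word in LURE_WORDS)
    return looks_like_windows and not path.startswith(TRUSTED_ROOTS)


def hunt(records):
    """(ServiceName, ImagePath) for every 7045 record that trips the heuristic."""
    hits = []
    for xml_text in records:
        event = parse_7045(xml_text)
        if event and is_masquerading_service(event):
            hits.append((event["ServiceName"], event["ImagePath"]))
    return hits


if __name__ == "__main__":
    for name, path in hunt(EVENTS):
        print(f"suspicious service install: {name!r} -> {path}")
```

A hit from this heuristic is a lead, not a verdict: the follow-up is to pull the binary at ImagePath and check its Authenticode signer, which is exactly where the unfamiliar signing entities named in the report would show up.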
Once established, the malware acts as a full-featured RAT. It harvests extensive system data—including OS versions, installed applications, and hardware details—and connects to multiple command-and-control (C2) servers to receive further instructions.
“The installer behaves more like a RAT than a simple data collector, maintaining persistence, collecting system details and remote command capability,” the analysts concluded.
This campaign serves as a critical warning that financial lures are evolving into gateways for total device compromise. By combining high-pressure government impersonation with a signed, multi-stage installer chain, these threat actors are turning routine compliance checks into significant security breaches.