A new malware campaign is using fake Indian tax notices to trick users into installing not one, but two separate remote access trojans on their computers.
The attack disguises itself as an official Income Tax Department communication, playing on the fear of penalties to push victims toward a malicious download.
Once triggered, the infection unfolds across six carefully engineered stages that end with two independent RATs running quietly in memory.
Each implant connects to its own command server, giving the attacker a built-in backup if one connection gets blocked or detected. The design shows a level of planning that goes well beyond a typical phishing scam.
Security researchers first flagged the operation as it targeted users across India with government-themed lures.
Analysts from Cyderes said in a report shared with Cyber Security News (CSN) that they identified the campaign and traced its full technical chain, from the initial fake notice down to the final payloads running inside legitimate system processes.
The attackers built their lure using authentic looking government branding, including references to the Ministry of Finance and the Enforcement Division, to make the fake notice feel credible.
Victims who click through are pushed toward a spoofed Microsoft verification page before the actual malware ever appears. That extra layer of trust building is part of what makes the campaign effective against everyday users.
Fake Indian ITR Notice Delivers Dual RAT Malware
The infection begins on fraudulent websites that copy the look of the Indian Income Tax Department, each using an “/incometax” path and a fabricated compliance notice.
Income Tax notice lure (Source – Cyderes)
The message claims the recipient’s organization has violated tax law and must submit documents within 72 hours to avoid penalties. Clicking “Download Documents” redirects victims to a page branded as “Microsoft Edge Secure Gateway” that runs a fake series of security checks.
Fake Microsoft verification page (Source – Cyderes)
Once every check appears to pass, the browser downloads a ZIP archive named Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip.
Inside are a legitimate signed executable and a malicious DLL named nvdaHelperRemote.dll, packaged together to exploit Windows DLL search order abuse.
When the executable runs, it unknowingly loads the attacker’s DLL instead of a genuine one, giving the malware a trusted entry point onto the system.
Six Stages to Dual aRAT Deployment
From that first sideload, the chain moves through privilege escalation using a UAC prompt, then installs a persistence service disguised as “Windows Mixed Reality Service”.
The malware then fetches a file from its infrastructure that looks like an ordinary JPEG image but actually hides multiple encrypted payloads appended after the picture data.
This polyglot trick lets the file pass casual inspection and basic content filters that only check the header.
Later stages abandon disk activity almost entirely, using reflective loading to unpack code directly in memory.
The chain finishes by injecting two payloads into svchost.exe processes across every active user session, so the malware survives user switches and keeps a foothold in both service and interactive contexts.
The two final implants are a Gh0st RAT derivative with screen capture abilities connecting over port 6666, and a Quasar or AsyncRAT family .NET implant that patches the Antimalware Scan Interface before loading, connecting over port 6351.
AMSI patching (Source – Cyderes)
Running both over separate command channels means blocking one does not end the intrusion.
The same host artifacts used for detection, including the staged service, hidden lock files, and named global events, also give response teams a fast path to scope and contain a confirmed compromise.
The recommended detection approach includes watching for signed binaries loading unsigned DLLs, unusual service creation pointing to unexpected paths, AMSI tampering ahead of CLR initialization, and process injection targeting svchost.exe from unexpected sources.
Since in-memory execution and signed binary abuse let an infected endpoint stay quiet while an operator retains full control, layered defenses and proactive hunting for these specific artifacts matter more than relying on a single detection to catch the activity before it escalates.
Indicators of Compromise (IoCs):-
TypeIndicatorDescriptionFile NameCommon_Offline_Utility_ITR-1_to_4_AY2026-27.zipInitial malicious archive delivered via fake tax portalFile NameCOU_ITR-1_to_4_AY2026-27.exeLegitimate signed binary abused as sideload launcherFile NamenvdaHelperRemote.dllMalicious DLL sideloaded via DLL search-order hijackFile NameMixed Reality.exeCopied host binary used to sideload staged DLLFile Namebackground.jpgPolyglot payload container hiding encrypted stagesFile Namec:\debug.txtHidden debug log written by injectorFile Namec:\kkooPPPLock file, Gh0st RAT derivative single-instance guardFile Namec:\ouewoLock file, AsyncRAT loader single-instance guardFile Namec:\kkqqexitKill file used as shutdown signalDomainimport[.]momLure hosting domain (path /incometax)Domaintqkat[.]restLure hosting domain (path /incometax)Domaingenerate[.]latLure hosting domain (path /incometax)Domainmeoou[.]restLure hosting domain (path /incometax)Domainkattp[.]homesLure hosting domain (path /incometax)IP Address118[.]107[.]0[.]197Polyglot payload hosting serverURLhxxp[:]//118[.]107[.]0[.]197/ouewo[.]jpgPolyglot payload download URLDomainkkxqbh[.]topGh0st RAT derivative C2 (port 6666)Domainouewop[.]comAsyncRAT family C2 (port 6351)Service NameMixedSvc / “Windows Mixed Reality Service”Malicious persistence serviceNamed EventGlobal\kkctsbnnSingle-instance guard eventNamed EventGlobal\ShitSetupOn26126kSetup-phase guard eventMutex5sGEm6Q4eTNvAsyncRAT mutex
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.
The post Fake Indian ITR Notice Delivers Dual RAT Malware Through Six-Stage Infection Chain appeared first on Cyber Security News.



