Fake Indian Tax Notices Deliver Dual RATs via Six-Stage Infection Chain
A sophisticated campaign uses fake Indian tax notices to deliver two distinct Remote Access Trojans (RATs) through a complex six-stage infection process, exploiting DLL search order abuse and polyglot files.

A new malware campaign is actively targeting users by impersonating the Indian Income Tax Department, leveraging fake tax notices to deliver a dual-payload attack. The campaign employs a multi-stage infection chain, meticulously designed to bypass security measures and establish persistent access with two distinct Remote Access Trojans (RATs). Researchers at Cyderes have detailed the operation, highlighting its sophisticated lure and technical execution.
The attack begins with fraudulent websites mimicking the Indian Income Tax Department, using paths like "/incometax" and displaying fabricated compliance notices. These notices claim the recipient's organization has violated tax laws and must submit documents within 72 hours to avoid penalties. To enhance credibility, the fake notices incorporate official government branding, including references to the Ministry of Finance and the Enforcement Division. Clicking a "Download Documents" link redirects victims to a spoofed "Microsoft Edge Secure Gateway" page, which performs a series of fake security checks to build user trust before initiating the malware download.
Upon successful trust-building, users are prompted to download a ZIP archive named "Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip." This archive contains a legitimate signed executable alongside a malicious DLL named "nvdaHelperRemote.dll." The attackers exploit Windows' DLL search order vulnerability, ensuring that when the signed executable runs, it loads the malicious DLL instead of its intended counterpart, granting the malware a trusted entry point.
The infection chain then progresses through several stages. It involves privilege escalation, often through a User Account Control (UAC) prompt, followed by the installation of a persistence service disguised as "Windows Mixed Reality Service." The malware then fetches encrypted payloads hidden within a file that appears to be a standard JPEG image. This polyglot file format allows the malicious content to evade basic content filters and casual inspection.
Later stages focus on in-memory execution, abandoning disk activity to unpack and load code directly into memory, further complicating detection. The final payloads are injected into "svchost.exe" processes across all active user sessions. This ensures the malware remains active even when users switch sessions or log out, maintaining a robust foothold on the compromised system.
The two distinct RATs deployed are a Gh0st RAT derivative, capable of screen capture and connecting via port 6666, and a .NET implant from the Quasar or AsyncRAT family. The latter actively patches the Antimalware Scan Interface (AMSI) before loading, enabling it to evade detection by security software, and connects via port 6351.
The use of two separate command-and-control (C2) channels provides a critical redundancy for the attackers. If one C2 connection is blocked or detected, the other remains active, ensuring continued control over the compromised environment. This dual-RAT approach significantly increases the resilience of the attack.
Security researchers recommend layered defenses and proactive threat hunting to counter this campaign. Key indicators of compromise include signed binaries loading unsigned DLLs, unusual service creation pointing to unexpected paths, AMSI tampering, and process injection targeting "svchost.exe" from unauthorized sources. The reliance on in-memory execution and abuse of signed binaries means that infected endpoints can remain undetected for extended periods, underscoring the importance of hunting for these specific artifacts.