Fake Indian tax portal used to plant spyware on finance teams' computers

A suspected Chinese hacking group is posing as India's Income Tax Department to slip a remote-control virus onto the machines of accountants and corporate finance staff.

ThreatVectr Newsdesk· 3 min read
Photoreal editorial full-frame 16:9 image of a dimly lit Indian accountant's desk at night, showing an open laptop with a generic tax form on screen, a calculat
Share

Key points

  • Security firm Seqrite Labs has named the campaign Operation DragonReturn and linked it to a suspected China-based hacking group.
  • The attackers send fake emails pretending to come from the Income Tax Department of India, aimed at taxpayers, tax advisers and corporate finance teams.
  • The final payload is DcRAT, a remote access trojan, which is spyware that lets attackers watch and control an infected computer from afar.
  • The campaign uses several stages of hidden downloads before the spyware lands, making it harder for antivirus tools to catch.
  • Victims risk theft of tax filings, client data, banking details and internal financial records.

Someone in India opens what looks like a routine email from the tax office. It talks about a filing utility, the sort of small program accountants download every year around deadline season. They click. Nothing obvious happens. In the background, their computer has just been handed to a stranger.

That is the shape of Operation DragonReturn, a campaign flagged by researchers at Seqrite Labs and reported by The Hacker News. The team believes the attackers are linked to China, though they have stopped short of naming a specific state-backed crew.

The targets are narrow and deliberate. Indian taxpayers, chartered accountants, and the finance departments inside Indian companies. In other words, the people who sit on top of a mountain of sensitive financial paperwork.

How does the attack actually work?

It starts with a spear-phishing email, which is a targeted fake message written to look like it comes from someone the victim trusts. Here, the sender pretends to be the Income Tax Department of India. The lure is a tax filing utility, a piece of software Indian filers really do use.

Opening the attachment kicks off a multi-stage chain. Each stage pulls down the next piece quietly, so nothing looks too alarming at any single step. The failure mode here is familiar: individual files look boring, the sum of them is a full spyware kit.

The final payload is DcRAT. RAT stands for remote access trojan, which is malicious software that gives an attacker a live back door into the machine. Once installed, DcRAT can log what the user types, grab files, take screenshots, and pull passwords out of browsers. For a finance team, that means client tax returns, PAN numbers, bank credentials, and anything sitting in a shared drive.

Should ordinary taxpayers be worried?

Mostly this campaign is aimed at professionals, not individual filers, but the same trick works on anyone. If you file taxes in India, treat any email claiming to be from the tax department with suspicion, especially around deadlines. The real Income Tax Department does not send filing utilities as email attachments. Downloads should come from the official portal you type into the browser yourself.

If you run a small accounting practice, the practical advice is duller and more useful. Do not open attachments from unexpected senders. Keep tax utilities on a machine that is not also used for general email and web browsing. Turn on multi-factor authentication, which is the extra one-time code step, on every account that touches client data.

Why does this one matter?

In practice, campaigns like this succeed because the lure is boring and plausible. Nobody is excited to receive a tax notice. People click through them fast, half-reading, wanting the task off their plate. That is exactly the mental state attackers count on.

One thing the post-mortem will say, if any of the victim firms bother writing one: the antivirus alert probably did fire on stage two or three. Someone dismissed it. Someone always does.

Operational takeaway: assume any email offering a tax utility is hostile until proven otherwise, and get your finance team into the habit of downloading tools only from the URL they typed themselves.

© 2026 Threat Vectr