Fake Tax Emails Are Planting Two Separate Spying Tools on Indian Taxpayers' Computers
A campaign timed to India's tax filing season tricks people into downloading what looks like an official government utility. Inside: two hidden programs that give criminals full remote control of the victim's machine.

Key points
- Security firm Cyderes discovered a phishing campaign, where criminals send fake emails to trick people, impersonating India's Income Tax Department in 2025.
- The fake emails push a download that secretly installs two remote-access trojans, meaning programs that let an outside attacker control your computer as if they were sitting at the keyboard.
- One trojan is based on Gh0st RAT, a long-established spying tool, while the second comes from the QuasarRAT and AsyncRAT family, both widely used by criminal groups.
- Each trojan calls home to its own separate server, so blocking one does not cut off the attacker's access.
- Cyderes recommends organisations focus on behaviour-based detection rather than relying on signature lists alone.
Every year, as India's tax season opens, millions of people expect emails about their filings. Criminals know this. Researchers at security company Cyderes have found a campaign that uses the rush and anxiety of tax season as cover for a serious attack.
Victims receive an email that looks like it comes from the Indian Tax Department. The message pressures them into downloading what appears to be an official income-tax utility, labelled with convincing government branding. It is not official. It is a trap.
How do the criminals stay hidden once they are inside?
The attackers stay hidden by never doing anything that looks obviously suspicious. Instead of dropping malicious software the moment someone opens the file, the attack unfolds in quiet stages.
The download contains a legitimate, digitally signed Windows program called COU_ITR-1_to_4_AY2026-27.exe. Because Windows trusts signed programs, security tools are less likely to flag it. The criminals abuse that trust by placing a malicious library file, a DLL (a bundle of code a program loads when it starts), in the folder the trusted program checks first. The trusted program loads the criminal's code without realising it.
From there, the attack checks whether it has administrator rights, patches a Windows security layer called AMSI (the Antimalware Scan Interface, which normally lets security software inspect what a program is about to run), and injects itself into svchost.exe, a standard Windows background process that would raise no eyebrows on any system.
The result: two separate spying tools, running quietly inside normal Windows processes.
One tool belongs to the Gh0st RAT lineage, tracked under that name across multiple vendor reports and active for well over a decade. The second sits in the QuasarRAT and AsyncRAT family, open-source remote-access tools that criminal groups have repurposed for years. Both let the attacker run commands, copy files, watch the screen, and install further software.
Crucially, each tool talks to its own command-and-control server, meaning the server the attacker uses to issue instructions. If a company's security team blocks one server, the second channel stays open. Cyderes described this as giving the attacker "redundant access even if one channel is blocked or detected."
Attribution here warrants caution. Cyderes has not publicly linked this campaign to a named nation-state group, and the tooling, Gh0st RAT derivatives and AsyncRAT-family implants, overlaps with a wide range of criminal and espionage clusters. Medium confidence at best on any state nexus without further infrastructure correlation.
If you are an individual taxpayer in India, treat any unexpected email asking you to download a tax utility with real suspicion. Download software only from the official Income Tax Department website. If you opened a file like this recently, ask an IT professional to check your machine.
Organisations with Indian employees or operations should watch for unusual activity from svchost.exe, unexpected new services, and any process running the .NET software framework when it normally would not.



