Hacking

Operation DragonReturn Targets Indian Taxpayers With DCRat

Published  ·  5 min read

An activity cluster that is associated with China-nexus threat actors has been noticed targeting Indian taxpayers, tax professionals, and corporate financial staff. This group is dropping the remote access trojan which will help the attackers to exfiltrate confidential data from compromised hosts.

The multistage attack operation is referred to as Operation DragonReturn by Seqrite Labs and involves distributing spear-phishing emails disguised as Income Tax Department of India. The activity was first spotted on May 18, 2026, coinciding with the annual income tax filing season in the country.

Seqrite researchers observed that the campaign is not opportunistic in nature. This is evidenced by the accuracy of the lure document, legitimate legal citations, bilingual support, and the fact that there is regular payload rotation which shows a well-planned, funded, and persistent operation targeting only Indian taxpayers.

Attack Chain

Operation DragonReturn tax-related phishing campaign starts with phishing emails pretending to be India's income tax department. It tricks the victim by using tax violation and penalty lure emails to create urgency. This causes the user to click on the malware link in the attachment.

The bogus landing page instructs users to download a ZIP archive. The archive appears to contain a common offline utility provided by the department to file tax returns. In reality, it is engineered to sideload a malicious DLL named nvdaHelperRemote.dll.

That DLL injects another payload into memory. This payload checks whether it is running with administrative privileges. Otherwise, it raises a User Account Control (UAC) prompt for the user to execute it with higher privileges.

When run, it first conducts checks to prevent itself from running in an analysis or sandboxed environment. Next, it downloads a JPG image file from a hardcoded server and saves it as C:\Windows\background.jpg.

The image file is the container that contains the second payload. The malware will extract a 504 KB dll file and will place it at the location: C:\Program Files\Windows Media Player\nvdaHelperRemote.dll.

Once the payload extraction has been completed, the malware will duplicate itself as "Mixed Reality.exe" and will make sure to persist by creating a windows service called "MixedSvc."

The Payloads

The Mixed Reality.exe binary is responsible for deploying two different payloads:

  • First payload: A .NET malware loader that carries out anti-analysis checks, establishes persistence, disables Windows AMSI scanning, and decrypts and loads DCRat on the infected machine.
  • Second payload: Features capabilities to take screenshots and exfiltrate data to a remote server.

Attribution

The Operation DragonReturn tax-themed phishing campaign attribution remains unclear.

However, infrastructure analysis indicates several clues:

  • IP addresses belonging to ChinaNet are used
  • A Chinese-language web management panel is exposed by the DCRat command-and-control server
  • Infrastructure and tactical overlaps with Silver Fox, a Chinese cybercrime group previously attributed to tax-themed phishing campaigns delivering ValleyRAT

Based on these similarities, Seqrite suspects the campaign is the work of a China-aligned threat actor with an aim to establish covert access for intelligence collection, credential theft, and systematic data exfiltration.

Related ValleyRAT Campaigns

LevelBlue detected two distinct campaigns employing fake installers and phishing emails with salary adjustment lures to distribute ValleyRAT targeting Chinese- and Japanese-speaking users.

The email-based malware campaign starts by sending out a malicious email with a URL link. Upon accessing the link, it will initiate the downloading of a ZIP file that functions as the basis of a DLL sideloading chain for downloading and installing ValleyRAT.

The fake installer attack chain employs bogus installers for popular software to deliver the malware. It uses techniques like PoolParty Variant 7 while focusing on anti-analysis and detection evasion.

The SADBRIDGE Connection

The use of PoolParty Variant 7 to inject shellcode into explorer.exe has been previously observed in connection with a custom malware loader called SADBRIDGE. That loader is designed to deploy GOSAR, a Golang-based reimplementation of Quasar RAT.

The intrusion set targeted Chinese-speaking regions with malicious installers for Telegram and Opera. Researchers noted commonalities suggesting they may have been created by the same threat actor.

The Bottom Line

Operation DragonReturn shows how phishing campaigns have become a way to take advantage of tax season. Emails impersonating the Income Tax Department. Attachments in PDF format with malware links. ZIP files with DLL sideloading chains. DCRat for data theft.

The precision of the lures, the use of real legal citations, and the active payload rotation indicate a deliberate operation. Check your emails. Verify the source. And be cautious of tax-related links during filing season.

FAQ Section

What is Operation DragonReturn?

Operation DragonReturn is an example of spear phishing attacks on Indian taxpayers, accountants, and business financial managers through tax-related phishing baits that deliver DCRat malware.

What is the technique behind this operation?

The phishing emails are impersonating India's Income Tax Department. The emails contain PDF files with malicious hyperlinks. Upon clicking on the hyperlink, the user will download a ZIP file, which is a DLL sideloading chain that delivers the DCRat malware.

Which form of malware is being used?

In this attack, two types of malware are being used – one is DCRat, which is a Remote Access Trojan, while the other one can take screenshots and steal data.

Which threat actor is behind this attack?

Though it is difficult to confirm, but it appears that there is some connection between the two attacks and the cybercriminal group, Silver Fox, which is a Chinese one as its IP addresses are connected with ChinaNet and Chinese website management portal.

When did this attack begin?

This attack began on May 18, 2026, and it coincided with the annual income tax filing deadline for India.

What should I do?

You should be wary of any tax related emails and only click links from verified sources. You should never download any ZIP file attachments from emails.

Source: The Hacker News
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067