China-Nexus Threat Actors Target Indian Taxpayers with Sophisticated Phishing Campaigns
A suspected China-nexus threat cluster, dubbed 'Operation DragonReturn' by **Seqrite Labs**, is actively targeting Indian taxpayers, professionals, and corporate finance teams. The multi-stage campaign employs highly convincing spear-phishing tactics to deploy a remote access trojan, aiming for sensitive data theft and financial gain during the annual income tax filing season.

A sophisticated cyber espionage campaign, identified as **Operation DragonReturn** by **Seqrite Labs**, is actively targeting individuals and entities within India's financial ecosystem. This campaign, first observed on May 18, 2026, coincides strategically with the country's annual income tax filing season, maximizing its potential impact.
### Precision-Engineered Phishing Attacks
The attackers employ highly deceptive spear-phishing emails impersonating the **Income Tax Department of India**. These emails leverage lures related to tax violations and penalties, creating a false sense of urgency to trick recipients into clicking malicious links. Security researchers **Dixit Panchal** and **Soumen Burma** from **Seqrite Labs** highlighted the campaign's meticulous nature, stating, "It is not opportunistic β the precision of the lure document, the use of real legal citations, bilingual content, and active payload rotation indicate a deliberate, resourced, and sustained threat operation focused exclusively on the Indian taxpayer ecosystem."
### Multi-Stage Infection Chain
Initial attack vectors involve phishing messages containing malicious links, such as `govtop[.]one/incometax`, embedded within PDF attachments. Clicking these links directs users to a fraudulent landing page that prompts the download of a ZIP archive. This archive, masquerading as a legitimate offline utility for tax returns, is engineered to sideload a malicious DLL, `nvdaHelperRemote.dll`.
This DLL then injects a secondary payload into memory. This payload prioritizes administrative privileges, triggering a User Account Control (UAC) prompt if necessary. It also incorporates anti-analysis checks to evade detection in sandboxed environments before retrieving a JPG image (`lllyd.jpg`) from a hard-coded server (`204.194.48[.]250`). This image, stored as `C:\Windows\background.jpg`, acts as a container for yet another payload.
### Persistence and Malware Deployment
**Seqrite Labs** explained, "This image file is used as a container for a secondary payload, from which a 504 KB DLL is extracted and written to 'C:\Program Files\Windows Media Player\nvdaHelperRemote.dll'." Following extraction, the malware copies itself as `Mixed Reality.exe` and establishes persistence by creating a Windows service named `MixedSvc`, configured for automatic startup on system boot.
This intricate behavior confirms the sample's role as a downloader and installer, utilizing image-based payload concealment and Windows service persistence to maintain long-term access to compromised systems.

The `Mixed Reality.exe` binary is responsible for deploying two distinct payloads:
* A .NET malware loader that performs anti-analysis checks, establishes persistence, disables **Windows AMSI** scanning, and ultimately decrypts and loads **DCRat** on the infected machine.
* A second payload with capabilities for taking screenshots and exfiltrating data to a remote server (`kkxqbh[.]top`).
### Attributing the Threat Actor
While direct attribution remains challenging, infrastructure analysis points to the use of IP addresses associated with **ChinaNet** and a Chinese-language web management panel exposed by the **DCRat** command-and-control (C2) server (`223.26.63[.]40`). **Seqrite** also noted tactical and infrastructural overlaps with **Silver Fox**, a Chinese cybercrime group previously linked to tax-themed phishing campaigns distributing **ValleyRAT**.
Based on these similarities, **Seqrite** suspects the campaign is orchestrated by a China-aligned threat actor, aiming to establish covert access for intelligence gathering, credential theft, and systematic data exfiltration.
### Broader Threat Landscape: ValleyRAT Campaigns
This disclosure comes as **LevelBlue** reported detecting two separate campaigns employing **ValleyRAT**, targeting Chinese- and Japanese-speaking users. These campaigns utilize either fake installers for applications like **LINE** or phishing emails with salary adjustment lures.

In the email-driven campaign, malicious emails contain a URL that, when accessed, downloads a ZIP archive. This archive initiates a DLL side-loading chain, ultimately deploying **ValleyRAT**, a remote access trojan allowing attackers to seize control of infected systems.
The fake installer attack chain, conversely, uses bogus installers for popular software, deploying **ValleyRAT** through techniques such as **PoolParty Variant 7**. This method also prioritizes anti-analysis and detection evasion, as noted by **Cybereason**.
Intriguingly, the use of **PoolParty Variant 7** for shellcode injection into `explorer.exe` has been previously observed in connection with a custom malware loader known as **SADBRIDGE**. **SADBRIDGE** is designed to deploy **GOSAR**, a Golang-based reimplementation of **Quasar RAT**. **Elastic Security Labs** attributed this intrusion set, which targeted Chinese-speaking regions with malicious installers for **Telegram** and **Opera**, to **REF3864**.
**Cybereason** researcher **Hajime Takai** commented in February 2026, "While we don't have conclusive proof, these commonalities suggest they may have been created by the same threat actor."
### Recommendations for IT Security Professionals and Users
Given the sophistication of these campaigns, IT security professionals should reinforce email security gateways, implement robust endpoint detection and response (EDR) solutions, and conduct regular security awareness training, particularly on recognizing spear-phishing attempts. Privacy-conscious users should exercise extreme caution with unsolicited emails, verify the authenticity of senders, and avoid downloading attachments or clicking links from unknown or suspicious sources, especially during sensitive periods like tax filing seasons. Always download software and utilities directly from official websites.