Got That Income Tax Notice On Mail? Stop! It Could Be A Trap

Recent phishing attacks have targeted Indian users, exploiting emails that impersonate the Income Tax Department, according to cybersecurity resear...

Summarized by AI ⓘ

What is the story about?

got that income tax notice on mail? stop! it could be a trap

Indian users have been the target of hackers in the past. And now, a recent attack has been targeting users via a phishing attack, as reported by The Hacker News. The Cybersecurity researchers from the eSentire Threat Response Unit (TRU) have identified the activity, which reportedly uses malicious emails pretending to be from the Income Tax Department of India. Most of these emails are framed around tax penalties, which is a tactic designed to trigger urgency and prompt quick action as well. According to the report, the phishing messages include a ZIP archive that, if downloaded, can trigger a multi-stage infection process. The final goal of this campaign is to deploy a variant of the Blackmoon banking trojan clubbed with a legitimate enterprise

management tool known as SyncFuture Terminal Security Management (TSM) created by Chinese firm Nanjing Zhongke Huasai Technology CO., Ltd.Keeping Your Posts Private On Instagram? Alert! Hackers Can Access Them With This Trick As mentioned by the researchers, the SyncFuture TSM is marketed as a lawful business product, but it is being misused in this phishing campaign as an all-in-one espionage framework. eSentire's statement read, 'By deploying this system as their final payload, the threat actors establish resilient persistence and gain a rich feature set to monitor victim activity and centrally manage the theft of sensitive information.'

How The Attack Is Triggered?

As reported by THN, the ZIP file is distributed via fake tax notices, and it comprises five hidden components with only one visible executable labelled Inspection Document Review.exe. The malware connects to an external server and downloads the additional components to gain elevated system privileges while pretending to be a legit Windows process, avoiding all suspicion. The report also says that the malware installs additional scripts and executables are installed to make its stronghold on the victim's PC. eSentire said, 'It provides them with the tools to not only steal data but to maintain granular control over the compromised environment, monitor user activity in real-time, and ensure their own persistence. By blending anti‑analysis, privilege escalation, DLL sideloading, commercial‑tool repurposing, and security‑software evasion, the threat actor demonstrates both capability and intent.'