Hackers Target Indian Users With Fake Tax Emails to Deploy Advanced Espionage Backdoor
A multi-stage cyber espionage campaign abuses tax-themed phishing and legitimate enterprise tools to gain persistent access and monitor victims.

Cybersecurity researchers have uncovered an ongoing cyber espionage campaign targeting users in India, using phishing emails impersonating the Income Tax Department.
According to eSentire’s Threat Response Unit, the attack delivers a sophisticated multi-stage backdoor designed to establish long-term persistence, monitor user activity, and exfiltrate sensitive data. The campaign has not yet been linked to a known threat group.
How the Attack Begins
The intrusion starts with phishing emails posing as tax penalty or inspection notices. Victims are tricked into downloading a malicious ZIP archive that appears legitimate.
Inside the archive:
- Most files remain hidden
- A single executable, “Inspection Document Review.exe,” acts as the entry point
- The executable sideloads a malicious DLL embedded in the archive
Once executed, the DLL performs anti-analysis checks and contacts a remote server to retrieve the next-stage payload.
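The archive layout described above (one visible launcher beside hidden files, including the DLL it sideloads) is a pattern a mail gateway or sandbox can flag before anything runs. The following Python script is an added example written for this article; it is not code from eSentire's report or from the malware. It builds two constructed archives in memory, one mimicking the lure (with placeholder file names other than the EXE) and one benign, and classifies each by checking the MS-DOS hidden and system attribute bits that ZIP entries carry in their external attributes.

```python
import io
import posixpath
import zipfile

# MS-DOS attribute bits stored in the low byte of ZipInfo.external_attr.
# Windows Explorer hides entries carrying either bit after extraction.
DOS_HIDDEN = 0x02
DOS_SYSTEM = 0x04


def _add(zf: zipfile.ZipFile, name: str, data: bytes, attrs: int = 0) -> None:
    """Write one entry with explicit MS-DOS attributes."""
    info = zipfile.ZipInfo(name)
    info.external_attr = attrs
    zf.writestr(info, data)


def build_sample_archive() -> bytes:
    """Constructed archive mirroring the campaign's layout: a single visible
    launcher, everything else hidden. Names other than the EXE are placeholders,
    not indicators from the report; the byte contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        _add(zf, "Inspection Document Review.exe", b"MZ-placeholder")
        _add(zf, "payload.dll", b"MZ-placeholder", DOS_HIDDEN)          # sideloaded DLL
        _add(zf, "config.dat", b"placeholder", DOS_HIDDEN | DOS_SYSTEM)  # other hidden file
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: an installer whose DLL is plainly visible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        _add(zf, "setup.exe", b"MZ-placeholder")
        _add(zf, "helper.dll", b"MZ-placeholder")
        _add(zf, "README.txt", b"placeholder")
    return buf.getvalue()


def analyze_archive(data: bytes) -> dict:
    """Split entries into visible/hidden and flag the sideloading staging pattern:
    exactly one visible file, it is an EXE, and a hidden DLL sits in the same
    directory (where the loader searches first)."""
    visible, hidden = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            dos_attrs = info.external_attr & 0xFF
            bucket = hidden if dos_attrs & (DOS_HIDDEN | DOS_SYSTEM) else visible
            bucket.append(info.filename)

    visible_exes = [n for n in visible if n.lower().endswith(".exe")]
    hidden_dlls = [n for n in hidden if n.lower().endswith(".dll")]
    exe_dir = posixpath.dirname(visible_exes[0]) if len(visible_exes) == 1 else None
    colocated_dlls = [n for n in hidden_dlls if posixpath.dirname(n) == exe_dir]

    return {
        "visible": visible,
        "hidden": hidden,
        "visible_exes": visible_exes,
        "hidden_dlls": hidden_dlls,
        "suspicious": len(visible) == 1 and len(visible_exes) == 1 and bool(colocated_dlls),
    }


if __name__ == "__main__":
    for label, builder in (("lure", build_sample_archive), ("benign", build_benign_archive)):
        print(label, analyze_archive(builder()))
```

The check is deliberately narrow: a visible EXE next to a hidden DLL is the staging shape, and a DLL next to a visible EXE on its own is normal for installers. Archive tools that strip DOS attributes on rewrite will not preserve the hidden bits, so the check belongs at the point where the original attachment is inspected.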
Privilege Escalation and Stealth Techniques
After initial execution, the malware:
- Uses a COM-based technique to bypass User Account Control (UAC)
- Gains administrative privileges without user approval
- Modifies its own Process Environment Block (PEB) to masquerade as explorer.exe
These techniques help the malware evade detection while escalating control over the infected system.
Security Evasion and Payload Delivery
The next stage downloads an installer from a remote domain and adapts its behavior based on the presence of antivirus software.
If Avast Free Antivirus is detected, the malware:
- Simulates mouse movements
- Navigates the antivirus interface
- Adds malicious files to the exclusion list
- Avoids disabling the security software to reduce suspicion
This behavior relies on a DLL variant linked to Blackmoon (KRBanker), a banking trojan first identified in 2015.
Abuse of Legitimate Enterprise Tools
The campaign ultimately deploys SyncFuture TSM, a legitimate enterprise remote monitoring and management (RMM) tool developed by a Chinese vendor.
By abusing this commercial software, attackers gain:
- Full remote control of infected endpoints
- Continuous user activity monitoring
- Centralized data exfiltration
- Strong persistence across reboots
Additional components include scripts that modify permissions, create hidden directories, manage services, and clean traces of execution.
Why This Campaign Is Dangerous
This attack stands out due to its layered sophistication. By combining:
- Phishing and DLL sideloading
- Privilege escalation
- Antivirus evasion
- Commercial tool repurposing
the attackers avoid many traditional detection methods while maintaining deep control over compromised systems.
Researchers warn that the operation demonstrates clear espionage intent, not simple financial fraud.