Cybersecurity researchers have uncovered a new cyber-espionage campaign, named Operation DragonReturn, that is targeting Indian taxpayers, tax professionals, chartered accountants, corporate finance teams, and businesses. The campaign has been linked with medium-to-high confidence to a suspected China-nexus threat cluster based on its infrastructure, attack techniques, and similarities with previously observed espionage operations. The activity was first detected on May 18, 2026, and became more active during India’s income tax filing season.

The attackers are sending carefully crafted phishing emails that appear to come from the Income Tax Department of India. These emails warn recipients about tax violations, pending penalties, or filing-related issues to create urgency. Attached PDF files contain links that redirect victims to a fake website designed to closely resemble an official government portal. The website offers what looks like a legitimate Income Tax Return filing utility, making it difficult for users to recognize that it is actually malicious.
When users download and run the fake tax filing utility, a multi-stage malware infection begins in the background. Instead of installing a genuine government application, the file secretly launches several hidden components that eventually deploy DcRAT, a remote access trojan. This malware allows attackers to gain unauthorized access to infected systems, monitor user activity, steal sensitive information, and maintain long-term control over compromised devices without the victim noticing any suspicious behavior.

Researchers found that the malware uses advanced techniques to avoid detection by traditional security tools. It hides malicious code inside an image file using steganography, bypasses Windows security protections, and executes its payload directly in memory without leaving many traces on the hard drive. The malware also injects itself into legitimate Windows processes and creates a fake Windows service to ensure it continues running even after the computer is restarted.
The campaign appears to be highly organized rather than opportunistic. Researchers noted that the phishing documents contain accurate legal references, realistic formatting, and both English and Hindi content to make the emails more convincing. The attackers also frequently rotate their malicious payloads and infrastructure to avoid antivirus detection. One malware sample reportedly had no detections from antivirus engines when it was first discovered, highlighting the effort invested in keeping the campaign hidden.

Security researchers believe the primary objective of Operation DragonReturn is cyber espionage rather than immediate financial fraud. By compromising taxpayers, accountants, finance departments, and organizations connected to India’s tax ecosystem, the attackers may collect confidential financial records, tax documents, login credentials, and other sensitive information. Such intelligence could provide long-term strategic value instead of generating quick financial returns.
The investigation also revealed that the malware communicates with remote command-and-control servers using encrypted connections, making network monitoring more difficult. It establishes persistent access to infected systems and can receive additional instructions from attackers after the initial compromise. This flexibility allows threat actors to expand their activities over time, including data theft, surveillance, or deploying additional malicious tools depending on their objectives.

Cybersecurity experts recommend that individuals and organizations remain cautious when receiving tax-related emails, especially those urging immediate action or containing unexpected attachments or links. Users should download tax software only from official government sources, verify website addresses before entering sensitive information, and keep security software updated. Organizations should strengthen email filtering, monitor suspicious system activity, and educate employees about phishing attacks to reduce the risk of falling victim to campaigns like Operation DragonReturn.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news