Breaking News
Cybercriminals are using fake Indian Income Tax Department websites to distribute sophisticated malware that deploys two separate remote access trojans (RATs) on infected systems, according to researchers at Howler Cell Threat Research.
The campaign impersonates official income tax portals and lures users with urgent tax compliance notices before tricking them into downloading a ZIP archive disguised as a legitimate tax utility.
According to the researchers, the malware employs a multi-stage infection chain designed to evade conventional endpoint security tools while giving attackers redundant remote access to compromised systems.
"The overall threat profile is high," the researchers said. "The social engineering lure is well-targeted for Indian users, the infection chain is technically sophisticated, and the dual-implant design reflects deliberate operational security planning by the threat actor."
The attack begins when victims visit fraudulent websites posing as the Indian Income Tax Department. Users are redirected through a fake Microsoft security page before downloading what appears to be an official tax utility.
The downloaded archive contains a legitimate digitally signed Windows executable alongside a malicious dynamic link library (DLL). When the trusted executable is launched, it loads the malicious DLL using DLL search-order hijacking, allowing the malware to bypass initial trust checks.
Researchers said the malware then executes a six-stage infection chain that includes privilege escalation through a User Account Control (UAC) prompt, installation of a persistence mechanism masquerading as "Windows Mixed Reality Service," and retrieval of a polyglot JPEG file containing multiple encrypted payloads.
Rather than writing the payloads to disk, later stages execute entirely in memory using reflective loading techniques, making the attack significantly harder to detect through traditional file-based security tools.
The infection ultimately deploys two separate malware families by injecting them into svchost.exe processes across all active user sessions.
The first payload is a Gh0st RAT variant that communicates with a command-and-control server over port 6666 and supports capabilities including remote shell access, file management, desktop control and screen capture.
The second payload belongs to the Quasar RAT/AsyncRAT family. It runs entirely in memory after bypassing Microsoft's Antimalware Scan Interface (AMSI) and communicates with a separate command-and-control server over port 6351.
According to Howler Cell, using two different implants provides attackers with operational redundancy.
"If one implant is identified and blocked, the other remains active," the researchers said, adding that injecting the malware into multiple user sessions enables persistence across both interactive users and service accounts.
The researchers also noted that the attackers have separated the campaign's infrastructure across multiple domains, a dedicated server hosting the polyglot payload and two independent command-and-control servers, making disruption efforts more difficult.
Because the malware executes almost entirely in memory and conceals its payloads inside what appears to be a legitimate JPEG image, conventional endpoint protection platforms may fail to detect the attack, the researchers warned.
Howler Cell said organizations should proactively hunt for indicators such as the fake Windows Mixed Reality Service, unusual host artifacts and named kernel objects associated with the malware, rather than relying solely on endpoint alerts to identify compromises.
The campaign impersonates official income tax portals and lures users with urgent tax compliance notices before tricking them into downloading a ZIP archive disguised as a legitimate tax utility.
According to the researchers, the malware employs a multi-stage infection chain designed to evade conventional endpoint security tools while giving attackers redundant remote access to compromised systems.
"The overall threat profile is high," the researchers said. "The social engineering lure is well-targeted for Indian users, the infection chain is technically sophisticated, and the dual-implant design reflects deliberate operational security planning by the threat actor."
The attack begins when victims visit fraudulent websites posing as the Indian Income Tax Department. Users are redirected through a fake Microsoft security page before downloading what appears to be an official tax utility.The downloaded archive contains a legitimate digitally signed Windows executable alongside a malicious dynamic link library (DLL). When the trusted executable is launched, it loads the malicious DLL using DLL search-order hijacking, allowing the malware to bypass initial trust checks.
Researchers said the malware then executes a six-stage infection chain that includes privilege escalation through a User Account Control (UAC) prompt, installation of a persistence mechanism masquerading as "Windows Mixed Reality Service," and retrieval of a polyglot JPEG file containing multiple encrypted payloads.
Rather than writing the payloads to disk, later stages execute entirely in memory using reflective loading techniques, making the attack significantly harder to detect through traditional file-based security tools.
The infection ultimately deploys two separate malware families by injecting them into svchost.exe processes across all active user sessions.
The first payload is a Gh0st RAT variant that communicates with a command-and-control server over port 6666 and supports capabilities including remote shell access, file management, desktop control and screen capture.
The second payload belongs to the Quasar RAT/AsyncRAT family. It runs entirely in memory after bypassing Microsoft's Antimalware Scan Interface (AMSI) and communicates with a separate command-and-control server over port 6351.
According to Howler Cell, using two different implants provides attackers with operational redundancy.
"If one implant is identified and blocked, the other remains active," the researchers said, adding that injecting the malware into multiple user sessions enables persistence across both interactive users and service accounts.
The researchers also noted that the attackers have separated the campaign's infrastructure across multiple domains, a dedicated server hosting the polyglot payload and two independent command-and-control servers, making disruption efforts more difficult.
Because the malware executes almost entirely in memory and conceals its payloads inside what appears to be a legitimate JPEG image, conventional endpoint protection platforms may fail to detect the attack, the researchers warned.
Howler Cell said organizations should proactively hunt for indicators such as the fake Windows Mixed Reality Service, unusual host artifacts and named kernel objects associated with the malware, rather than relying solely on endpoint alerts to identify compromises.
See What’s Next in Tech With the Fast Forward Newsletter
SECURITY
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.




