"It is not opportunistic – the precision of the lure document, the use of real legal citations, bilingual content, and active payload rotation indicate a deliberate, resourced, and sustained threat operation focused exclusively on the Indian taxpayer ecosystem," security researchers Dixit Panchal and Soumen Burma said.
Seqrite Labs' Operation DragonReturn: a seasonal, targeted phishing campaign
Seqrite Labs has tracked a multi-stage spear-phishing operation it calls Operation DragonReturn that began on May 18, 2026 and specifically targets Indian taxpayers, tax professionals, and corporate finance teams during the country's annual income‑tax filing season. The campaign uses emails impersonating the Income Tax Department of India and PDF attachments that embed a malicious link ("govtop[.]one/incometax") designed to create urgency with tax-violation and penalty lures. Seqrite assesses the end goal is deployment of malware for financial gain or sensitive-data theft.
How the attack chain works: fake utility, DLL side‑loading, image‑based concealment
Upon clicking the link in the PDF, victims are directed to a bogus landing page that instructs them to download a ZIP archive purported to contain an offline tax-filing utility. That archive is engineered to sideload a malicious DLL named nvdaHelperRemote.dll, which then injects an additional payload into memory. The payload requests elevated privileges — triggering a User Account Control prompt if necessary — and performs anti‑analysis and sandbox checks before continuing.
Seqrite describes a specific file-stage used to hide the secondary payload: the malware retrieves an image file lllyd.jpg from a hard-coded server at 204.194.48[.]250 and saves it as C:\Windows\background.jpg. The image file acts as a container; a 504 KB DLL is extracted from it and written to C:\Program Files\Windows Media Player\nvdaHelperRemote.dll. After extraction, the malware copies itself as Mixed Reality.exe and establishes persistence by creating a Windows service named MixedSvc configured to start automatically on boot. "This behaviour confirms that the sample functions as a downloader and installer, using image-based payload concealment and Windows service persistence to maintain long-term access to the infected system," Seqrite Labs explained.
DcRAT, AMSI disabling, and data exfiltration to remote servers
The Mixed Reality.exe dropper installs two distinct payloads. One is a .NET loader that performs anti‑analysis checks, establishes persistence, disables Windows AMSI scanning, and decrypts and loads DCRat on the host. The other payload captures screenshots and exfiltrates data to a remote server at kkxqbh[.]top. Seqrite's infrastructure analysis points to command-and-control activity on an IP address that resolved to a Chinese-language web management panel at 223.26.63[.]40 and the use of IP addresses belonging to ChinaNet.
Infrastructure overlaps: Silver Fox, ValleyRAT, PoolParty Variant 7 and related campaigns
Seqrite identified tactical and infrastructure overlaps between Operation DragonReturn and Silver Fox, a Chinese cybercrime group previously associated with tax-themed phishing campaigns that delivered ValleyRAT. Independent reporting cited LevelBlue detecting separate campaigns using fake installers for LINE and phishing emails with salary-adjustment lures to distribute ValleyRAT to Chinese- and Japanese-speaking users. Cybereason has reported fake installer attack chains that use techniques including PoolParty Variant 7 and focus on anti‑analysis and detection evasion.
PoolParty Variant 7 — which injects shellcode into explorer.exe — has been observed before in connection with a loader called SADBRIDGE used to deploy a Golang reimplementation of Quasar RAT known as GOSAR; Elastic Security Labs attributed that intrusion set to REF3864. Cybereason researcher Hajime Takai cautioned in February 2026, "While we don't have conclusive proof, these commonalities suggest they may have been created by the same threat actor."
What this means for technologists, tax professionals, and policymakers
- Technologists and security teams: Watch for DLL side‑loading chains, image‑based payload concealment, creation of services such as MixedSvc, AMSI‑disabling behavior, and network indicators tied to 204.194.48[.]250, kkxqbh[.]top, and 223.26.63[.]40. The campaign's anti‑analysis steps and UAC elevation attempts indicate defenders should combine endpoint telemetry with robust sandboxing and service‑creation detection.
- Tax professionals and corporate finance teams: The campaign uses highly tailored lures — bilingual content and real legal citations — and impersonates the Income Tax Department; any unexpected tax notices with embedded links or ZIP attachments should be treated as high risk during filing season.
- Policymakers and regulators: The operation's timing with the tax‑filing season and its cross‑border infrastructure raise questions about coordinated threat monitoring, information sharing, and the need to alert the taxpayer ecosystem in advance of seasonal phishing waves.
Seqrite's reporting paints Operation DragonReturn as a deliberate, resourced intrusion set that blends classical social engineering with layered technical concealment — from DLL sideloading to image‑based payload storage — and culminates in deployment of a remote access trojan capable of persistent access and data theft. Attribution remains characterized as "suspected China‑aligned" based on infrastructure and overlap with prior campaigns, but the campaign's precision and active payload rotation are the clearest takeaways: targeted tax‑season phishing continues to be an effective vector for long‑term clandestine access.




