Indian taxpayers opened their inboxes this spring to find urgent warnings from what looked like the Income Tax Department. Pay your dues or face penalties. Click here to download the official utility and file before the deadline. But the links led not to relief but to a sophisticated infection chain that ultimately dropped a remote access trojan on their machines.
The campaign, which began appearing in mid-May 2026, shows a level of tailoring that stands out even among state-aligned operations. Attackers crafted bilingual lures complete with accurate legal citations. They timed the emails to coincide with peak filing season. And they rotated payloads actively to stay ahead of detection. Seqrite Labs researchers Dixit Panchal and Soumen Burma described the effort as “deliberate, resourced, and sustained.”
The security firm gave the activity the name Operation DragonReturn. Its targets span ordinary taxpayers, tax professionals, and finance teams inside corporations. The apparent aim mixes financial theft with broader data collection. Yet the technical sophistication and infrastructure point strongly toward actors aligned with China.
Here’s how the attack unfolds. A spear-phishing email arrives with a PDF attachment. Inside sits a link to govtop[.]one/incometax. Visitors reach a convincing page that urges them to download a ZIP file. The archive contains what seems to be the legitimate offline utility published by the Income Tax Department. In truth it sideloading a malicious DLL named nvdaHelperRemote.dll. That library injects further code into memory.
The payload first checks for administrative rights. If absent it prompts the user via User Account Control. Next come anti-analysis routines designed to thwart sandboxes and virtual machines. Only then does the code reach out to a hardcoded server at 204.194.48[.]250. It pulls down an image file called lllyd.jpg. This ordinary-looking JPEG actually hides the next stage payload.
Seqrite’s analysis shows the image serves as a container. From it the malware extracts a 504-kilobyte DLL and writes it to C:\Program Files\Windows Media Player\nvdaHelperRemote.dll. The original binary renames itself Mixed Reality.exe. It then creates a Windows service called MixedSvc that starts automatically on boot. Persistence achieved. Long-term access secured. The entire sequence relies on image-based concealment and legitimate-looking service names to blend in.
Once established the Mixed Reality component deploys one of two possible follow-on payloads. The first acts as a .NET loader. It disables Windows Antimalware Scan Interface, performs additional evasion checks, and decrypts DcRAT in memory. The second focuses on screenshots and data exfiltration to a command server at kkxqbh[.]top. DcRAT itself has a long history as a versatile backdoor sold in underground markets but frequently adopted by advanced groups.
Infrastructure clues reinforce the China connection. Several IP addresses trace to ChinaNet. The DcRAT command-and-control panel at 223.26.63[.]40 presents a Chinese-language interface. Overlaps exist with Silver Fox, a Chinese cybercrime outfit previously tied to tax-themed phishing that delivers ValleyRAT. Those common tactics, techniques, and procedures suggest either collaboration or shared tooling among actors operating in the same region.
But this isn’t an isolated incident. Recent reporting reveals a broader pattern of China-linked operators exploiting trust in routine business and government processes. Google’s Threat Intelligence Group documented how groups tracked as UNC1549 and UNC6446 have used spoofed job portals and fake job offers since at least 2022 to target the defense industrial base. The actors send malicious resumes or assessment tools that deliver malware once opened.
The Five Eyes intelligence alliance issued a public alert in early June 2026 highlighting exactly this tactic. Chinese spies create fake profiles on LinkedIn, Indeed, and Upwork. They pose as recruiters offering high-paying defense or foreign policy roles. The goal remains the same: extract sensitive information or plant malware on the computers of cleared personnel. The FBI followed up by seizing 13 domains used in one such recruitment scheme. “China’s intelligence services are using fake job offers to target current and former U.S. government employees,” the Department of Justice stated in its announcement.
Similar patterns appear in Southeast Asia and beyond. Palo Alto Networks Unit 42 noted in its 2026 Global Incident Response Report that Chinese-nexus activity continues to emphasize long-term access and data exfiltration. The report highlights a shift away from purely email-based espionage toward deeper network compromises. Some operations now experiment with AI-assisted reconnaissance and evasion, though the core social engineering remains stubbornly human.
Tax-themed lures carry special weight in India. Citizens and businesses file returns under tight annual deadlines. A message claiming violations or penalties triggers immediate anxiety. Attackers counted on that reaction. They mirrored the look and language of genuine government communications. The result was a higher click rate than generic phishing would achieve. And once inside a victim’s machine the malware doesn’t simply steal banking details. It can capture screenshots, log keystrokes via DcRAT, and exfiltrate files of interest to intelligence collectors.
Security teams tracking these intrusions see clear evolution. Earlier campaigns from similar actors relied on straightforward malicious attachments. Today’s versions chain multiple stages, hide payloads inside images, and abuse Windows services for stealth. The use of a legitimate-sounding executable name like Mixed Reality.exe adds psychological cover. Users scanning their program list might dismiss it as benign software related to augmented reality features.
Yet attribution remains probabilistic. Seqrite stops short of naming a specific group. Instead it points to tactical similarities with Silver Fox and the presence of Chinese infrastructure. That caution reflects the reality of modern threat intelligence. Many operations blend state direction with contractor execution or outright criminal partnerships. The lines blur. The impact does not.
Organizations defending against these threats face a difficult balance. Blocking every suspicious email risks disrupting legitimate tax and recruitment communications. Educating users helps but proves insufficient against well-crafted lures that exploit real deadlines and real fears. Technical controls such as application allow-listing, strict DLL loading policies, and network segmentation offer stronger protection. So does hunting for the specific indicators Seqrite published: the malicious domains, the JPEG staging server, the MixedSvc service name.
The campaign also underscores a larger strategic shift. China-aligned actors increasingly target sectors that process sensitive financial or personal data. Tax records can reveal business relationships, investment patterns, and individual vulnerabilities useful for both espionage and influence operations. Corporate finance teams hold spreadsheets that map supply chains or intellectual property valuations. Once compromised those datasets travel quickly to servers in China.
Recent weeks brought additional warnings. HackRead reported on the Five Eyes advisory detailing how fake job advertisements now serve as primary vectors against military and government staff. The advisory explicitly calls out the use of research group personas and vague consulting gigs that promise substantial pay for minimal work. Recipients who engage often receive follow-up documents that install backdoors.
Defenders inside Indian government ministries and private firms have begun sharing indicators from Operation DragonReturn. Some report isolated infections already detected in corporate environments. Others note the campaign’s focus on tax professionals who serve multiple clients. A single compromised accountant could expose dozens of high-value targets indirectly.
The timing feels deliberate. India’s digital economy continues rapid expansion. More citizens file taxes online each year. Government pushes for paperless compliance. Threat actors simply ride that wave, turning routine bureaucratic processes into infection opportunities. Similar tactics have succeeded against other nations’ revenue services in the past. The difference here lies in the precision and the suspected end goal of sustained intelligence collection rather than pure financial fraud.
Seqrite’s researchers emphasized one point above all. This activity shows clear signs of planning and resources. The bilingual content, the accurate citations, the payload rotation. None of that happens without investment. And that investment suggests the operators expect significant returns in the form of stolen data or persistent footholds inside Indian networks.
Companies and individuals alike now confront a reality where even the most mundane government interaction carries risk. A tax filing reminder. A job posting. Both can conceal code that opens the door to remote control. The hackers don’t need zero-days or exotic exploits. They succeed by understanding human behavior during moments of stress or ambition. And they keep succeeding because that understanding runs deeper than most defenses anticipate.
Whether this particular cluster belongs to Silver Fox, another named group, or an untracked contractor matters less than the pattern it reveals. China-nexus operators have integrated fake government communications and fake employment opportunities into a single playbook. They adapt the lure to the victim’s context. They refine the delivery. They maintain access long after the initial click fades from memory. Security teams that treat these incidents as isolated phishing misses miss the larger campaign.
The full scope of data stolen through Operation DragonReturn may never become public. But the technical details Seqrite disclosed provide a roadmap for detection. Organizations should scan for the known domains, the specific service creation events, and anomalous JPEG downloads from unusual IP ranges. More importantly they should reassess how they verify communications from tax authorities and recruiters alike. In both cases a moment of skepticism before downloading or engaging can prevent months of cleanup.
As tax season winds down in India the emails may slow. The infrastructure will likely shift. New lures will appear, perhaps tied to refunds or audits. The actors behind them have demonstrated patience and adaptability. Their targets, from individual filers to corporate finance departments, cannot afford to match that patience with complacency.


WebProNews is an iEntry Publication