Indian Income Tax-Themed Phishing Campaign Targets Local Businesses
A sophisticated phishing campaign impersonates the Indian Income Tax Department to target local businesses via spear-phishing emails containing malicious PDF attachments. These attachments redirect victims to a fake compliance portal, triggering the download of a malicious ZIP file that initiates a multi-stage infection chain. The payload, delivered through NSIS installers, installs a Remote Access Trojan (RAT) with persistence capabilities, enabling attackers to harvest system information and maintain command and control communications. Technical indicators link the malware development environment to China. Although primarily targeting Indian businesses, the campaign highlights risks of tax-themed phishing leading to full device compromise. No CVSS score is available; the threat is assessed as medium severity due to the complexity and impact of the infection chain. European organizations should be aware of potential spillover risks, especially those with business ties to India or handling Indian tax-related data.
AI Analysis
Technical Summary
This threat involves a targeted phishing campaign that impersonates the Indian Income Tax Department to deceive local businesses into opening spear-phishing emails containing PDF attachments. These PDFs direct victims to a counterfeit compliance portal designed to appear legitimate, which then triggers the download of a malicious ZIP archive. The ZIP file contains NSIS (Nullsoft Scriptable Install System) installers that execute a multi-stage infection chain culminating in the deployment of a Remote Access Trojan (RAT). This RAT establishes persistence on the infected system, enabling continuous unauthorized access. It harvests detailed system information and communicates with command and control (C2) servers to receive instructions and exfiltrate data. The infection chain leverages multiple MITRE ATT&CK techniques such as spear-phishing (T1566.002, T1566.001), persistence via service creation (T1543.003), masquerading (T1036), and data staging (T1074). Indicators of compromise include a specific file hash (4001854be1ae8e12b6dda124679a4077), an IP address (154.91.84.3), and a malicious domain (www.akjys.top). Attribution is uncertain, but technical evidence suggests a China-linked development environment. The campaign exemplifies how tax-themed social engineering can lead to full device compromise, emphasizing the need for vigilance against targeted phishing attacks.
Potential Impact
For European organizations, the direct impact may be limited due to the campaign’s focus on Indian local businesses. However, European companies with subsidiaries, partners, or clients in India could be at risk if employees receive similar phishing emails or if attackers pivot through compromised Indian entities. The RAT’s capabilities for persistent remote access and data harvesting pose significant risks to confidentiality, integrity, and availability of affected systems. Compromise could lead to intellectual property theft, espionage, or lateral movement within networks. Additionally, the use of sophisticated multi-stage infection chains increases the difficulty of detection and remediation. The campaign also highlights the broader threat of supply chain or third-party risk, where European firms connected to Indian businesses might face indirect exposure. Overall, the threat underscores the importance of defending against targeted phishing and malware campaigns that exploit regional tax themes.
Mitigation Recommendations
1. Implement advanced email filtering and sandboxing to detect and block spear-phishing emails and malicious attachments, especially PDFs and ZIP files.
2. Conduct targeted security awareness training focusing on tax-themed phishing and spear-phishing tactics, emphasizing verification of unexpected tax-related communications.
3. Employ endpoint detection and response (EDR) solutions capable of identifying NSIS installer usage, persistence mechanisms, and unusual outbound network connections to suspicious domains or IPs.
4. Monitor network traffic for communications to known malicious infrastructure such as the domain www.akjys.top and IP 154.91.84.3, and block these at the firewall or proxy level.
5. Enforce application whitelisting to prevent unauthorized execution of installers and unknown binaries.
6. Regularly audit and restrict service creation privileges to limit persistence opportunities for malware.
7. Maintain up-to-date threat intelligence feeds to detect emerging phishing campaigns and indicators of compromise.
8. Establish incident response procedures to quickly isolate and remediate infected systems.
9. For organizations with Indian business ties, implement additional scrutiny on tax-related communications and verify authenticity through official channels.
10. Use multi-factor authentication and network segmentation to reduce the impact of potential RAT infections.
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain
Indicators of Compromise
- hash: 4001854be1ae8e12b6dda124679a4077
- ip: 154.91.84.3
- url: https://www.akjys.top/
- domain: www.akjys.top
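Mitigation item 4 asks for monitoring of traffic to the listed domain and IP. The following is an added example, not part of the advisory or its source report: it matches the indicators above against a constructed proxy log and compares a file's MD5 against the listed hash (the 32-hex-character hash is assumed to be MD5; the log format and sample lines are invented for illustration).

```python
import hashlib
import re

# IoCs quoted in the advisory above; the 32-hex-character hash is assumed to be MD5.
IOC_HASHES = {"4001854be1ae8e12b6dda124679a4077"}
IOC_IPS = {"154.91.84.3"}
IOC_DOMAINS = {"www.akjys.top"}

# Constructed sample proxy log (not from the advisory): "timestamp client dest_ip url".
SAMPLE_PROXY_LOG = """\
2025-12-23T09:01:12Z 10.0.0.15 93.184.216.34 https://www.example.com/
2025-12-23T09:02:40Z 10.0.0.22 154.91.84.3 https://www.akjys.top/compliance
2025-12-23T09:03:05Z 10.0.0.22 154.91.84.3 http://154.91.84.3/update.zip
2025-12-23T09:04:59Z 10.0.0.31 203.0.113.9 https://intranet.example.org/tax
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)

def host_of(url):
    """Lowercase hostname of a URL, or '' when the URL has no scheme."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""

def domain_matches(host):
    """True for an IoC domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def scan_proxy_log(text):
    """Return (timestamp, client, reason) for every line that touches a known IoC."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, client, dest_ip, url = m.groups()
        reasons = []
        if dest_ip in IOC_IPS:
            reasons.append("dest ip " + dest_ip)
        if domain_matches(host_of(url)):
            reasons.append("domain " + host_of(url))
        if reasons:
            hits.append((ts, client, "; ".join(reasons)))
    return hits

def is_known_sample(data):
    """Compare the MD5 of a file's bytes with the advisory's hash."""
    return hashlib.md5(data).hexdigest() in IOC_HASHES
```

Every hit names the internal client that reached the infrastructure, which is the host to isolate first under mitigation item 8.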
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/
- Adversary: null
- Pulse Id: 69497ab3f381b44007add888
- Threat Score: null
Threat ID: 694a5f2d033f6f66d772eb0d
Added to database: 12/23/2025, 9:21:49 AM
Last enriched: 12/23/2025, 9:37:16 AM
Last updated: 12/23/2025, 10:39:57 PM