Indian Income Tax-Themed Phishing Campaign Targets Local Businesses
A sophisticated phishing campaign impersonating the Indian Income Tax Department has been targeting local businesses. The attack begins with a spear-phishing email containing a PDF attachment that directs victims to a fake compliance portal. This triggers the download of a malicious ZIP file, which initiates a multi-stage infection chain. The payload, delivered through NSIS installers, deploys a Remote Access Trojan (RAT) with persistence capabilities. The malware harvests system information and establishes communication with command and control servers. Technical indicators suggest a China-linked development environment. This campaign demonstrates how seemingly simple tax-themed phishing can lead to complete device compromise, emphasizing the need for heightened security awareness.
AI Analysis
Technical Summary
This threat involves a multi-stage phishing campaign that begins with spear-phishing emails impersonating the Indian Income Tax Department, targeting local Indian businesses. The emails contain PDF attachments that direct victims to a counterfeit compliance portal designed to appear legitimate. Upon interaction, the portal triggers the download of a malicious ZIP archive. This archive contains NSIS (Nullsoft Scriptable Install System) installers which execute a complex infection chain. The final payload is a Remote Access Trojan (RAT) that establishes persistence on the infected system by creating services and masquerading as legitimate processes. The RAT harvests detailed system information and maintains communication with command and control (C2) servers to receive commands and exfiltrate data. The campaign employs multiple MITRE ATT&CK techniques including spear-phishing (T1566.001, T1566.002), persistence via service creation (T1543.003), masquerading (T1036), data staging (T1074), and others related to execution, defense evasion, and command and control. Indicators of compromise include a specific file hash (4001854be1ae8e12b6dda124679a4077), IP address (154.91.84.3), and domain (www.akjys.top). Attribution is uncertain but technical evidence points to a China-linked development environment. The campaign exemplifies how social engineering themed around tax compliance can lead to full device compromise and persistent unauthorized access.
Potential Impact
For European organizations, the direct impact is limited due to the campaign’s focus on Indian local businesses. However, European companies with subsidiaries, partners, or clients in India could be at risk if employees receive similar phishing emails or if attackers pivot through compromised Indian entities. The RAT’s capabilities for persistent remote access and data harvesting pose significant risks to confidentiality, integrity, and availability of affected systems. Compromise could lead to intellectual property theft, espionage, lateral movement within networks, and potential disruption of business operations. The multi-stage infection chain and use of NSIS installers complicate detection and remediation efforts. Furthermore, the campaign highlights the risk of supply chain or third-party exposure, where European firms connected to Indian businesses might face indirect threats. Overall, this campaign underscores the importance of defending against targeted phishing and malware campaigns exploiting regional tax themes, especially for organizations with cross-border business relationships.
Mitigation Recommendations
1. Deploy advanced email filtering and sandboxing solutions to detect and block spear-phishing emails, especially those containing PDFs and ZIP files.
2. Conduct targeted security awareness training emphasizing the risks of tax-themed phishing and the importance of verifying unexpected tax-related communications through official channels.
3. Implement Endpoint Detection and Response (EDR) tools capable of detecting NSIS installer execution, persistence mechanisms, and anomalous outbound network connections to suspicious domains or IP addresses.
4. Monitor and block network traffic to known malicious infrastructure such as the domain www.akjys.top and IP 154.91.84.3 at firewall and proxy levels.
5. Enforce application whitelisting to prevent unauthorized execution of installers and unknown binaries.
6. Regularly audit and restrict privileges related to service creation to limit malware persistence opportunities.
7. Maintain up-to-date threat intelligence feeds to stay informed about emerging phishing campaigns and indicators of compromise.
8. Establish and rehearse incident response procedures to quickly isolate and remediate infected systems.
9. For organizations with Indian business ties, implement additional scrutiny on tax-related communications and verify authenticity through official government channels.
10. Use multi-factor authentication and network segmentation to reduce the impact and lateral movement potential of RAT infections.
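The following detection script is an added example, not part of the original report or its source: it runs recommendations 3, 4 and 6 over constructed proxy, firewall and Sysmon-style log lines, matching the hash, IP and domain quoted in this report and flagging a service created with a binary under a user-writable path (T1543.003). The log lines, file names, service name and user name are constructed for the example.

```python
import re

# Indicators quoted in this report; all log lines below are constructed.
IOC_MD5 = {"4001854be1ae8e12b6dda124679a4077"}
IOC_IPS = {"154.91.84.3"}
IOC_DOMAINS = {"www.akjys.top"}

# A new service whose binary lives under a user-writable path is a persistence red flag.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry (key=value format; quoted values may contain spaces).
SAMPLE_LOGS = [
    r'2025-12-22T10:01:02Z proxy user=alice dst=www.akjys.top:443 action=ALLOW',
    r'2025-12-22T10:01:05Z dns client=10.0.0.5 query=www.microsoft.com',
    r'2025-12-22T10:02:10Z fw src=10.0.0.5 dst=154.91.84.3 dport=443 action=ALLOW',
    r'2025-12-22T10:02:30Z sysmon event=1 image=C:\Users\alice\Downloads\ITR_Compliance.exe md5=4001854be1ae8e12b6dda124679a4077 parent=explorer.exe',
    r'2025-12-22T10:02:45Z sysmon event=1 image=C:\Windows\System32\sc.exe cmdline="sc create WinUpdateSvc binPath= C:\Users\alice\AppData\Roaming\svc.exe" parent=ITR_Compliance.exe',
    r'2025-12-22T10:03:00Z sysmon event=1 image=C:\Program Files\Vendor\setup.exe md5=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa parent=explorer.exe',
]

def parse(line):
    """Turn a key=value log line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def classify(line):
    """Return (tag, detail) findings for one line; an empty list means no match."""
    f = parse(line)
    hits = []
    # Destination host from proxy/firewall 'dst' or DNS 'query', port stripped.
    host = f.get("dst", f.get("query", "")).split(":")[0]
    if host in IOC_DOMAINS:
        hits.append(("c2-domain", host))
    if host in IOC_IPS:
        hits.append(("c2-ip", host))
    if f.get("md5", "").lower() in IOC_MD5:
        hits.append(("known-hash", f["md5"]))
    cmd = f.get("cmdline", "")
    if re.search(r"\bsc(\.exe)?\s+create\b", cmd, re.IGNORECASE) and USER_WRITABLE.search(cmd):
        hits.append(("service-persistence", cmd))
    return hits

def scan(lines):
    """Run classify over every line; returns [(line_no, tag, detail), ...]."""
    return [(i, tag, d) for i, line in enumerate(lines, 1) for tag, d in classify(line)]

if __name__ == "__main__":
    for line_no, tag, detail in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {tag} -> {detail}")
```

In production the IoC sets would be loaded from a threat intelligence feed (recommendation 7) rather than hard-coded.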
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain
Indicators of Compromise
- hash: 4001854be1ae8e12b6dda124679a4077
- ip: 154.91.84.3
- url: https://www.akjys.top/
- domain: www.akjys.top
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/
- Adversary: null
- Pulse Id: 69497ab3f381b44007add888
- Threat Score: null
Indicators of Compromise
| Type | Value | Description |
|---|---|---|
| hash | 4001854be1ae8e12b6dda124679a4077 | — |
| ip | 154.91.84.3 | — |
| url | https://www.akjys.top/ | — |
| domain | www.akjys.top | — |
Threat ID: 694a5f2d033f6f66d772eb0d
Added to database: 12/23/2025, 9:21:49 AM
Last enriched: 1/5/2026, 11:08:52 AM
Last updated: 2/7/2026, 8:44:47 AM