Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware
Cybersecurity researchers have discovered an ongoing campaign that's targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage campaign. The activity, per the eSentire Threat Response Unit (TRU), involves using phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive, ultimately granting the threat
AI Analysis
Technical Summary
The campaign targets Indian users with phishing emails that impersonate the Income Tax Department of India and lure victims into downloading a malicious ZIP archive. The archive contains five files, including an executable named "Inspection Document Review.exe" that sideloads a malicious DLL. The DLL performs anti-debugging checks and then contacts a command-and-control server to download the next-stage payload. The malware uses a COM-based technique to bypass the Windows User Account Control (UAC) prompt, gaining administrative privileges without alerting the user, and modifies its Process Environment Block (PEB) so that the process presents itself as the legitimate "explorer.exe", which helps it evade detection.
The next payload, "180.exe," is a 32-bit installer that checks whether Avast Free Antivirus is running and, if so, uses automated mouse simulation to add the malicious files to Avast's exclusion list, bypassing antivirus detection without disabling the product. The campaign deploys a variant of the Blackmoon malware family, known since 2015 for targeting businesses in South Korea, the US, and Canada. It also installs SyncFuture TSM, a legitimate enterprise remote monitoring and management (RMM) tool developed by a Chinese company, repurposed here for espionage: it gives the attackers persistent access, real-time monitoring of user activity, and a channel to exfiltrate sensitive data. Batch scripts modify access control lists and user permissions to maintain control and persistence, while an executable named "MANC.exe" orchestrates services and extensive logging.
Taken together, the campaign combines anti-analysis, privilege escalation, DLL sideloading, repurposing of a commercial tool, and antivirus evasion, indicating a high level of sophistication and an intent for sustained espionage. No specific threat actor has been attributed, and no known exploits are reported in the wild for this campaign.
Potential Impact
For European organizations, the direct impact of this campaign is currently limited because it targets Indian users via tax-themed phishing. However, the use of a sophisticated multi-stage backdoor with advanced evasion and persistence techniques describes a threat model that could be adapted or extended to European targets, especially organizations with business ties to India or exposure to similar phishing themes. The repurposing of a legitimate enterprise tool for espionage raises concerns about supply chain and software trust. If adapted, such malware could give attackers persistent administrative access, let them monitor user activity, and exfiltrate sensitive data, compromising the confidentiality, integrity, and availability of critical systems. The campaign's ability to evade antivirus detection and manipulate security software settings increases the risk of a prolonged, undetected presence in networks. European organizations in finance, government, or other sectors of strategic interest to espionage-focused threat actors should be vigilant. The campaign also underscores the need for heightened awareness of phishing that exploits local tax authorities or similarly trusted entities, a lure that could easily be mirrored in European contexts.
Mitigation Recommendations
European organizations should implement targeted phishing awareness training that includes scenarios mimicking local tax authority impersonations to reduce the risk of initial compromise. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting DLL sideloading, process masquerading, and unusual privilege escalation behaviors. Monitor for unusual modifications to antivirus exclusion lists and automated interactions with security software interfaces, which may indicate malware attempting to evade detection. Restrict the use of legitimate remote monitoring and management (RMM) tools, ensuring they are deployed only from trusted sources and monitored for anomalous behavior. Employ application whitelisting to prevent unauthorized executables and scripts from running, especially those attempting to modify access control lists or user permissions. Regularly audit system permissions and ACLs for unexpected changes. Network segmentation and strict egress filtering can limit malware communication with command-and-control servers. Finally, maintain up-to-date threat intelligence feeds to detect emerging variants of Blackmoon or similar malware families and adjust defenses accordingly.
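As an added illustration of the detection logic these recommendations call for (not code from the report, eSentire, or the malware), the following Python function flags three of the behaviours described above in constructed process telemetry: a PEB-reported image that disagrees with the kernel-observed one (the "explorer.exe" masquerade), executables launched from outside trusted install locations, and command lines that change ACLs. The event schema, the sample records, and the tool names in the ACL regex (icacls, cacls, takeown) are assumptions for the example.

```python
import re

# Constructed sample telemetry (not from the report): each record mimics a
# process-creation event that carries both the kernel-observed image path and
# the name the process reports for itself via its PEB.
SAMPLE_EVENTS = [
    {"pid": 4120, "kernel_image": "C:\\Windows\\explorer.exe",
     "peb_image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5308, "kernel_image": "C:\\Users\\u\\Downloads\\Inspection Document Review.exe",
     "peb_image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5320, "kernel_image": "C:\\Windows\\System32\\cmd.exe",
     "peb_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c icacls "C:\\ProgramData\\svc" /grant Everyone:F /T'},
    {"pid": 5333, "kernel_image": "C:\\Windows\\System32\\cmd.exe",
     "peb_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Assumed trusted install locations; tune to the environment's software inventory.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumed ACL/ownership tools and the switches that change permissions.
ACL_TOOL = re.compile(r"\b(icacls|cacls|takeown)(\.exe)?\b.*?(/grant|/setowner|/f\b)", re.I)


def flag_events(events):
    """Return (pid, rule, detail) tuples for every event that trips a rule."""
    findings = []
    for ev in events:
        kernel = ev["kernel_image"].lower()
        peb = ev["peb_image"].lower()
        # Rule 1: the name a process claims in its PEB disagrees with the file the
        # kernel actually mapped; the report describes this masquerade as explorer.exe.
        if kernel != peb:
            findings.append((ev["pid"], "peb_masquerade", f"{peb} != {kernel}"))
        # Rule 2: an executable launched from outside trusted install locations
        # (e.g. an archive extracted into Downloads) is where sideloading starts.
        if not kernel.startswith(TRUSTED_DIRS):
            findings.append((ev["pid"], "untrusted_image_path", kernel))
        # Rule 3: ACL or ownership changes driven from a command line, which the
        # report attributes to batch scripts used for persistence.
        if ACL_TOOL.search(ev["cmdline"]):
            findings.append((ev["pid"], "acl_modification", ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in flag_events(SAMPLE_EVENTS):
        print(f"pid={pid} rule={rule} detail={detail}")
```

In production the two image fields would come from a kernel-level sensor (for the real path) and a user-mode process walk (for the PEB view); a mismatch between them is the signal, not either value alone.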
Affected Countries
India, United Kingdom, Germany, France, Netherlands
Technical Details
- Article Source: https://thehackernews.com/2026/01/indian-users-targeted-in-tax-phishing.html (fetched 2026-01-26, 1,168 words)
Threat ID: 6977d37c4623b1157cbb6736
Added to database: 1/26/2026, 8:50:04 PM
Last enriched: 1/26/2026, 8:50:20 PM
Last updated: 2/7/2026, 1:00:58 AM
Views: 59