Threats Tagged 't1010'
Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. of India/MoF Tax Infrastructure via Multi-Stage DcRAT Deployment
A sophisticated China-aligned cyber espionage campaign targeting India's tax infrastructure was identified between May and June 2026. The operation impersonates the Income Tax Department, Ministry of Finance, exploiting the AY2026-27 ITR filing season to target corporate entities, tax professionals, chartered accountants, and taxpayers. The attack employs spear-phishing emails with malicious attachments mimicking legitimate government utilities. The multi-stage infection chain deploys DcRAT through steganographic payload concealment, fileless .NET execution, AMSI bypass, and Windows service persistence. The threat actor demonstrates operational maturity through active payload rotation achieving 0/66 detection rates, encrypted TLS-based C2 communications, and infrastructure hosted across multiple ASNs linked to China. The campaign shows overlaps with the China-nexus threat actor Silver Fox, featuring screen capture capabilities, data exfiltration, and systematic intelligence collection from high-value India...
Severity: Medium | Type: Malware | AlienVault OTX General | 06/26/2026, 12:50:31 UTC | Added: 06/26/2026, 17:57:21 UTC

Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT
In April 2026, threat actors deployed Nimbus RAT against a legal industry target using Microsoft Teams voice phishing. The attack began with email bombing (282 emails in 90 minutes), followed by a fake IT helpdesk contact via Teams who convinced the victim to grant Quick Assist remote access. Within 20 minutes, a Java-based RAT was deployed that uses Google Drive and Google Sheets for command-and-control, making network traffic appear benign. Analysis of 1,540 suspicious Teams messages across 172 customer environments over 12 months revealed 65% originated from throwaway onmicrosoft.com tenants with IT-themed names. The malware bundles its own Java runtime, implements two credential theft mechanisms, and allows in-memory second-stage code execution. Post-compromise targeting included Signal Desktop attachments and Outlook mailboxes.
AlienVault OTX General | 05/30/2026, 11:25:19 UTC | Added: 06/02/2026, 09:48:42 UTC