Researchers at Seqrite Labs have uncovered a multi-stage phishing campaign code-named Operation DragonReturn, targeting Indian taxpayers, tax professionals, and corporate finance departments. First observed on May 18, 2026, the campaign is timed to India’s tax filing season and uses spoofed emails purporting to be from the Income Tax Department to deliver the DCRat remote access trojan. The end goal is to steal credentials, financial information, and systematically exfiltrate data from compromised systems.
Infection chain: from phishing to persistence on the system
The attack begins with targeted phishing emails that mimic notifications from the Indian tax authority about violations and penalties. According to researchers Dixit Panchal and Soumen Burma from Seqrite Labs, the lures contain real legal references and bilingual content, indicating a deliberate and resource-intensive operation. The PDF attachments contain a malicious link leading to a spoofed page that offers to download a ZIP archive masquerading as the official utility for filing returns.
The archive launches a DLL sideloading chain: a legitimate application loads the malicious library nvdaHelperRemote.dll, which injects the payload into memory. The malware then performs the following actions:
- Checks for administrative privileges and, if necessary, triggers a UAC prompt to elevate rights
- Performs checks for analysis environments and sandboxes
- Downloads a JPG image (
lllyd.jpg) from a hard-coded server and saves it asC:\Windows\background.jpg
Steganography and persistence via Windows services
The downloaded image serves as a container for a hidden payload: a 504 KB DLL is extracted from it and written to the C:\Program Files\Windows Media Player\ directory. After extraction, the malware copies itself as Mixed Reality.exe and creates a Windows service named MixedSvc, configured to start automatically when the system boots. This mechanism ensures long-term presence on the infected machine.
The Mixed Reality.exe component deploys two separate modules:
- .NET loader — performs anti-analysis checks, disables Windows AMSI scanning, decrypts and loads DCRat
- Exfiltration module — takes screenshots and sends data to a remote server
Indicators of compromise
According to the research, the following IOCs were recorded:
- Domains:
govtop[.]one,kkxqbh[.]top - IP addresses:
204.194.48[.]250(payload download server),223.26.63[.]40(DCRat C2 server)- Files:
nvdaHelperRemote.dll,lllyd.jpg,Mixed Reality.exe- Windows service:
MixedSvc- IP addresses:
Reportedly, the DCRat C2 server at 223.26.63[.]40 was found hosting a management panel with a Chinese-language interface.
Threat context and links to other campaigns
In parallel with Operation DragonReturn, LevelBlue observed two separate campaigns distributing ValleyRAT, a remote access trojan targeting Chinese- and Japanese-speaking users. One campaign uses fake installers for the LINE messenger, while the other relies on phishing emails with salary adjustment lures.
The attack chain involving fake installers, according to Cybereason, uses the PoolParty Variant 7 injection technique to inject shellcode into the explorer.exe process. This same technique has previously been observed in connection with the SADBRIDGE loader, used to deploy GOSAR — a Go-based implementation of Quasar RAT. According to Elastic Security Labs, the related intrusion set that attacked Chinese-language regions via malicious Telegram and Opera installers was attributed to the REF3864 group.
It is important to stress: attribution of Operation DragonReturn to a specific actor remains speculative. In February 2026, Cybereason researcher Hajime Takai noted that overlaps between the campaigns may point to the same actor, but the evidence is not conclusive. The link between Operation DragonReturn and previously known groups is based on infrastructure indicators and has not been confirmed by independent sources.
Impact assessment
The campaign poses a high risk to India’s tax ecosystem — taxpayers, accountants, tax consultants, and corporate finance departments. Its alignment with the tax filing season increases the likelihood of successful social engineering: victims expect communications from tax authorities and are accustomed to downloading utilities from government portals. The use of real legal citations and bilingual content in the lures indicates a deep understanding of the target audience.
Compromise can lead to the leakage of tax data, financial documentation, user accounts, and corporate secrets. Persistence via a Windows service ensures stable access that can remain undetected for an extended period.
Defensive recommendations
- IOC blocking: immediately add the specified domains, IP addresses, and URLs to blocking rules on firewalls and proxy servers
- Monitoring DLL sideloading: configure detection of
nvdaHelperRemote.dllbeing loaded from non-standard directories, as well as the creation of theMixedSvcservice - File system checks: search for the files
Mixed Reality.exe,C:\Windows\background.jpg, andnvdaHelperRemote.dllin the Windows Media Player directory on workstations - AMSI control: monitor attempts to disable Windows AMSI — this is one of the indicators of loader activity
- Staff training: inform finance and accounting departments that official utilities of India’s Income Tax Department should be downloaded exclusively from the
incometax.gov.inportal, not via links in emails - UAC hardening: consider tightening UAC policies to prevent privilege escalation upon request from malicious software
Organizations working with India’s tax infrastructure should conduct a retrospective search for the listed IOCs in network traffic logs and endpoint event logs starting from May 18, 2026. Detection of any of the indicators requires immediate incident response with isolation of affected hosts and analysis of the extent of compromise — the multi-stage architecture of the campaign means that the presence of a single artifact is highly likely to indicate the full infection chain.