Tuesday, January 27, 2026


Indian taxpayers targeted in covert cyber espionage campaign using Blackmoon malware

A fresh cyber espionage campaign linked to the Blackmoon malware is targeting users across India by abusing trust in official tax-related communication. Attackers are sending phishing emails that closely resemble messages from the Income Tax Department of India, prompting recipients to download a ZIP file disguised as a tax penalty notice.

According to a cybersecurity firm, the campaign delivers a multi-stage backdoor that allows long-term surveillance of compromised systems. The final payload includes a variant of the Blackmoon banking trojan, also known as KRBanker, along with SyncFuture TSM, a legitimate enterprise monitoring tool developed by a Chinese company. The campaign has not been attributed to any known threat actor. “While marketed as a legitimate enterprise tool, it is repurposed in this campaign as a powerful, all-in-one espionage framework,” the firm said.

The malicious ZIP archive contains five files, of which only one is visible: an executable named Inspection Document Review.exe. Running it sideloads a hidden malicious DLL, which checks for debugger-induced delays (a timing-based anti-analysis check) and then contacts an external server to retrieve the next-stage payload. The downloaded shellcode bypasses User Account Control through a COM-based technique to obtain administrative privileges. To evade detection, the malware rewrites its own Process Environment Block (PEB) so that tools which trust the PEB report it as the legitimate Windows explorer.exe. The PEB is user-mode data, so the kernel's own record of the process image is unaffected; only views built from the PEB are fooled.
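The archive layout above (one visible executable shipped with hidden companion files, one of which is the DLL to be sideloaded) is easy to flag at the mail gateway or in a sandbox before anything runs. The following is an added example, not the firm's tooling or anything from the campaign: it reads the DOS hidden attribute that Windows-built ZIPs keep in each entry's external attributes and checks the MZ magic rather than the extension, since a sideloaded DLL may be renamed. The visible file name is the one the article gives; the companion names are placeholders, and the sample archive is constructed in code.

```python
"""Triage a ZIP attachment for the lure layout described above: a single
visible executable shipped with hidden companion files, one of which is a
PE (a candidate for DLL sideloading). Added example; the file names other
than the visible .exe are placeholders, not the campaign's real names."""
import io
import zipfile

FILE_ATTRIBUTE_HIDDEN = 0x02  # DOS attribute bit kept in the low byte of external_attr


def _is_hidden(info: zipfile.ZipInfo) -> bool:
    # Archives built on Windows store the DOS attributes in external_attr's low 8 bits.
    return bool(info.external_attr & 0xFF & FILE_ATTRIBUTE_HIDDEN)


def _is_pe(zf: zipfile.ZipFile, info: zipfile.ZipInfo) -> bool:
    # Check the MZ header rather than the extension: a sideloaded DLL may be renamed .dat
    with zf.open(info) as fh:
        return fh.read(2) == b"MZ"


def triage_archive(data: bytes) -> dict:
    """Return what an analyst wants at a glance plus a boolean verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        visible = [i.filename for i in entries if not _is_hidden(i)]
        hidden = [i.filename for i in entries if _is_hidden(i)]
        visible_pe = [i.filename for i in entries if not _is_hidden(i) and _is_pe(zf, i)]
        hidden_pe = [i.filename for i in entries if _is_hidden(i) and _is_pe(zf, i)]
    # Heuristic: exactly one visible file, it is a PE, and at least one hidden PE rides along.
    suspicious = len(visible) == 1 and visible == visible_pe and len(hidden_pe) > 0
    return {
        "total": len(entries),
        "visible": visible,
        "hidden": hidden,
        "hidden_pe": hidden_pe,
        "suspicious": suspicious,
    }


def build_sample(hide_companions: bool = True) -> bytes:
    """Constructed sample archive (not the real lure): five files, one .exe plus
    four companions that are hidden when hide_companions is True."""
    companions = ["helper.dll", "config.dat", "loader.bin", "readme.txt"]
    pe_stub = b"MZ" + b"\x00" * 62  # fake DOS header, enough for the magic check
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("Inspection Document Review.exe"), pe_stub)
        for name in companions:
            zi = zipfile.ZipInfo(name)
            if hide_companions:
                zi.external_attr = FILE_ATTRIBUTE_HIDDEN
            zf.writestr(zi, pe_stub if name.endswith(".dll") else b"not a PE\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample(True)))   # flagged
    print(triage_archive(build_sample(False)))  # same files, nothing hidden: not flagged
```

The hidden bit is a weak signal on its own (installers and archives from macOS sometimes carry odd attributes), which is why the verdict also requires a lone visible PE with a hidden PE beside it; a real sandbox would additionally run the visible executable and watch which DLLs it loads from its own directory.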

The attack then downloads another installer from the eaxwwyr.cn domain. If Avast Free Antivirus is present, the malware does not try to disable it; instead it simulates mouse movements to drive the product's interface and add its own files to the exclusion list, behaviour linked to a Blackmoon variant. The excluded file drops SyncFuture TSM, enabling remote access, user activity monitoring and data exfiltration. Additional components modify folder permissions, alter access rights, perform cleanup and deploy an orchestration tool called MANC.exe for service control and detailed logging. “It provides them with the tools to not only steal data but to maintain granular control over the compromised environment, monitor user activity in real time, and ensure their own persistence,” the firm said.
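The PEB rewrite described earlier leaves a detectable inconsistency: the image path the process claims in its own PEB no longer matches the path the kernel holds for it. The script below is an added example (not the firm's tooling and not code from the campaign) that reads both views for a given PID and flags a disagreement. It assumes 64-bit Python on 64-bit Windows and the documented x64 layouts, PEB.ProcessParameters at offset 0x20 and RTL_USER_PROCESS_PARAMETERS.ImagePathName at offset 0x60; the comparison helper is plain Python and runs anywhere.

```python
"""Spot a process whose user-mode PEB claims a different image path than the
kernel reports for it, the trace left by the PEB rewrite described above.
Added example, not the firm's tooling. Assumes 64-bit Python on 64-bit
Windows and the documented x64 layouts (PEB.ProcessParameters at 0x20,
RTL_USER_PROCESS_PARAMETERS.ImagePathName at 0x60)."""
import ctypes
import os
import sys

PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PEB_PROCESS_PARAMETERS_OFFSET = 0x20   # x64 PEB
PARAMS_IMAGE_PATH_NAME_OFFSET = 0x60   # x64 RTL_USER_PROCESS_PARAMETERS


class PROCESS_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("Reserved1", ctypes.c_void_p), ("PebBaseAddress", ctypes.c_void_p),
                ("Reserved2", ctypes.c_void_p * 2), ("UniqueProcessId", ctypes.c_void_p),
                ("Reserved3", ctypes.c_void_p)]


class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ushort), ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_void_p)]


def paths_disagree(peb_path: str, kernel_path: str) -> bool:
    """True when the two views name different files. Case and slash direction are
    normalised; an empty PEB path (process still initialising) is not a mismatch."""
    if not peb_path or not kernel_path:
        return False
    norm = lambda p: p.strip().replace("/", "\\").lower()
    return norm(peb_path) != norm(kernel_path)


def _win():
    # Resolved lazily so the module still imports on non-Windows hosts.
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.QueryFullProcessImageNameW.argtypes = [ctypes.c_void_p, ctypes.c_uint32,
                                               ctypes.c_wchar_p, ctypes.POINTER(ctypes.c_uint32)]
    ntdll.NtQueryInformationProcess.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                                                ctypes.c_uint32, ctypes.c_void_p]
    return k32, ntdll


def _read(k32, h, addr, ctype):
    out, got = ctype(), ctypes.c_size_t()
    if not k32.ReadProcessMemory(h, addr, ctypes.byref(out), ctypes.sizeof(out), ctypes.byref(got)):
        raise ctypes.WinError()
    return out


def peb_image_path(pid: int) -> str:
    """ImagePathName as the target's own PEB reports it (what masquerading tampers with)."""
    k32, ntdll = _win()
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not h:
        raise ctypes.WinError()
    try:
        pbi = PROCESS_BASIC_INFORMATION()
        # 0 = ProcessBasicInformation, which yields the remote PEB address
        if ntdll.NtQueryInformationProcess(h, 0, ctypes.byref(pbi), ctypes.sizeof(pbi), None):
            raise OSError("NtQueryInformationProcess(ProcessBasicInformation) failed")
        params = _read(k32, h, pbi.PebBaseAddress + PEB_PROCESS_PARAMETERS_OFFSET, ctypes.c_void_p).value
        if not params:
            return ""
        us = _read(k32, h, params + PARAMS_IMAGE_PATH_NAME_OFFSET, UNICODE_STRING)
        if not us.Buffer or us.Length == 0:
            return ""
        return _read(k32, h, us.Buffer, ctypes.c_wchar * (us.Length // 2)).value
    finally:
        k32.CloseHandle(h)


def kernel_image_path(pid: int) -> str:
    """Win32 path from the kernel's process object, which a PEB rewrite cannot touch."""
    k32, _ = _win()
    h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not h:
        raise ctypes.WinError()
    try:
        buf = ctypes.create_unicode_buffer(32767)
        size = ctypes.c_uint32(len(buf))
        if not k32.QueryFullProcessImageNameW(h, 0, buf, ctypes.byref(size)):
            raise ctypes.WinError()
        return buf.value
    finally:
        k32.CloseHandle(h)


def check_process(pid: int) -> dict:
    peb, kern = peb_image_path(pid), kernel_image_path(pid)
    return {"pid": pid, "peb_image": peb, "kernel_image": kern,
            "masquerade": paths_disagree(peb, kern)}


if __name__ == "__main__":
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(check_process(target))
```

Run it as an administrator against the PID in question; protected processes (PPL) will refuse the PROCESS_VM_READ open, which is itself worth noting rather than treating as a mismatch. EDR and Sysmon record the kernel-side image path at process creation, so the same comparison can be made after the fact against their logs.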
