As tax season gains momentum, a new wave of cyberattacks is targeting taxpayers across India. Cybercriminals are impersonating the Income Tax Department India to launch phishing campaigns that deliver dangerous malware through fake notices and compliance warnings.
The campaign, active since October 2025, mainly targets multinational organisations based in the UK and the US with operations in India. It was identified by Mimecast’s Threat Research team, which found that attackers are using highly deceptive methods to gain long-term access to systems and steal sensitive data.
Victims receive emails claiming serious violations under Section 271(1)(c) of the Income Tax Act, accusing them of concealing income or filing incorrect returns. These emails create urgency, asking users to review the issue within 72 hours through a link.
Clicking the link redirects users to fake government websites that closely resemble official portals, often available in Hindi and English. These pages include a “Download Documents” option. Once clicked, a malicious Visual Basic script is downloaded, which silently installs malware on the system.
The attack uses multiple stages, including NSIS droppers and password-protected ZIP files, to install Remote Access Trojans (RATs). One commonly used malware is the XRed trojan, active since 2019. It allows attackers to log keystrokes, steal credentials for email, banking, and cryptocurrency accounts, and collect system details such as username, MAC address, and device name.
The malware also enables remote control, allowing attackers to capture screenshots, access files, and execute commands. It ensures persistence by modifying Windows Registry settings and uses a mutex named “Synaptics2X” to avoid duplication. It can also spread through USB drives using autorun files.
The operation runs through multiple fake domains, including zyisykm[.]shop, googlevip[.]shop, dadasf[.]qpon, googleaxc[.]shop, and googlem[.]com. These domains mimic official websites, making detection difficult.
Authorities, including the Income Tax Department and Press Information Bureau, have warned that official agencies never ask for passwords, OTPs, or bank details via email, SMS, or calls. Genuine tax notices are only available through the official e-filing portal.
Users are advised to avoid clicking suspicious links, verify information directly on official platforms, and use updated antivirus protection. Organisations should also strengthen email filtering and train employees to identify phishing attempts.
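The domain list above is the kind of indicator a mail gateway or SOC can act on directly. The following Python script is an added example (not part of the article or Mimecast's research): it refangs the defanged domains quoted in the article, extracts links from a constructed sample email, and flags any link whose host is one of those domains or a subdomain of one. The sample email text, the `notice.` subdomain and the `example.com` link are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Defanged indicator domains as quoted in the article. Keeping them defanged
# ("[.]") means the list can be pasted into tickets without becoming clickable.
CAMPAIGN_DOMAINS_DEFANGED = [
    "zyisykm[.]shop",
    "googlevip[.]shop",
    "dadasf[.]qpon",
    "googleaxc[.]shop",
    "googlem[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('zyisykm[.]shop', 'hxxp://...') back into
    a comparable lowercase form. Only the bracketed-dot and hxxp styles are
    handled, which is enough for the indicators in the article."""
    out = indicator.strip().lower()
    out = out.replace("[.]", ".").replace("(.)", ".")
    out = re.sub(r"^hxxp", "http", out)
    return out


CAMPAIGN_DOMAINS = {refang(d) for d in CAMPAIGN_DOMAINS_DEFANGED}

# Plain http(s) links; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text: str) -> List[str]:
    return URL_RE.findall(text)


def host_of(url: str) -> str:
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def matches_indicator(host: str, indicators=CAMPAIGN_DOMAINS) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None.
    The suffix check uses a leading dot so 'googlevip.shop.example.com'
    does not match 'googlevip.shop'."""
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_email(body: str) -> List[Tuple[str, str]]:
    """Return (url, matched_indicator) for every link pointing at a campaign domain."""
    hits = []
    for url in extract_urls(body):
        ioc = matches_indicator(host_of(url))
        if ioc:
            hits.append((url, ioc))
    return hits


# Constructed sample lure, modelled on the notice described in the article.
SAMPLE_EMAIL = (
    "Subject: Notice u/s 271(1)(c) - concealment of income\n"
    "Your return has been flagged. Review the documents within 72 hours at\n"
    "https://notice.googlevip.shop/itd/review?ref=ITD-0042\n"
    "Mirror: http://dadasf.qpon/download/documents\n"
    "Help: https://www.example.com/help\n"
)

if __name__ == "__main__":
    for url, ioc in scan_email(SAMPLE_EMAIL):
        print(f"BLOCK {url}  (matches indicator {ioc})")
```

In a gateway rule the same suffix match would run against the `Location` header of any redirect chain too, since the article notes the lure link redirects to the lookalike portal rather than pointing at it directly.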