New phishing campaign impersonates India’s Income Tax Department

A targeted operation is delivering AsyncRAT through highly convincing government-themed emails.

What happened

According to reporting by Cyber Security News, Indian organizations have been hit by a phishing campaign that impersonates the Income Tax Department using bilingual notices, official-looking templates, and references to tax law. The messages claim that irregularities were detected and that recipients must submit documents within strict time limits. Attached password-protected ZIP files or links hosted on trusted cloud platforms deliver malware designed to give attackers remote access to corporate systems.

Going deeper

The operation uses a two-stage chain that begins with password-protected attachments to bypass mail filters. Once opened, the files launch executables that load shellcode through regsvr32 to avoid writing detectable artefacts to disk. The malware harvests stored credentials, establishes persistence, and communicates with command servers linked to AsyncRAT. Later waves of the campaign replaced attachments with Google Docs links to deliver the second stage, taking advantage of the trust organizations place in mainstream cloud services. The campaign focused on financial firms and securities businesses that regularly exchange compliance documents with government agencies.

What was said

Security analysts reported that the phishing emails originated from QQ.com accounts that passed authentication checks, helping them slip through defences. Researchers also noted that the combination of clean sender authentication, password protection, and cloud-hosted payloads made the attack difficult for signature-based systems to detect. Raven security teams stated they identified irregularities across the email structure and blocked the campaign before it spread widely among targeted firms. The attackers relied heavily on urgency and legal language to pressure recipients into opening files without verification.
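The signal combination described above (a government brand claimed by a sender outside the expected domain, a password-protected ZIP attachment, and a Google Docs link) lends itself to a simple mail-triage check. The following is an added example, not code from Paubox or the researchers cited; the expected sender domain, the sample message and its ZIP are constructed assumptions:

```python
import io, re, zipfile
from email import message_from_string
from email.message import EmailMessage

# Campaign signals: government brand from an unexpected sender, password-protected ZIP, cloud link.
EXPECTED_SENDER_DOMAINS = {"incometax.gov.in"}  # assumption: allow-list for the real sender
CLOUD_LINK = re.compile(r"https?://(docs|drive)\.google\.com/\S+", re.I)

def zip_is_encrypted(blob: bytes) -> bool:
    # Bit 0 of the general-purpose flag marks an encrypted (password-protected) entry
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(zi.flag_bits & 0x1 for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False

def triage(raw: str) -> list[str]:
    msg = message_from_string(raw)
    sender, subject = msg.get("From", ""), msg.get("Subject", "")
    m = re.search(r"@([\w.-]+)", sender)
    domain = m.group(1).lower() if m else ""
    findings = []
    if "income tax" in (sender + subject).lower() and domain not in EXPECTED_SENDER_DOMAINS:
        findings.append(f"claims Income Tax Department but sent from {domain}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_disposition() == "attachment" and name.endswith(".zip"):
            if zip_is_encrypted(part.get_payload(decode=True) or b""):
                findings.append(f"password-protected ZIP attachment: {name}")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode(errors="replace")
            if CLOUD_LINK.search(body):
                findings.append("Google Docs/Drive link in body")
    return findings

def build_sample() -> str:
    # Constructed message mirroring the reported lure; not a real capture.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.exe", b"placeholder, not a real executable")
    data = bytearray(buf.getvalue())
    # zipfile cannot write encrypted archives: set the 'encrypted' bit (local hdr +6, central hdr +8)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(sig) + off] |= 0x1
    em = EmailMessage()
    em["From"] = "Income Tax Department <notice123@qq.com>"
    em["Subject"] = "Income Tax Notice: irregularities detected in your filing"
    em.set_content("Submit the listed documents within 3 days to avoid penalty:\nhttps://docs.google.com/document/d/EXAMPLE-ID")
    em.add_attachment(bytes(data), maintype="application", subtype="zip", filename="notice.zip")
    return em.as_string()
```

Running `triage(build_sample())` returns all three findings; a message from the allow-listed domain with a plain ZIP and no cloud link returns none.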

The big picture

According to GBHackers, researchers said the campaign marks a shift in how phishing is being carried out, noting that it “underscores a critical evolution in phishing tactics targeting Indian businesses.” Attackers are no longer relying on crude lures. Instead, they are folding “authentic government communication templates” into attacks that also involve advanced malware and misused remote administration tools. Analysts added that as threat actors find new ways to exploit authentication workflows, organizations will need defenses that look at “communication context and behavioral intent rather than relying exclusively on perimeter-based signatures.”


FAQs

Why do attackers use government impersonation in phishing campaigns?

Government notices carry authority and urgency, increasing the likelihood that recipients will open files without questioning the source.

What makes password-protected ZIP phishing effective?

Password protection prevents automated scanners from assessing the contents, allowing malicious files to pass through filters.

Why do attackers use Google Docs or cloud links?

Trusted cloud services are less likely to be blocked, giving attackers an easy way to deliver a second payload.