Seqrite Income Tax phishing campaign in India exposed

A tax-season phishing wave is targeting businesses with fake compliance notices that deploy remote access malware. The campaign uses image-based emails, forged certificates and stealth techniques to infiltrate corporate networks.

DQC Bureau


Seqrite, the enterprise security arm of Quick Heal Technologies Limited, has uncovered an Income Tax-themed phishing campaign targeting Indian businesses during the tax season. The campaign uses fraudulent compliance notices to deliver remote access trojans and take control of corporate systems.

The threat was identified by researchers at Seqrite Labs, which the company describes as India’s largest malware analysis facility. According to the findings, attackers are exploiting the urgency associated with tax deadlines to deceive employees and infiltrate enterprise environments.

How the campaign operates

The phishing attack begins with a spear-phishing email that appears to originate from the Income Tax Department. The message includes the Government of India emblem, official-looking letterheads and fabricated compliance deadlines.

However, the sender’s address belongs to a public Outlook account, which marks the message as not being an official government communication. The email body contains no written text, only an image designed to resemble an authentic tax notice. This tactic is intended to bypass email filters that scan message text for suspicious keywords.

Attached to the email is a PDF file titled “Review Annexure.pdf,” which claims the recipient has failed to comply with a tax review dated October 3, 2025. The document creates a sense of urgency, pressuring the recipient to take immediate action.

Opening the PDF redirects the victim to a fraudulent compliance portal. The site automatically triggers a forced download of a ZIP file named “Review Annexure.zip.” The portal also advises users to disable antivirus software, a common red flag in malicious campaigns.
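As an added illustration (not Seqrite's code), the checks a mail gateway could apply to the lure pattern described above: a government-sounding display name on a public webmail address, a body with no readable text, and a PDF attachment. The webmail domain list and both sample messages are constructed for this example.

```python
import re
from email import policy, message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

# Consumer webmail domains a government department would not send from (illustrative list).
PUBLIC_WEBMAIL = {"outlook.com", "hotmail.com", "live.com", "gmail.com", "yahoo.com"}
GOVERNMENT_HINTS = ("income tax", "incometax", "government of india")

def score_tax_notice(raw: bytes) -> dict:
    """Flag a message that claims a government sender but comes from public webmail,
    carries no readable text (image-only body) and attaches a PDF."""
    msg = message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    claims_gov = any(h in f"{name} {msg.get('Subject', '')}".lower() for h in GOVERNMENT_HINTS)
    public_sender = addr.rsplit("@", 1)[-1].lower() in PUBLIC_WEBMAIL
    visible_text, has_image, pdf_attached = "", False, False
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_attachment():  # a lure such as "Review Annexure.pdf" lands here
            pdf_attached |= ctype == "application/pdf" or (part.get_filename() or "").lower().endswith(".pdf")
        elif ctype.startswith("image/"):
            has_image = True
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            visible_text += re.sub(r"<[^>]+>", " ", body) if ctype == "text/html" else body
    signals = {"gov_claim_from_webmail": claims_gov and public_sender,
               "image_only_body": has_image and not visible_text.strip(),
               "pdf_attached": pdf_attached}
    # Any one signal is common in benign mail; two or more together match the lure pattern.
    signals["suspicious"] = sum(signals.values()) >= 2
    return signals

def build_sample(sender: str, html: str, pdf_name: str = "") -> bytes:
    """Construct a test message; the image and PDF bytes are placeholders, not real files."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, "accounts@example.invalid"
    msg["Subject"] = "Income Tax compliance review: action required"
    msg.set_content(html, subtype="html")
    msg.add_related(b"\x89PNG placeholder", maintype="image", subtype="png", cid="<notice>")
    if pdf_name:
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename=pdf_name)
    return msg.as_bytes()

# Constructed sample mirroring the campaign: webmail sender, image-only body, PDF lure.
PHISH = build_sample('"Income Tax Department" <notice.itd@outlook.com>',
                     '<html><body><img src="cid:notice"></body></html>', "Review Annexure.pdf")
# Constructed benign sample: readable text, organisation domain, no attachment.
BENIGN = build_sample('"Accounts" <accounts@example.invalid>',
                      '<p>Attached is the quarterly statement.</p><img src="cid:notice">')
```

Running `score_tax_notice` over the two samples shows all three signals firing for the constructed lure and none for the benign message.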

Malware deployment and execution

Inside the ZIP archive is a 150 MB executable digitally signed with a certificate issued to “Hengshui Shenwei Technology Co., Ltd.” The signature is used to give the file an appearance of legitimacy.

Once executed, the file runs a two-stage NSIS installer. The first stage deletes itself after unpacking the payload, leaving minimal traces. The second stage installs a remote access trojan along with a Windows Real-time Protection Service component.

After installation, the malware collects sensitive system data, including:

  • Operating system details
  • Installed applications
  • Running services
  • Hardware information
  • User activity logs

The stolen data is stored in an encrypted folder and transmitted to command-and-control servers located in China. The attackers use non-standard ports to reduce detection risks.

With remote access established, threat actors can exfiltrate files, monitor user activity, deploy additional malware or launch attacks deeper into the organisation’s network.

Broader threat landscape

The campaign reflects patterns identified in the company’s India Cyber Threat Report 2026. Based on telemetry from more than 8 million endpoints, the report indicates that Trojans account for 43 percent of threats, followed by file infectors at 35 percent and potentially unwanted applications at 6 percent.

Researchers at Seqrite Labs state that such campaigns combine psychological manipulation with technical stealth. A single malicious click can expose an entire corporate network to espionage, data theft or operational disruption.

The report also highlights gaps in data privacy governance, including inadequate controls around data classification and leakage prevention. As enterprises shift toward cloud and hybrid environments, identity misuse and unauthorised data access are emerging as critical risk areas.

Recommended safeguards

Seqrite advises organisations to verify any compliance-related request directly with the Income Tax Department using official contact details from the incometaxindia.gov.in website. Users should avoid clicking on links or downloading attachments from unexpected emails and instead manually enter official URLs into browsers.

Additional recommendations include:

  • Enabling multi-factor authentication for critical accounts
  • Implementing strict email gateway controls
  • Scanning for embedded images and obfuscated code
  • Monitoring identity access and data usage continuously

The campaign underscores how seasonal events can be exploited for targeted cyberattacks. As attackers refine both social engineering tactics and technical execution, enterprises must treat unsolicited compliance communications with caution and strengthen layered security controls across endpoints, identities and data access points.
