Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware
Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware
https://thehackernews.com/2026/01/indian-users-targeted-in-tax-phishing.html
Publish Date: 2026-01-26 12:01:00
Source Domain: thehackernews.com
Cybersecurity researchers have discovered an ongoing campaign that’s targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage campaign.
The activity, per the eSentire Threat Response Unit (TRU), involves using phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive, ultimately granting the threat actors persistent access to their machines for continuous monitoring and data exfiltration.
The end goal of the sophisticated attack is to deploy a variant of a known banking trojan called Blackmoon (aka KRBanker) and a legitimate enterprise tool called SyncFuture TSM (Terminal Security Management) that’s developed by Nanjing Zhongke Huasai Technology Co., Ltd, a Chinese company. The campaign has not been attributed to any known threat actor or group.
“While marketed as a legitimate enterprise tool, it is repurposed in this campaign as a powerful, all-in-one espionage framework,” eSentire said. “By deploying this system as their final payload, the threat actors establish resilient persistence and gain a rich feature set to monitor victim activity and centrally manage the theft of sensitive information.”
The ZIP file distributed through the fake tax penalty notices contains five different files, all of which are hidden except for an executable (“Inspection Document Review.exe”) that’s used to sideload a malicious DLL present in the archive. The DLL, for its part, implements checks to detect debugger-induced delays and contacts an external server to fetch the next-stage payload.
The downloaded shellcode then uses a COM-based technique to bypass the User Account Control (UAC) prompt to gain administrative privileges. It also modifies its own Process Environment Block (PEB) to masquerade as the legitimate Windows “explorer.exe” process to fly under the radar.
On top of that, it retrieves the next stage “180.exe” from…
