{
  "name": "Indian Income Tax-Themed Phishing Campaign Targets Local Businesses",
  "slug": "indian-income-tax-themed-phishing-campaign-targets-local-businesses",
  "description": "A sophisticated phishing campaign impersonating the Indian Income Tax Department has been targeting local businesses. The attack begins with a spear-phishing email containing a PDF attachment that directs victims to a fake compliance portal. The portal visit triggers the download of a malicious ZIP file, which starts a multi-stage infection chain. The payload, delivered through NSIS installers, deploys a Remote Access Trojan (RAT) with persistence capabilities. The malware harvests system information and establishes communication with command and control servers. Technical indicators suggest a China-linked development environment. This campaign demonstrates how seemingly simple tax-themed phishing can lead to complete device compromise, emphasizing the need for heightened security awareness.",
  "published": "2025-12-22T16:06:59+00:00",
  "created_at": "2025-12-22T16:06:59+00:00",
  "modified_at": "2025-12-23T08:40:58+00:00",
  "created_at_opencti": "2025-12-22T16:06:59+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-12-22",
    "china-linked",
    "data harvesting",
    "income tax",
    "india",
    "nsis installer",
    "phishing",
    "rat",
    "remote access trojan"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "154.91.84.3"
      },
      {
        "id": "",
        "name": "www.akjys.top"
      },
      {
        "id": "",
        "name": "https://www.akjys.top/"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:ed13acb834e035bc",
        "name": "Remote Access Trojan",
        "slug": "remote-access-trojan"
      }
    ],
    "attack_patterns": [
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/",
    "https://otx.alienvault.com/pulse/69497ab3f381b44007add888"
  ]
}