Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. of India/MoF Tax Infrastructure via Multi-Stage DcRAT Deployment
Essential information
- Published: 26/06/2026 14:50
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: china-nexus, dcrat, fileless execution, income tax impersonation, india targeting, operation dragonreturn, spear-phishing, steganography, tax infrastructure
- Related entities: 29 indicators, 12 observables, 1 intrusion set (APT), 26 techniques (MITRE), 1 malware
Description
A sophisticated China-aligned cyber espionage campaign targeting India's tax infrastructure was identified between May and June 2026. The operation impersonates the Income Tax Department, Ministry of Finance, exploiting the AY2026-27 ITR filing season to target corporate entities, tax professionals, chartered accountants, and taxpayers. The attack employs spear-phishing emails with malicious attachments mimicking legitimate government utilities. The multi-stage infection chain deploys DcRAT through steganographic payload concealment, fileless .NET execution, AMSI bypass, and Windows service persistence. The threat actor demonstrates operational maturity through active payload rotation achieving 0/66 detection rates, encrypted TLS-based C2 communications, and infrastructure hosted across multiple ASNs linked to China. The campaign shows overlaps with the China-nexus threat actor Silver Fox, featuring screen capture capabilities, data exfiltration, and systematic intelligence collection from high-value India...