The espionage campaign that takes advantage of the tax fear in India to install a backdoor using legitimate tools

Published · 5 min read · 189 reads

Cybersecurity researchers have identified an active campaign that exploits fear of the tax authorities to infect computers in India with a multi-stage backdoor, apparently for espionage purposes. The attackers send emails that imitate notices from the Income Tax Department about alleged penalties; when the victim opens the attached file, an infection chain begins that is designed to establish persistent access and extract sensitive information.

The technical breakdown published by the eSentire team shows that the attack starts with a ZIP file containing a single visible executable named "Inspection Document Review.exe". That executable uses DLL sideloading to load a malicious DLL bundled in the same archive. The DLL contains routines to detect analysis and debugging environments, and contacts an external server to download the next stage of the attack, which includes shellcode with privilege escalation capabilities.


To escalate privileges, the loader uses a COM-based technique that bypasses the User Account Control (UAC) prompt and, as a concealment measure, modifies its own process structure, the so-called Process Environment Block (PEB), so that it appears to be the legitimate Windows process "explorer.exe". This reduces the chances of being detected by basic monitoring controls.

From the command-and-control server the loader retrieves an Inno Setup installer named "180.exe", hosted on a suspicious domain. The installer adapts its behaviour to the presence of the Avast process ("AvastUI.exe"): if it detects the antivirus, the malware automates mouse movement and interaction with the Avast interface to add certain files to the exclusion list, rather than trying to disable the protection engine. This trick lets the malicious components avoid detection without drawing attention through obvious changes to the security product's settings.

One of the binaries added to the exclusions is a utility called "Setup.exe", which writes to disk an executable called "mysetup.exe". This binary is identified as SyncFuture TSM, a commercial remote management tool developed by a Chinese company. In this scenario the attackers repurpose a legitimate remote management product to control the compromised endpoints: recording user activity, running remote tasks and exfiltrating data with great discretion.

Also notable is the presence of a DLL associated with the Blackmoon family (also known as KRBanker), a banking Trojan that has evolved and has appeared in campaigns against companies in South Korea, the United States and Canada. Blackmoon is an example of how malware families originally aimed at financial fraud evolve into broader, more flexible sets of capabilities suitable for espionage.

After the installer runs and the malicious RMM agent starts, the campaign also deploys a series of scripts and utilities that facilitate persistence: batch files that create custom directories and adjust permissions, scripts that manipulate permissions on user folders, and a cleanup script that tries to erase traces. Another executable, listed as "MANC.exe", acts as an orchestrator, starting services and enabling detailed logging of activity. All of this aims to give the attackers granular control and a robust channel for maintaining long-term access.

The implications of this technical combination are clear: by mixing anti-analysis techniques, privilege escalation, DLL sideloading, abuse of commercial software and security-solution evasion tactics, the actors show both technical capability and the intention to sustain espionage over time. In addition, the use of legitimate tools as part of the chain complicates detection and attribution, because the traffic and processes can be confused with administrative operations that organizations accept.

For context, Blackmoon is not a new actor; its evolution is documented in industry analyses (Broadcom, Unit42, Rapid7), and the tactics observed in this operation (targeted phishing, exploitation of trust in legitimate tools, and antivirus evasion) are consistent with large-scale intelligence collection campaigns.

The campaign affecting users in India has been documented by eSentire, who describe how the infrastructure and design decisions of the attack chain point to a coordinated and well-prepared operation, although for now there is no public attribution to a particular group (eSentire report).

From a defence perspective, the threat underlines how dangerous it is to rely on the apparent legitimacy of a file or the supposed institutional origin of an email. Digital hygiene practices such as verifying tax communications through official channels, not opening attachments of doubtful origin and checking the digital signature of installers can prevent the initial entry of the attack. At the organizational level, measures such as tightening application control policies, monitoring changes to security exclusion lists, segmenting administrative privileges and deploying EDR solutions able to detect sideloading and PEB manipulation techniques significantly increase resilience.
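One concrete form of the PEB-manipulation check mentioned above, added here as example code (not from eSentire or the article): a process that rewrites its PEB can fool tools that read the command line from the PEB, but the image path the kernel reports for the process does not change, so disagreement between the two is a strong masquerading signal. The process records below are constructed; the optional live scan assumes psutil is installed on a Windows host.

```python
"""Flag processes whose PEB-reported command line disagrees with the kernel-
reported image path (the trace left by PEB masquerading as explorer.exe), and
system-only names running from outside the Windows directory."""
import ntpath
import re

# Constructed watch-list built from the binaries the article names; not an IoC list.
WATCHLIST = {"180.exe", "setup.exe", "mysetup.exe", "manc.exe",
             "inspection document review.exe"}
SYSTEM_ONLY = {"explorer.exe"}   # legitimately lives only under %SystemRoot%
WINDIR = re.compile(r"(?i)^c:\\windows\\")


def _base(path):
    return ntpath.basename(path or "").lower()


def inspect(proc):
    """proc: {'pid', 'exe' (kernel view), 'cmdline' (PEB view)} -> findings."""
    findings = []
    exe_name = _base(proc.get("exe"))
    cmd = proc.get("cmdline") or []
    cmd_name = _base(cmd[0]) if cmd else ""
    # 1. PEB vs kernel disagreement: ImagePathName/CommandLine were rewritten.
    if cmd_name and exe_name and cmd_name != exe_name:
        findings.append(f"peb_mismatch: cmdline says {cmd_name}, image is {exe_name}")
    # 2. A system-only name (from either view) backed by an image outside C:\Windows.
    for name in (exe_name, cmd_name):
        if name in SYSTEM_ONLY and not WINDIR.match(proc.get("exe") or ""):
            findings.append(f"masquerade: {name} outside C:\\Windows")
            break
    # 3. Names from the described chain.
    if exe_name in WATCHLIST:
        findings.append(f"watchlist: {exe_name}")
    return findings


def scan(procs):
    """Map pid -> findings for every record that produced at least one."""
    return {p["pid"]: f for p in procs if (f := inspect(p))}


def live_scan():
    """Windows-only: psutil's exe() is the kernel path, cmdline() reads the PEB."""
    import psutil  # assumed installed; not needed for the constructed sample
    return scan([p.info for p in psutil.process_iter(["pid", "exe", "cmdline"])])


SAMPLE = [  # constructed records, not taken from the report
    {"pid": 4, "exe": r"C:\Windows\explorer.exe", "cmdline": [r"C:\Windows\explorer.exe"]},
    {"pid": 5, "exe": r"C:\Users\u\AppData\Local\Temp\ldr.exe", "cmdline": [r"C:\Windows\explorer.exe"]},
    {"pid": 6, "exe": r"C:\ProgramData\Sync\mysetup.exe", "cmdline": [r"C:\ProgramData\Sync\mysetup.exe"]},
]
```

Run `scan(SAMPLE)` to see the spoofed explorer.exe (pid 5) and the RMM binary (pid 6) flagged while the real explorer.exe passes.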

Security teams should also investigate any automated interaction with an antivirus interface, for example unusual cursor movements or recent changes to exclusion rules, and block or quarantine executables from known malicious domains or infrastructure. For those who manage Windows environments, reviewing UAC configuration and controlling the use of third-party RMM tools can reduce the abuse surface.


The reuse of legitimate software for malicious purposes is not new, but it is gaining relevance: it lets attackers capitalize on the trust that administrators place in commercial utilities while making immediate response harder. So, beyond patching and updating, defence has to combine technical controls, verification procedures and user training to recognize lures such as fraudulent tax notices.

If you want to go into the technical details and the reported indicators of compromise, the industry analyses offer useful and verified material: in addition to the eSentire study, you can consult Blackmoon's history and technical fact sheets from Broadcom, Unit42 reports and Rapid7 research. For those who need to review specific samples, there are public entries in analysis repositories such as VirusTotal that document some of the components detected.

In a world where attackers combine social engineering and abuse of legitimate tools, the best defense is a mixture of informed skepticism, adequate technical controls and collaboration between security teams and suppliers to share indicators and quickly mitigate new variants.
