Received an income tax email? It could be a 'Blackmoon malware' trap for Indian users

Mathrubhumi English 4 months ago

Indian users are being targeted in an ongoing phishing operation that delivers a stealthy backdoor linked to a suspected cyber-espionage campaign, according to a report by The Hacker News.

Cybersecurity researchers from the eSentire Threat Response Unit (TRU) have identified the activity, which reportedly uses fraudulent emails impersonating India's Income Tax Department to lure victims into opening malicious files. The emails claim to relate to tax penalties, a tactic designed to trigger urgency and prompt quick action.

As per the report, the phishing messages contain a ZIP archive that, once downloaded, initiates a multi-stage infection process. The ultimate objective of the campaign is to deploy a variant of the Blackmoon banking trojan - also known as KRBanker - alongside a legitimate enterprise management tool called SyncFuture Terminal Security Management (TSM), developed by Chinese firm Nanjing Zhongke Huasai Technology Co., Ltd.

Researchers noted that while SyncFuture TSM is marketed as a lawful business product, it is reportedly being misused in this campaign as 'a powerful, all-in-one espionage framework'. Cited in the report, eSentire said, "By deploying this system as their final payload, the threat actors establish resilient persistence and gain a rich feature set to monitor victim activity and centrally manage the theft of sensitive information."

How the attack reportedly works

According to the report, the ZIP file distributed through fake tax notices contains five hidden components, with only one visible executable labelled "Inspection Document Review.exe". When opened, this file secretly loads malicious code embedded within the archive.

The malware then reportedly connects to an external server to download additional components and attempts to gain elevated system privileges while disguising itself as a legitimate Windows process to avoid raising suspicion.

Further stages involve retrieving another installer from a remote domain. If antivirus software such as Avast Free Antivirus is detected, the malware reportedly avoids disabling it. Instead, it uses automated actions to add its own files to the antivirus exclusion list, allowing it to operate undetected.

At the centre of this behaviour is a DLL assessed to be part of the Blackmoon malware family - a threat first observed in 2015 and previously linked to attacks on organisations in South Korea, the United States, and Canada.

Once exclusions are in place, the attackers reportedly deploy SyncFuture TSM, granting them remote access capabilities, activity monitoring functions, and data exfiltration features.
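As an added illustration (not code from the report or from eSentire), here is a small Python triage helper a defender could run over a suspicious attachment before anyone opens it: it reads each ZIP member's stored attributes, separates visible entries from hidden ones, and flags the layout described above (a single visible executable packed beside hidden companions, with hidden DLLs listed as sideloading candidates). The archive it builds is a constructed stand-in; every member name other than the visible executable's is a placeholder, not an indicator from the campaign.

```python
import io
import zipfile

# The DOS/Windows "hidden" bit is kept in the low byte of a ZIP entry's external_attr
# when the archive was produced on Windows (assumption: the lure was built that way).
FILE_ATTRIBUTE_HIDDEN = 0x02
EXEC_EXT = (".exe", ".scr", ".com")


def triage_archive(data: bytes) -> dict:
    """Classify a ZIP's members as visible or hidden and flag the lure shape
    from the article: one visible executable next to hidden companions."""
    visible, hidden = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = hidden if info.external_attr & FILE_ATTRIBUTE_HIDDEN else visible
            target.append(info.filename)
    # Hidden DLLs beside a lone EXE are the classic DLL-sideloading arrangement.
    sideload = [n for n in hidden if n.lower().endswith(".dll")]
    lone_exe = len(visible) == 1 and visible[0].lower().endswith(EXEC_EXT)
    return {
        "visible": visible,
        "hidden": hidden,
        "sideload_candidates": sideload,
        "suspicious": lone_exe and bool(hidden),
    }


def build_sample(hide_companions: bool = True) -> bytes:
    """Constructed archive (not a real sample): one visible EXE plus five
    companions, hidden unless hide_companions is False (benign control case)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Inspection Document Review.exe", b"MZ" + b"\0" * 62)
        # Placeholder names, chosen to look like typical companion files.
        for name in ("loader.dll", "helper.dll", "stage2.bin", "config.dat", "notes.txt"):
            zi = zipfile.ZipInfo(name)
            if hide_companions:
                zi.external_attr = FILE_ATTRIBUTE_HIDDEN
            zf.writestr(zi, b"\0" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample()))
```

The same check works on any archive read from disk; feed `open(path, "rb").read()` to `triage_archive` and review the `hidden` and `sideload_candidates` lists before deciding whether to detonate it in a sandbox.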

Maintaining long-term control

The report further states that additional scripts and executables are installed to strengthen persistence. These include tools that modify system permissions, create custom directories, log user behaviour, and manage multiple background services.

Cited in the report, eSentire said, "It provides them with the tools to not only steal data but to maintain granular control over the compromised environment, monitor user activity in real-time, and ensure their own persistence."

It further continued, "By blending anti-analysis, privilege escalation, DLL sideloading, commercial-tool repurposing, and security-software evasion, the threat actor demonstrates both capability and intent."
