Published: · Region: Asia-Pacific · Category: cyber

Suspected China-Linked Hackers Target Indian Taxpayers in Stealthy Campaign, Exposing Financial System Weakness

A suspected China-nexus hacking group is impersonating India’s Income Tax Department in a sophisticated phishing campaign against taxpayers, chartered accountants and corporate finance teams. By hiding malware inside fake e-filing tools, the operation turns routine tax compliance into a cyber-risk and tests how well India can protect its financial data from foreign cyber probes.

Indian taxpayers and finance professionals are being drawn into a new kind of cross‑border contest, as suspected China‑linked hackers weaponise the country’s tax season with convincing but malicious emails that masquerade as official communication from the Income Tax Department.

Cybersecurity researchers have identified an ongoing campaign dubbed “Operation DragonReturn” that sends carefully crafted phishing emails to individual taxpayers, tax professionals and corporate finance departments. The messages direct recipients to download what appears to be an official tax‑filing utility. Instead, they are delivered malware through a chain of techniques designed to defeat routine security checks.

According to technical reporting on the campaign, the fake e‑filing tool abuses DLL sideloading — a method of tricking legitimate software into loading a malicious library — and conceals its payload inside image files, which are less likely to arouse suspicion during simple scans. The ultimate malware identified in the operation includes DCRat, a remote‑access tool that allows attackers to monitor infected machines, exfiltrate data and potentially pivot deeper into corporate or government networks connected to those systems.

Attribution remains formally unconfirmed, but indicators such as infrastructure overlaps and tooling have led researchers to describe the campaign as having a suspected China nexus. No government has publicly named or sanctioned a specific group in connection with DragonReturn, leaving the diplomatic dimension of the operation in a grey zone. For the targets, that nuance matters less than the practical consequences: financial data, identification documents and sensitive corporate records sitting on machines used for tax filing are at risk of exposure.

For ordinary taxpayers, the immediate danger is identity theft and the compromise of PAN details, bank account information and other personal data that pass through tax forms and supporting documents. For chartered accountants and in‑house finance teams, the stakes are higher still: their workstations often have access to multiple client files, internal ledgers, and in some cases, direct links into corporate banking portals. A single successful compromise in a busy tax office can open a window on dozens of companies at once.

Strategically, the campaign probes the resilience of India’s broader financial and administrative ecosystem. The tax system sits at the intersection of citizens, businesses and the state; if adversaries can reliably infiltrate that layer, they gain insight not only into private finances but also into sector‑wide health, investment flows and, potentially, government procurement patterns. For New Delhi, which has sought to harden critical infrastructure against foreign cyber operations, the use of convincing state‑branded lures underscores how humans, not just servers, are now the attack surface.

The operation also comes as India’s digital public infrastructure — from payments rails to identity systems — has become a model for many emerging economies and a strategic asset in its own right. That visibility makes Indian platforms an attractive target for foreign intelligence and financially motivated hackers alike. The question is no longer whether adversaries will try to ride on the back of trusted government brands, but how often they will succeed and how quickly those intrusions will be detected and contained.

Key indicators to watch next include any advisories or technical countermeasures issued by India’s tax authorities and cyber agencies, evidence that DragonReturn has expanded beyond tax-themed lures into other government-branded campaigns, and whether India’s partners quietly raise the issue of suspected state-linked cyber operations in bilateral talks with Beijing.

Sources