Operation DragonReturn: DcRAT Targets India Tax Professionals

China-nexus Operation DragonReturn deploys DcRAT via a cloned Indian tax utility, targeting tax professionals and accountants during India's filing season.
Table of Contents
    Add a header to begin generating the table of contents

    Seqrite Labs disclosed Operation DragonReturn, a China-nexus cyber espionage campaign that distributes a trojanized clone of an official Indian government income tax filing utility to deploy the DcRAT remote access trojan against Indian tax professionals, chartered accountants, and corporate accounting staff. The campaign has run continuously since it was first observed, with all confirmed victims located in India.

    Operation DragonReturn’s ITR Filename Clone: How the Lure Reaches Tax Professionals

    The campaign’s distribution mechanism exploits the timing and naming conventions of India’s annual tax return filing period. The malicious archive is named “Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip” — an exact copy of the filename used by India’s Income Tax Department for its official AY2026-27 offline filing utility. The filename match is not approximate; it duplicates the government tool’s name character for character, designed to intercept users who are actively searching for the legitimate utility at the peak of their need for it.

    The targeting logic is precise. Chartered accountants, corporate tax departments, and individual taxpayers managing AY2026-27 filings are specifically seeking this class of tool during the active filing season, making them highly susceptible to a cloned download that arrives at the exact moment they would legitimately be looking for it.

    Operation DragonReturn’s India-Exclusive Victim Profile and Active Campaign Timeline

    Seqrite first observed Operation DragonReturn activity on May 18, 2026. Through the firm’s analysis checkpoint, all victim submissions confirmed exclusively Indian origin — consistent with the campaign’s focus on domestic Indian taxpayers and the professional accounting sector serving Indian corporations. The operation remained fully active at the time of Seqrite’s July 6 disclosure, meaning Indian corporate and professional taxpayers continue to face live risk throughout the ongoing filing season.

    DcRAT Delivery via Mixed Reality.exe: Anti-Analysis, AMSI Bypass, and Dual Payloads

    The malicious archive contains a binary named “Mixed Reality.exe” that acts as the initial-stage loader. When executed, it deploys two payloads simultaneously rather than the government software the victim expected. The dual-payload design gives the operator both passive data collection and active remote access from a single execution event.

    The first payload is a .NET loader that performs anti-analysis environment checks before proceeding — a technique intended to detect sandboxes and automated malware analysis systems and terminate execution if they are present. Once past the anti-analysis checks, the loader establishes persistence on the infected system, disables Windows AMSI (Antimalware Scan Interface) scanning, then decrypts and executes DcRAT. The AMSI bypass is significant: Windows Defender and compatible security products that rely on the AMSI interface for in-memory .NET code inspection are neutralized before DcRAT launches, reducing the likelihood of detection at the point of payload execution.

    The second payload runs concurrently and independently of DcRAT: it captures screenshots from the compromised system and exfiltrates them to a separate remote server. This component provides the attacker with passive visual intelligence about the victim’s activity — including any tax documents, client data, or financial records displayed on screen — without requiring active interactive access through DcRAT.

    ChinaNet Infrastructure and the Exposed DcRAT Management Panel

    Attribution to a Chinese threat cluster rests on technical infrastructure evidence. Seqrite’s analysis identified that campaign command-and-control servers operate on ChinaNet IP address ranges — the infrastructure of China’s state-operated internet backbone. More directly, an exposed web management panel for the DcRAT C2 server displayed a Chinese-language interface, giving researchers visibility into the backend and further corroborating origin. Tactical analysis also identified overlaps with Silver Fox, a Chinese cybercrime group previously associated with ValleyRAT deployments in tax-themed phishing campaigns — making Operation DragonReturn a documented geographic expansion of an established targeting pattern.

    DcRAT itself provides the attacker with arbitrary command execution, file system access, credential theft, and persistent backdoor access to any system it reaches. A successful infection on a chartered accountant’s workstation provides access to the client’s tax filings, financial records, and corporate data spanning the accountant’s entire client base — making each individual professional a high-value target whose compromise potentially affects dozens of corporate victims.

    The convergence of an exact filename match to a high-demand government tool, a technically capable multi-component malware package, and persistent infrastructure that has operated through months of Indian filing season activity indicates a campaign structured for sustained intelligence collection from India’s corporate tax professional sector rather than opportunistic mass infection.

    Related Posts