
The attack compromises sensitive financial data of Indian taxpayers and demonstrates how threat actors weaponize legitimate enterprise tools for espionage, raising the risk profile for businesses and government agencies in the region.
India’s tax filing season creates fertile ground for social engineering, and this latest campaign exploits that timing with convincingly forged Income Tax Department notices. A malicious ZIP archive attached to the email lures victims into running a hidden executable that kicks off a chain of payloads. The approach mirrors a broader trend in which phishing lures are paired with the abuse of legitimate, signed software (a trusted host binary, a commercial management suite), turning routine administrative communications into vectors for deep-system infiltration.
Technically, the operation is notable for its layered evasion tactics. The first stage relies on DLL sideloading: a legitimately signed executable loads a malicious DLL planted beside it, so controls that trust the signed host never inspect the code it pulls in. A COM-based UAC bypass then obtains administrative rights without presenting a prompt to the user. Once elevated, the malware contacts a remote server to retrieve a second-stage installer that adapts its behavior to whether Avast antivirus is present. Rather than tampering with the product directly, it drives the Avast user interface with simulated mouse input to add its own files to the exclusion list, silently neutralizing a key defensive layer. The final payload pairs a Blackmoon trojan variant, a family known for targeting financial institutions, with the commercial SyncFuture TSM remote-management suite, effectively turning a legitimate RMM tool into an espionage framework.
For enterprises and public sector entities, the campaign underscores the urgency of validating the provenance of software updates and scrutinizing unsolicited tax-related communications. Application allow-listing, least-privilege policies, and monitoring for anomalous DLL loads (in particular, a signed binary in a user-writable directory loading an unsigned DLL from the same location) can mitigate similar threats; GUI automation aimed at a security product's own console is a further signal worth alerting on. Moreover, the misuse of a Chinese-origin RMM product highlights the need for rigorous third-party risk assessments, especially when tools possess remote control capabilities that could be hijacked for data exfiltration or persistent surveillance.
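The DLL-load monitoring mentioned above can be turned into a concrete check. The following script is an added example, not code from the article or from any vendor, and it runs over a simplified JSON-lines rendering of Sysmon Event ID 7 (ImageLoaded) records. It assumes three things: the records carry Sysmon's real `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` fields; a `ProcessSigned` field has been added by enrichment (for instance joined from the Event ID 1 record of the same process), since Event ID 7 describes only the loaded image; and the list of commonly hijacked System32 DLL names is illustrative, because the article does not name the DLL this campaign used. The sample events are constructed.

```python
"""Heuristic detection of DLL sideloading from Sysmon ImageLoaded (Event ID 7) records.

Added example. Input is a simplified JSON-lines rendering of Sysmon events,
not Sysmon's native XML; the sample events at the bottom are constructed.
"""
import json
from pathlib import PureWindowsPath

# Locations a standard user can write to. A signed binary running from here
# that loads an unsigned DLL beside itself is the classic sideloading shape.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)
# Locations where system DLLs are expected to be resolved from.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Illustrative set of System32 DLL names that applications resolve by name and
# that sideloading campaigns routinely plant next to a signed host. This is an
# assumption of the example; the article does not name the DLL used.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll",
                    "dbghelp.dll", "cryptbase.dll", "profapi.dll"}


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def _under(path: str, prefixes: tuple) -> bool:
    return (path.rstrip("\\") + "\\").startswith(prefixes)


def classify(event: dict) -> list:
    """Return the sideloading indicators found in one ImageLoaded record.

    An empty list means the load looks benign under these heuristics.
    """
    host = _norm(event["Image"])
    dll = _norm(event["ImageLoaded"])
    if not dll.endswith(".dll"):
        return []
    host_dir = str(PureWindowsPath(host).parent)
    dll_dir = str(PureWindowsPath(dll).parent)
    dll_name = PureWindowsPath(dll).name

    dll_signed = (event.get("Signed", "false").lower() == "true"
                  and event.get("SignatureStatus", "") == "Valid")
    # ProcessSigned is an assumed enrichment field (e.g. joined from Event ID 1).
    host_signed = event.get("ProcessSigned", "false").lower() == "true"

    reasons = []
    # Rule 1: trusted (signed) host, untrusted DLL, same directory, user-writable.
    if host_signed and not dll_signed and dll_dir == host_dir and _under(dll_dir, USER_WRITABLE_PREFIXES):
        reasons.append("signed host loads unsigned DLL from its own user-writable directory")
    # Rule 2: a well-known system DLL name resolved from somewhere it does not belong.
    if dll_name in SYSTEM_DLL_NAMES and not _under(dll, TRUSTED_PREFIXES):
        reasons.append(f"{dll_name} resolved from {dll_dir} instead of a system directory")
    return reasons


def scan(jsonl: str) -> list:
    """Parse JSON-lines Sysmon records and return findings for suspicious Event ID 7 loads."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 7:
            continue
        reasons = classify(ev)
        if reasons:
            findings.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"],
                             "User": ev.get("User"), "reasons": reasons})
    return findings


# Constructed sample: one clean system load, one unsigned plug-in in Program Files
# (should not alert), and one sideload from a user's temp directory (should alert).
SAMPLE_EVENTS = r'''
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "SignatureStatus": "Valid", "ProcessSigned": "true", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 7, "Image": "C:\\Program Files\\VendorApp\\app.exe", "ImageLoaded": "C:\\Program Files\\VendorApp\\plugin.dll", "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true", "User": "CORP\\rahul"}
{"EventID": 7, "Image": "C:\\Users\\rahul\\AppData\\Local\\Temp\\ITR_Notice\\viewer.exe", "ImageLoaded": "C:\\Users\\rahul\\AppData\\Local\\Temp\\ITR_Notice\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true", "User": "CORP\\rahul"}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['User']}: {f['Image']} -> {f['ImageLoaded']}")
        for r in f["reasons"]:
            print("   ", r)
```

Only the third event produces a finding, and it trips both rules. The second event shows why rule 1 is scoped to user-writable directories: unsigned plug-ins under Program Files are common in legitimate software and would otherwise flood the queue. In production the `ProcessSigned` join and the DLL name list would come from your SIEM's enrichment rather than being hard-coded.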