Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware

  • Jan 26
  • 2 min read

Key Findings:


  • Ongoing campaign targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage operation

  • Phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive

  • Malware known as Blackmoon (aka KRBanker) and a legitimate enterprise tool called SyncFuture TSM used as the final payload

  • Sophisticated attack involving anti-analysis, privilege escalation, DLL sideloading, commercial-tool repurposing, and security-software evasion


Background


The cybersecurity researchers at eSentire's Threat Response Unit (TRU) have uncovered an ongoing campaign targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage operation. The activity involves using phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive, ultimately granting the threat actors persistent access to their machines for continuous monitoring and data exfiltration.


Infection Chain


1. The ZIP file distributed through the fake tax penalty notices contains five different files, with an executable ("Inspection Document Review.exe") used to sideload a malicious DLL.


2. The downloaded shellcode then uses a COM-based technique to bypass the User Account Control (UAC) prompt and gains administrative privileges, masquerading as the legitimate Windows "explorer.exe" process.


3. The next stage "180.exe" is retrieved from the "eaxwwyr[.]cn" domain, a 32-bit Inno Setup installer that adjusts its behavior based on the presence of the Avast Free Antivirus process.


4. If Avast is detected, the malware uses automated mouse simulation to navigate Avast's interface and add malicious files to its exclusion list without disabling the antivirus engine.


5. The final payload is a variant of the Blackmoon malware family, which is known for targeting businesses, and a legitimate enterprise tool called SyncFuture TSM with remote monitoring and management (RMM) capabilities.
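The first step above hinges on DLL sideloading: a lure executable dropped from the ZIP loads a DLL from its own directory instead of the copy that lives under the Windows system directories. The following detection heuristic is an added example, not code from eSentire's report, run over constructed Sysmon-style ImageLoad (Event ID 7) records; the DLL name "version.dll" placed next to the lure executable is an assumption for illustration, since the report does not name the sideloaded DLL.

```python
"""Flag DLL sideloading candidates in Sysmon-style ImageLoad (Event ID 7) records.

Heuristic: a DLL whose file name matches one normally resident in the Windows
system directories is instead loaded from the same user-writable directory as
the host executable (a ZIP extracted under Downloads, Temp, AppData, ...).
"""
from pathlib import PureWindowsPath

# Constructed list of DLL names that legitimately live in the system directories.
# A real deployment would build this from a clean reference host.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


def is_sideload_candidate(image: str, image_loaded: str) -> bool:
    """True if the (Image, ImageLoaded) pair matches the sideloading heuristic."""
    exe = PureWindowsPath(image.lower())
    dll = PureWindowsPath(image_loaded.lower())
    if dll.name not in SYSTEM_DLL_NAMES:
        return False                      # not a DLL name we expect in System32
    if str(dll.parent).startswith(SYSTEM_DIRS):
        return False                      # loaded from its legitimate location
    same_dir = dll.parent == exe.parent   # DLL sits beside the host executable
    user_writable = any(m in str(exe) for m in USER_WRITABLE_MARKERS)
    return same_dir and user_writable


def triage(events):
    """Return the (Image, ImageLoaded) pairs from the events that look like sideloading."""
    return [(e["Image"], e["ImageLoaded"]) for e in events
            if is_sideload_candidate(e["Image"], e["ImageLoaded"])]


# Constructed sample events shaped like the Sysmon Event ID 7 fields.
# "version.dll" beside the lure executable is assumed, not taken from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\Downloads\notice\Inspection Document Review.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\notice\version.dll"},
    {"Image": r"C:\Users\victim\Downloads\notice\Inspection Document Review.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\kernel32.dll"},
    {"Image": r"C:\Program Files\Vendor\app.exe",          # vendor dir, not user-writable
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\dwmapi.dll"},
]

if __name__ == "__main__":
    for exe, dll in triage(SAMPLE_EVENTS):
        print(f"possible DLL sideloading: {exe} loaded {dll}")
```

Only the first constructed event is flagged; the same DLL name loaded from SysWOW64 or from a vendor directory under Program Files passes, which keeps the alert focused on executables staged in user-writable paths.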


Malware Capabilities


  • The threat actors gain the ability to remotely control infected endpoints, record user activities, and exfiltrate data of interest.

  • Batch scripts are deployed to create custom directories, modify Access Control Lists (ACLs), and perform cleanup and restoration operations.

  • An executable called "MANC.exe" orchestrates different services and enables extensive logging.

  • The campaign demonstrates both capability and intent, blending anti-analysis, privilege escalation, DLL sideloading, commercial-tool repurposing, and security-software evasion.


Conclusion


The ongoing campaign targeting Indian users with a multi-stage backdoor is a sophisticated attack that showcases the threat actors' ability to leverage phishing, malware, and legitimate tools to establish persistent access and conduct espionage activities. The researchers at eSentire TRU are actively monitoring the situation and providing recommendations to organizations to mitigate the risks associated with this threat.


Sources


  • https://thehackernews.com/2026/01/indian-users-targeted-in-tax-phishing.html

  • https://securityaffairs.com/187332/cyber-crime/energy-sector-targeted-in-multi-stage-phishing-and-bec-campaign-using-sharepoint.html

© 2025 by Explain IT Again. Powered and secured by Wix