Operation DragonReturn drops DcRAT on Indian taxpayers, Silver Fox overlaps
Seqrite Labs attributes an ongoing spear-phishing campaign against Indian tax filers to a suspected China-nexus actor with infrastructure and tactical overlap to Silver Fox. First observed May 18.
Suspected China-nexus, active. Seqrite Labs on July 6 attributed a spear-phishing campaign against Indian taxpayers — dubbed Operation DragonReturn — to a Chinese-speaking operator with infrastructure and tactical overlap to the Silver Fox cluster. Researchers Dixit Panchal and Soumen Burma date first observation to May 18, 2026. The payload is DcRAT, sideloaded through a legitimate-appearing offline tax filing utility.
What was reported
- Lure: spear-phishing emails impersonating India’s Income Tax Department, timed to the annual filing window. PDF attachments link to
govtop[.]one/incometax— a stand-in for the realincometax.gov.inoffline utility. Confidence: high as reported. - Targets: Indian taxpayers, tax professionals, and corporate finance teams. Confidence: high as reported.
- Delivery: ZIP containing a legitimate host binary plus a malicious
nvdaHelperRemote.dll. DLL sideloading chain fetches a JPG image from the C2, extracts a second-stage DLL, and drops the payload into the Windows Media Player directory asMixed Reality.exewith aMixedSvcservice for persistence. Confidence: high as reported — Seqrite lists file paths and IOCs. - Final payload: DcRAT plus a screenshot module and a data-exfil component. Confidence: high as reported.
- Attribution: suspected China-nexus. Basis is ChinaNet IP space and a Chinese-language web panel at
223.26.63[.]40, with infrastructure and TTP overlap to Silver Fox (previously linked to ValleyRAT). Confidence: medium — Seqrite is explicit that the overlap is suggestive, not definitive. Do not upgrade this to a hard Silver Fox call in your reporting.
What is not in the reporting
Victim count. Sector-level compromise numbers. Whether any of the observed tax-professional targets sit inside government finance functions. Whether the same operator is running parallel campaigns outside India. Anyone claiming those specifics right now is guessing.
IOCs Seqrite published
- Delivery domain:
govtop[.]one/incometax - Loader DLL:
nvdaHelperRemote.dll - Dropped binary:
Mixed Reality.exeinC:\Program Files\Windows Media Player\ - Persistence: Windows service
MixedSvc - Staging file:
C:\Windows\background.jpg - Payload host:
204.194.48[.]250 - Exfil C2:
kkxqbh[.]top - Chinese-language management panel:
223.26.63[.]40
Block, hunt, and treat any hit as an active-operator incident, not commodity. The panel URL alone tells you a human is driving.
Why this one matters
The pattern — Chinese-speaking operator, real-world lure keyed to a national deadline, DLL sideloading through a signed-looking utility, DcRAT with a management panel — is the same shape as ToddyCat’s Umbrij OAuth hijack and the Armored Likho power-sector operation: patient, resourced, targeted. Different clusters, same operating model. Anyone treating suspected-China intrusion sets as opportunistic in July 2026 is behind.
Second point: the lure is seasonal. Indian income tax filing season is a fixed calendar event. Operators who pick their window to match a national deadline get better click-through than any generic phish will, and defenders have a fixed calendar of high-risk quarters they can pre-brief users against. Treat it as intelligence, not a curiosity.
What to actually do
- Hunt the file paths and service name.
Mixed Reality.exeunder Windows Media Player is not a legitimate Microsoft path;MixedSvcis not a stock service. Either indicator is enough to open an incident. - Block the published domains and IPs at the egress.
govtop[.]one,kkxqbh[.]top,204.194.48[.]250,223.26.63[.]40. - Brief tax and finance teams before the next filing cycle. The lure works because the deadline is real. A ten-minute warning about spoofed Income Tax Department mail — especially PDFs with download links — costs nothing.
- If you run detections for DLL sideloading: now is when you tune them. The chain here is the standard signed-host-plus-malicious-DLL pattern.
Seqrite’s writeup is the primary source for full IOCs and hashes. Pull it directly rather than trusting downstream summaries.
Found this useful? Share it.