Illustration of a red Chinese dragon coiled around Income Tax documents, a phishing email on a hook and a malware kill chain, over server racks
Threat Intelligence Report · China Nexus

Mapping the Infrastructure Behind a China-Nexus Income Tax Phishing Campaign in India

Lure, delivery and infrastructure analysis of a China-nexus phishing campaign impersonating India's Income Tax Department.

Executive summary

Shreshta has been tracking an active phishing and malware operation that impersonates the Government of India's Income Tax Department and Ministry of Finance. The operation is timed to the AY2026-27 income tax filing season and targets Indian taxpayers and businesses. The lures address recipients generically and reference the recipient's company tax records.

Victims receive a bilingual Hindi and English notice alleging a tax irregularity and are directed to download a document archive. The archive delivers its payload through DLL sideloading. The delivery and credential pages are produced by a Chinese language phishing kit that retains an OFD document option, a document format specific to the People's Republic of China.

Pivoting 18 IP addresses with Shreshta Passive DNS telemetry, Shreshta attributes the campaign to 17 of those addresses across 11 autonomous systems, concentrated on Alibaba Cloud and a cluster of Hong Kong providers. The campaign's identifiable footprint is 379 domains in six naming families. The eighteenth address, a Yisu Cloud node, carries a separate co-located cluster of algorithmically generated domains that does not share the campaign's naming. The kit artifacts, the OFD document format and the hosting concentration attribute the operation to a China-nexus threat actor with high confidence.

18
seed IP addresses
379
campaign domains
11
autonomous systems

This report focuses on infrastructure. A public analysis of a malware chain from the same family has been published by Seqrite as Operation DragonReturn, to which the reader is referred for the payload reverse engineering.

01Targeting

The lures address recipients generically as taxpayers and reference the recipient's company tax records, indicating that both individual and corporate taxpayers are in scope. The tax compliance theme and AY2026-27 timing align the operation with the income tax filing season.

02Initial access: the phishing email

The initial lure impersonates the Government of India, Ministry of Finance, Income Tax Department, Enforcement Division. It is formatted as an official office memorandum in Hindi and English and uses urgency and legal threat to drive action. Observed characteristics:

  • Sender: providemuch1948@outlook.com, a free webmail account rather than a government domain.
  • Reference number: No. TAX/PEN/2026-14246.
  • Pretext: an alleged irregularity under Section 271(1)(c) of the Income Tax Act 1961, demanding document submission within 72 hours.
  • Threat: legal action under Section 276C for non compliance.
  • Impersonated signatory: an Assistant Commissioner of Income Tax.
Phishing email impersonating the Income Tax Department
Figure 1. Phishing email impersonating the Income Tax Department, Enforcement Division. Sender: providemuch1948@outlook.com.
Second phishing email variant from a different Outlook sender
Figure 2. A second lure variant from a different Outlook sender (BedsonHase6217@outlook.com), addressed to a careers mailbox, using the delivery domain adreses.vip. Gmail misdetects the message language as Arabic.

Multiple waves of the lure were observed, each using a disposable Outlook sender and a different delivery domain. The delivery domains resolve within the mapped infrastructure (Section 05), which corroborates the passive DNS estate.

SenderRecipient mailboxDelivery URL
providemuch1948@outlook.cominfodocument archive download
BedsonHase6217@outlook.comcareershttps://adreses.vip/
Outlook webmail (bilingual variant)n/ahttps://coinok.vip/

The page titles served by the campaign infrastructure corroborate the theme. Observed HTTP titles include कर दंड सूचना - भारत सरकार (Tax Penalty Notice, Government of India), Ministry of Finance, Government of India and Income Tax Department.

03Delivery: malicious archive and DLL sideloading

The download resolves to an archive containing three files:

FileApprox. sizeFunction
Document07.09.exe2 MBLegitimate signed executable used as the sideloading host
vulkan-1.dll4.4 MBMalicious loader named after the Vulkan graphics runtime
vulkan-1.bin299 KBEncrypted payload and configuration read by the loader
Contents of the malicious archive
Figure 3. The delivered archive. A signed host executable sideloads the malicious vulkan-1.dll, which reads the encrypted vulkan-1.bin payload.

The three file layout is characteristic of DLL search order sideloading (MITRE ATT&CK T1574.002): a legitimate signed executable, a malicious DLL named after a common system library, and an accompanying data file. On execution, the host binary loads the attacker supplied vulkan-1.dll from its own directory rather than the genuine system library. The name is chosen to blend in, as the Vulkan runtime is present on any system with graphics drivers.

Shreshta has not reverse engineered the loader or its payload. The behaviour of the loader and the handling of the encrypted vulkan-1.bin blob are documented in Seqrite's analysis of the same malware family, referenced above.

04The phishing kit

The credential and delivery pages are generated by a reusable phishing kit. Two artifacts identify its origin.

Chinese language build annotations

The page source contains template instructions in Chinese, including 位置1:图片 src (Position 1: image src) and 请将下方 src 替换为您的图片链接或 base64 代码 (Replace the src below with your image link or base64 code). These are operator facing placeholders left in the deployed pages.

Phishing kit source code showing Chinese annotations
Figure 4. Phishing kit source. Chinese language build annotations (right) and an OFD document download option are present in the deployed page.

An OFD document option

The rendered pages present a reused Indian tax invoice overlaid with three actions: Layout File Preview, OFD Layout File Download and PDF Preview Version Download. OFD (Open Fixed layout Document, standard GB/T 33190-2016) is the national electronic document format of the People's Republic of China. It has no legitimate role in Indian tax or corporate document workflows, where PDF is standard. Its presence as a default option indicates a kit authored for a Chinese language operator base. The kit supports multiple lure documents; invoice and payment themed pages were also observed from the same infrastructure. The invoice used as a lure background is a genuine third party document reused by the operator and is withheld here to protect the affected company.

Redacted lure landing page with campaign download buttons over a blurred invoice
Figure 5. The lure landing page. A genuine third party tax invoice reused as the background, overlaid with the campaign download buttons including the OFD option. The underlying invoice is blurred to protect the affected company.

05Infrastructure analysis

Scale and structure

Pivoting the 18 IP addresses with Shreshta Passive DNS telemetry surfaced 10,579 hostnames, but these are not one operation. Seventeen of the addresses host the campaign, whose identifiable footprint is 379 domains in six recognizable naming families, described below. The eighteenth, a Yisu Cloud node, resolves a large co-located cluster of algorithmically generated domains that does not share the campaign's naming and is treated separately (Figure 8). The campaign families are actively rotated, consistent with an operation that cycles landing domains to evade blocklisting and takedown.

Domain naming conventions

Income Tax and Government of India impersonation. Direct brand impersonation using incometax and government keywords (incometax.click, incometaxi.click, incometaxindiaefiling.help, indiaenforcementdivision.icu), the last of which mirrors the Enforcement Division letterhead in the lure. The govinada and related .us.cc set are Government of India lookalikes.

India branded typosquats. A bulk registered family of India lookalikes across low cost TLDs, including the indiaxyz* series.

The laiuatexqw family. A single base label registered across a dozen TLDs, including laiuatexqwgov.cc and httpslaiuatexqwgu.cc, in which the string https is embedded in the label so a truncated URL appears legitimate.

Algorithmically generated control and staging. Over a hundred short, pronounceable but meaningless labels on .eu.cc and .gu.cc, typical of scripted registration for command, control and redirection.

Content delivery and redirection. Registered roots on .love and .life, each fronted with a consistent subdomain scheme (cdn., static., assets., img., serve., api.) serving images, kit assets and next stage content.

A co-located DGA cluster (not counted as campaign). One seed address, 154.221.26.227 (Yisu Cloud), resolves 8,583 domains that are overwhelmingly algorithmically generated: random and hex labelled .com and .net names that resolve only to that node. This cluster does not share the tax campaign's naming and is characteristic of malware command and control or a botnet. It may be the operation's C2 tier or an unrelated cluster on the same bulletproof host; passive DNS cannot distinguish the two. It is excluded from the campaign's 379 branded domains.

Figure 6 · Campaign domains by naming family379 domains
CDN / redirection164 Algorithmic control110 Income Tax / Gov42 Parallel campaigns27 india* typosquats21 laiuatexqw family15

The campaign's identifiable footprint is 379 domains in six naming families across the seventeen confirmed IPs. This excludes the co-located DGA cluster on 154.221.26.227 (Figure 8).

Hosting and network analysis

Resolution of the 18 seed IP addresses to their announcing networks collapses them into 11 autonomous systems. Hosting is concentrated on a single Alibaba Cloud autonomous system and a cluster of Hong Kong providers, with a small number of Western cloud nodes used as disposable edge and redirection points, including one Amazon node in the Mumbai region reached through nip.io and sslip.io wildcard DNS.

IP addressAnnouncing networkASNRegion
47.242.39.192AlibabaAS45102CN / HK
47.83.166.230AlibabaAS45102CN / HK
8.217.152.225AlibabaAS45102CN / HK
8.218.207.230AlibabaAS45102CN / SG
8.222.142.243AlibabaAS45102CN / SG
154.221.22.65Yisu CloudAS142403HK
154.221.26.227Yisu Cloud (DGA cluster, likely C2)AS142403HK
103.97.128.107Cloudie LimitedAS55933HK
156.251.16.107TcloudnetAS399077HK / US
192.238.128.250Antbox NetworksAS138995HK
103.23.172.117Beyotta Services LLPAS997SG
103.93.252.212Beyotta Services LLPAS997SG
154.36.165.51NetLab GlobalAS979US
64.90.12.51NetLab GlobalAS979US
45.150.226.85Spartan HostAS201106GB / NL
143.14.122.112Yadda OUAS214647EE / NL
3.110.184.116Amazon AWSAS16509Mumbai, IN
108.181.161.156Psychz NetworksAS40676US
Figure 7 · Seed IP addresses per announcing network18 IPs · 11 ASNs
AS45102 · Alibaba5 AS997 · Beyotta2 AS142403 · Yisu2 AS979 · NetLab2 AS55933 · Cloudie1 AS399077 · Tcloudnet1 AS138995 · Antbox1 AS16509 · Amazon1 AS40676 · Psychz1 AS201106 · Spartan1 AS214647 · Yadda1

Blue bars are China or Hong Kong networks. Five of eighteen addresses fall within Alibaba's AS45102.

Infrastructure graph

Two views make the structure concrete. Figure 8 shows where the full estate resolves: it is dominated by one Yisu Cloud shared hosting node. Figure 9 isolates the branded campaign families and groups them by the IP that serves them. The separation is clean: income tax lures on 108.181.161.156, India and laiuatexqw typosquats on 64.90.12.51, and the algorithmic control and content delivery domains on the two Beyotta addresses. This separation of lure surface from control and delivery infrastructure is characteristic of a structured operation.

Figure 8 · Domains per resolving IP (full estate)10,579 hostnames · 18 IPs
154.221.26.2278,583 154.221.22.65507 47.83.166.230275 103.93.252.212182 103.23.172.117175 45.150.226.85153 154.36.165.51137 156.251.16.10794 8.218.207.23087 47.242.39.19276 103.97.128.10765 192.238.128.25063 8.222.142.24362 143.14.122.11246 64.90.12.5140 8.217.152.22532 108.181.161.15629 3.110.184.11621

One seed node, 154.221.26.227 (grey, Yisu Cloud), resolves 8,583 domains that are 81 percent algorithmically generated and resolve only to that node: a dedicated DGA cluster, distinct in naming from the tax campaign and characteristic of malware C2. The campaign's branded domains sit on the other seventeen addresses (Figure 9).

Figure 9 · The 379 enumerated campaign domains, grouped by resolving IPcoloured by family
Campaign domains grouped by the IP that resolves them, coloured by family

Figure 9 covers the 379 domains in the enumerated families (A to F), each shown under the IP that serves it. Per IP attribution is from a fresh, IP labelled re-pull of the passive DNS on 10 July 2026.

06Attribution

The available evidence attributes the operation to a China-nexus threat actor with high confidence:

  • Chinese language build annotations embedded in the deployed phishing kit.
  • The OFD document format, a Chinese national standard, offered to Indian victims.
  • Hosting concentrated on Alibaba Cloud and Hong Kong providers.
  • Lookalike domains for tax authorities in other jurisdictions hosted on the same infrastructure, indicating a multi region operator.

These findings are independent of, and consistent with, publicly reported activity from the same malware family.

07Detection and mitigation

For organizations

  • Block the domain names in the appendix at DNS, proxy and firewall layers.
  • Alert on execution of vulkan-1.dll outside legitimate graphics driver paths, and on any executable that sideloads a DLL from a user Downloads or temporary directory (T1574.002).
  • Monitor for outbound connections to the hosting ranges listed above.

For end users

  • Access the income tax portal directly rather than through links in unsolicited email.

08Conclusion

The operation is a well resourced, China-nexus phishing and malware campaign that exploits the Indian tax filing season through government impersonation and a DLL sideloading delivery chain. It is delivered from a bulletproof hosting cluster of 18 addresses across 11 autonomous systems, of which 17 carry its 379 branded domains and one hosts a co-located DGA cluster. It is supported by a reusable Chinese language phishing kit. The scale and structure indicate a sustained operation rather than a short lived campaign, and defenders should expect continued domain rotation.


09Indicators of compromise

Domain to IP mappings for all 10,579 hostnames surfaced from the 18 seed IPs are provided in the accompanying file china-nexus-campaign.csv. The branded campaign families are enumerated below, one entry per line. IP addresses and file indicators follow.

IP addresses (18)
103.23.172.117
47.242.39.192
103.97.128.107
8.217.152.225
156.251.16.107
143.14.122.112
154.221.22.65
192.238.128.250
8.222.142.243
47.83.166.230
154.36.165.51
45.150.226.85
3.110.184.116
154.221.26.227
8.218.207.230
103.93.252.212
64.90.12.51
108.181.161.156
Email and file indicators
providemuch1948@outlook.com
BedsonHase6217@outlook.com
No. TAX/PEN/2026-14246
adreses.vip
coinok.vip
Document07.09.exe
vulkan-1.dll
vulkan-1.bin
Income Tax and Gov India impersonation
595688.taxeiit8.cn
82e7d502-98e7-40ef-9061-c9e478bbebb1.taxeiit8.cn
admin.incometaxi.click
covliinada.us.cc
dashboard.incometaxi.click
dqkgicrbvr73.taxeiit8.cn
exncncrbvr73.taxeiit8.cn
go.incometax.click
go.incometax.gu.cc
go.incometaxi.click
gov.incometax.click
gov.incometaxi.click
goviinada.us.cc
govinada.us.cc
govliinada.us.cc
in.incometax.click
in.incometax.gu.cc
incometax.click
incometax.gu.cc
incometaxi.click
incometaxindiaefiling.help
ind.incometax.click
india.incometax.gu.cc
indiaenforcementdivision.icu
ingov.incometaxi.click
mail.incometax.click
mbzhb582q74uhmtj.taxeiit8.cn
pay.incometax.click
sitemap.incometax.click
taxeiit8.cn
www.go.incometax.click
www.go.incometaxi.click
www.gov.incometaxi.click
www.in.incometax.click
www.incometax.click
www.incometaxi.click
www.ind.incometax.click
www.ingov.incometaxi.click
www.sitemap.incometax.click
www.taxeiit8.cn
x7svby2tmu2gsrv4.taxeiit8.cn
india* typosquats
india152366.cc
indiacy.xyz
indiaxyne.us.cc
indiaxyqe.us.cc
indiaxyre.us.cc
indiaxyte.us.cc
indiaxyz.top
indiaxyz.xyz
indiaxyzac.us.cc
indiaxyzbc.us.cc
indiaxyze.us.cc
indiaxyzq.bond
indiaxyzq.sbs
indiaxyzq.us.cc
indiaxyzq.xyz
indiaxyzqa.us.cc
indiaxyzqaq.us.cc
indiaxyzqc.us.cc
indiaxyzqd.us.cc
indiaxyzqx.us.cc
yindianshang.com
laiuatexqw family
httpslaiuatexqwgu.cc
httpslaiuatexqwgu.top
laiuatexqw.gu.cc
laiuatexqwgc.cc
laiuatexqwgg.bond
laiuatexqwgg.sbs
laiuatexqwgg.top
laiuatexqwgg.xyz
laiuatexqwgov.cc
laiutexqwag.xyz
laiutexqwgu.cc
laiutexqwgua.cc
laiutexqwgub.cc
laiutexqwguc.cc
laiutexqwgun.cc
Content delivery and redirection roots
qisytesdra.love
lsdifuuwea.love
paeiyuytwe.love
liciuseret.love
psaofwiqw.love
kasiyrytrea.love
icsyrtarw.life
hsurtytctrse.life