Shreshta has been tracking an active phishing and malware operation that impersonates the Government of India's Income Tax Department and Ministry of Finance. The operation is timed to the AY2026-27 income tax filing season and targets Indian taxpayers and businesses. The lures address recipients generically and reference the recipient's company tax records.
Victims receive a bilingual Hindi and English notice alleging a tax irregularity and are directed to download a document archive. The archive delivers its payload through DLL sideloading. The delivery and credential pages are produced by a Chinese language phishing kit that retains an OFD document option, a document format specific to the People's Republic of China.
Pivoting 18 IP addresses with Shreshta Passive DNS telemetry, Shreshta attributes the campaign to 17 of those addresses across 11 autonomous systems, concentrated on Alibaba Cloud and a cluster of Hong Kong providers. The campaign's identifiable footprint is 379 domains in six naming families. The eighteenth address, a Yisu Cloud node, carries a separate co-located cluster of algorithmically generated domains that does not share the campaign's naming. The kit artifacts, the OFD document format and the hosting concentration attribute the operation to a China-nexus threat actor with high confidence.
This report focuses on infrastructure. A public analysis of a malware chain from the same family has been published by Seqrite as Operation DragonReturn, to which the reader is referred for the payload reverse engineering.
01Targeting
The lures address recipients generically as taxpayers and reference the recipient's company tax records, indicating that both individual and corporate taxpayers are in scope. The tax compliance theme and AY2026-27 timing align the operation with the income tax filing season.
02Initial access: the phishing email
The initial lure impersonates the Government of India, Ministry of Finance, Income Tax Department, Enforcement Division. It is formatted as an official office memorandum in Hindi and English and uses urgency and legal threat to drive action. Observed characteristics:
- Sender:
providemuch1948@outlook.com, a free webmail account rather than a government domain. - Reference number:
No. TAX/PEN/2026-14246. - Pretext: an alleged irregularity under Section 271(1)(c) of the Income Tax Act 1961, demanding document submission within 72 hours.
- Threat: legal action under Section 276C for non compliance.
- Impersonated signatory: an Assistant Commissioner of Income Tax.
Multiple waves of the lure were observed, each using a disposable Outlook sender and a different delivery domain. The delivery domains resolve within the mapped infrastructure (Section 05), which corroborates the passive DNS estate.
| Sender | Recipient mailbox | Delivery URL |
|---|---|---|
providemuch1948@outlook.com | info | document archive download |
BedsonHase6217@outlook.com | careers | https://adreses.vip/ |
| Outlook webmail (bilingual variant) | n/a | https://coinok.vip/ |
The page titles served by the campaign infrastructure corroborate the theme. Observed HTTP titles
include कर दंड सूचना - भारत सरकार (Tax Penalty Notice, Government of India),
Ministry of Finance, Government of India and Income Tax Department.
03Delivery: malicious archive and DLL sideloading
The download resolves to an archive containing three files:
| File | Approx. size | Function |
|---|---|---|
Document07.09.exe | 2 MB | Legitimate signed executable used as the sideloading host |
vulkan-1.dll | 4.4 MB | Malicious loader named after the Vulkan graphics runtime |
vulkan-1.bin | 299 KB | Encrypted payload and configuration read by the loader |
The three file layout is characteristic of DLL search order sideloading (MITRE ATT&CK T1574.002): a
legitimate signed executable, a malicious DLL named after a common system library, and an accompanying
data file. On execution, the host binary loads the attacker supplied vulkan-1.dll from its
own directory rather than the genuine system library. The name is chosen to blend in, as the Vulkan
runtime is present on any system with graphics drivers.
Shreshta has not reverse engineered the loader or its payload. The behaviour of the loader and the
handling of the encrypted vulkan-1.bin blob are documented in Seqrite's analysis of the same
malware family, referenced above.
04The phishing kit
The credential and delivery pages are generated by a reusable phishing kit. Two artifacts identify its origin.
Chinese language build annotations
The page source contains template instructions in Chinese, including 位置1:图片 src
(Position 1: image src) and 请将下方 src 替换为您的图片链接或 base64 代码 (Replace the src
below with your image link or base64 code). These are operator facing placeholders left in the deployed
pages.
An OFD document option
The rendered pages present a reused Indian tax invoice overlaid with three actions: Layout File Preview, OFD Layout File Download and PDF Preview Version Download. OFD (Open Fixed layout Document, standard GB/T 33190-2016) is the national electronic document format of the People's Republic of China. It has no legitimate role in Indian tax or corporate document workflows, where PDF is standard. Its presence as a default option indicates a kit authored for a Chinese language operator base. The kit supports multiple lure documents; invoice and payment themed pages were also observed from the same infrastructure. The invoice used as a lure background is a genuine third party document reused by the operator and is withheld here to protect the affected company.
05Infrastructure analysis
Scale and structure
Pivoting the 18 IP addresses with Shreshta Passive DNS telemetry surfaced 10,579 hostnames, but these are not one operation. Seventeen of the addresses host the campaign, whose identifiable footprint is 379 domains in six recognizable naming families, described below. The eighteenth, a Yisu Cloud node, resolves a large co-located cluster of algorithmically generated domains that does not share the campaign's naming and is treated separately (Figure 8). The campaign families are actively rotated, consistent with an operation that cycles landing domains to evade blocklisting and takedown.
Domain naming conventions
Income Tax and Government of India impersonation. Direct brand impersonation using
incometax and government keywords (incometax.click, incometaxi.click,
incometaxindiaefiling.help, indiaenforcementdivision.icu), the last of which
mirrors the Enforcement Division letterhead in the lure. The govinada and related
.us.cc set are Government of India lookalikes.
India branded typosquats. A bulk registered family of India lookalikes across low
cost TLDs, including the indiaxyz* series.
The laiuatexqw family. A single base label registered across a dozen TLDs, including
laiuatexqwgov.cc and httpslaiuatexqwgu.cc, in which the string https is embedded
in the label so a truncated URL appears legitimate.
Algorithmically generated control and staging. Over a hundred short, pronounceable but
meaningless labels on .eu.cc and .gu.cc, typical of scripted registration for
command, control and redirection.
Content delivery and redirection. Registered roots on .love and
.life, each fronted with a consistent subdomain scheme (cdn., static.,
assets., img., serve., api.) serving images, kit assets
and next stage content.
A co-located DGA cluster (not counted as campaign). One seed address,
154.221.26.227 (Yisu Cloud), resolves 8,583 domains that are overwhelmingly algorithmically
generated: random and hex labelled .com and .net names that resolve only to that
node. This cluster does not share the tax campaign's naming and is characteristic of malware command and
control or a botnet. It may be the operation's C2 tier or an unrelated cluster on the same bulletproof
host; passive DNS cannot distinguish the two. It is excluded from the campaign's 379 branded domains.
The campaign's identifiable footprint is 379 domains in six naming families across the seventeen confirmed IPs. This excludes the co-located DGA cluster on 154.221.26.227 (Figure 8).
Hosting and network analysis
Resolution of the 18 seed IP addresses to their announcing networks collapses them into 11 autonomous
systems. Hosting is concentrated on a single Alibaba Cloud autonomous system and a cluster of Hong Kong
providers, with a small number of Western cloud nodes used as disposable edge and redirection points,
including one Amazon node in the Mumbai region reached through nip.io and sslip.io
wildcard DNS.
| IP address | Announcing network | ASN | Region |
|---|---|---|---|
| 47.242.39.192 | Alibaba | AS45102 | CN / HK |
| 47.83.166.230 | Alibaba | AS45102 | CN / HK |
| 8.217.152.225 | Alibaba | AS45102 | CN / HK |
| 8.218.207.230 | Alibaba | AS45102 | CN / SG |
| 8.222.142.243 | Alibaba | AS45102 | CN / SG |
| 154.221.22.65 | Yisu Cloud | AS142403 | HK |
| 154.221.26.227 | Yisu Cloud (DGA cluster, likely C2) | AS142403 | HK |
| 103.97.128.107 | Cloudie Limited | AS55933 | HK |
| 156.251.16.107 | Tcloudnet | AS399077 | HK / US |
| 192.238.128.250 | Antbox Networks | AS138995 | HK |
| 103.23.172.117 | Beyotta Services LLP | AS997 | SG |
| 103.93.252.212 | Beyotta Services LLP | AS997 | SG |
| 154.36.165.51 | NetLab Global | AS979 | US |
| 64.90.12.51 | NetLab Global | AS979 | US |
| 45.150.226.85 | Spartan Host | AS201106 | GB / NL |
| 143.14.122.112 | Yadda OU | AS214647 | EE / NL |
| 3.110.184.116 | Amazon AWS | AS16509 | Mumbai, IN |
| 108.181.161.156 | Psychz Networks | AS40676 | US |
Blue bars are China or Hong Kong networks. Five of eighteen addresses fall within Alibaba's AS45102.
Infrastructure graph
Two views make the structure concrete. Figure 8 shows where the full estate resolves: it is dominated
by one Yisu Cloud shared hosting node. Figure 9 isolates the branded campaign families and groups them by
the IP that serves them. The separation is clean: income tax lures on 108.181.161.156, India
and laiuatexqw typosquats on 64.90.12.51, and the algorithmic control and content delivery
domains on the two Beyotta addresses. This separation of lure surface from control and delivery
infrastructure is characteristic of a structured operation.
One seed node, 154.221.26.227 (grey, Yisu Cloud), resolves 8,583 domains that are 81 percent algorithmically generated and resolve only to that node: a dedicated DGA cluster, distinct in naming from the tax campaign and characteristic of malware C2. The campaign's branded domains sit on the other seventeen addresses (Figure 9).
Figure 9 covers the 379 domains in the enumerated families (A to F), each shown under the IP that serves it. Per IP attribution is from a fresh, IP labelled re-pull of the passive DNS on 10 July 2026.
06Attribution
The available evidence attributes the operation to a China-nexus threat actor with high confidence:
- Chinese language build annotations embedded in the deployed phishing kit.
- The OFD document format, a Chinese national standard, offered to Indian victims.
- Hosting concentrated on Alibaba Cloud and Hong Kong providers.
- Lookalike domains for tax authorities in other jurisdictions hosted on the same infrastructure, indicating a multi region operator.
These findings are independent of, and consistent with, publicly reported activity from the same malware family.
07Detection and mitigation
For organizations
- Block the domain names in the appendix at DNS, proxy and firewall layers.
- Alert on execution of
vulkan-1.dlloutside legitimate graphics driver paths, and on any executable that sideloads a DLL from a user Downloads or temporary directory (T1574.002). - Monitor for outbound connections to the hosting ranges listed above.
For end users
- Access the income tax portal directly rather than through links in unsolicited email.
08Conclusion
The operation is a well resourced, China-nexus phishing and malware campaign that exploits the Indian tax filing season through government impersonation and a DLL sideloading delivery chain. It is delivered from a bulletproof hosting cluster of 18 addresses across 11 autonomous systems, of which 17 carry its 379 branded domains and one hosts a co-located DGA cluster. It is supported by a reusable Chinese language phishing kit. The scale and structure indicate a sustained operation rather than a short lived campaign, and defenders should expect continued domain rotation.
09Indicators of compromise
Domain to IP mappings for all 10,579 hostnames surfaced from the 18 seed IPs are provided in the accompanying file china-nexus-campaign.csv. The branded campaign families are enumerated below, one entry per line. IP addresses and file indicators follow.
103.23.172.117 47.242.39.192 103.97.128.107 8.217.152.225 156.251.16.107 143.14.122.112 154.221.22.65 192.238.128.250 8.222.142.243 47.83.166.230 154.36.165.51 45.150.226.85 3.110.184.116 154.221.26.227 8.218.207.230 103.93.252.212 64.90.12.51 108.181.161.156
providemuch1948@outlook.com BedsonHase6217@outlook.com No. TAX/PEN/2026-14246 adreses.vip coinok.vip Document07.09.exe vulkan-1.dll vulkan-1.bin
595688.taxeiit8.cn 82e7d502-98e7-40ef-9061-c9e478bbebb1.taxeiit8.cn admin.incometaxi.click covliinada.us.cc dashboard.incometaxi.click dqkgicrbvr73.taxeiit8.cn exncncrbvr73.taxeiit8.cn go.incometax.click go.incometax.gu.cc go.incometaxi.click gov.incometax.click gov.incometaxi.click goviinada.us.cc govinada.us.cc govliinada.us.cc in.incometax.click in.incometax.gu.cc incometax.click incometax.gu.cc incometaxi.click incometaxindiaefiling.help ind.incometax.click india.incometax.gu.cc indiaenforcementdivision.icu ingov.incometaxi.click mail.incometax.click mbzhb582q74uhmtj.taxeiit8.cn pay.incometax.click sitemap.incometax.click taxeiit8.cn www.go.incometax.click www.go.incometaxi.click www.gov.incometaxi.click www.in.incometax.click www.incometax.click www.incometaxi.click www.ind.incometax.click www.ingov.incometaxi.click www.sitemap.incometax.click www.taxeiit8.cn x7svby2tmu2gsrv4.taxeiit8.cn
india152366.cc indiacy.xyz indiaxyne.us.cc indiaxyqe.us.cc indiaxyre.us.cc indiaxyte.us.cc indiaxyz.top indiaxyz.xyz indiaxyzac.us.cc indiaxyzbc.us.cc indiaxyze.us.cc indiaxyzq.bond indiaxyzq.sbs indiaxyzq.us.cc indiaxyzq.xyz indiaxyzqa.us.cc indiaxyzqaq.us.cc indiaxyzqc.us.cc indiaxyzqd.us.cc indiaxyzqx.us.cc yindianshang.com
httpslaiuatexqwgu.cc httpslaiuatexqwgu.top laiuatexqw.gu.cc laiuatexqwgc.cc laiuatexqwgg.bond laiuatexqwgg.sbs laiuatexqwgg.top laiuatexqwgg.xyz laiuatexqwgov.cc laiutexqwag.xyz laiutexqwgu.cc laiutexqwgua.cc laiutexqwgub.cc laiutexqwguc.cc laiutexqwgun.cc
qisytesdra.love lsdifuuwea.love paeiyuytwe.love liciuseret.love psaofwiqw.love kasiyrytrea.love icsyrtarw.life hsurtytctrse.life