Operation DragonReturn: China-Nexus Espionage Targeting India’s Tax Infrastructure
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A sophisticated China-aligned cyber espionage campaign is targeting India’s tax ecosystem by impersonating the Ministry of Finance. The operation uses spearphishing emails with malicious attachments to deliver a multi-stage DcRAT infection chain. The malware relies on steganography, AMSI bypass, and fileless .NET execution to persist on compromised systems and exfiltrate sensitive information.
Investigation
Seqrite Lab uncovered the campaign through analysis of a multi-stage infection chain built around a fake government utility. The investigation showed use of a lightweight launcher that calls a DLL, which then injects code into svchost.exe. Analysts also identified a steganographic payload hidden inside a JPG image and observed encrypted command-and-control traffic over TLS.
Mitigation
Organizations should deploy strong email filtering to block suspicious attachments and links sent from impersonated government domains. Security teams should monitor for unauthorized Windows service creation, especially services disguised as legitimate components such as Windows Mixed Reality. Enforcing strict UAC policies and watching for suspicious in-memory .NET execution can also help reduce the impact of compromise.
Response
If this activity is detected, affected endpoints should be isolated immediately to prevent additional command-and-control communication and data theft. Investigators should perform memory forensics to identify injected code inside svchost.exe and check for unauthorized services such as MixedSvc. Network logs should also be reviewed for connections to the identified domains and IP addresses, while incident response should focus on credential rotation and verification of system integrity.
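The two checks the Mitigation and Response sections call for, unauthorized service creation disguised as the Windows Mixed Reality service and outbound connections to the named C2 domains, can be run as a small triage script over endpoint telemetry. The following Python is an added example written for this page; it is not Seqrite's code and not the detection rules listed below. The events are constructed Sysmon-style records (Event ID 1 process creation, Event ID 3 network connection); the service binary path, parent process, destination IPs and exact field names are assumptions, while the service name MixedSvc, the domains ikkkkddd.com and kkxqbh.top and port 2671 come from the report.

```python
"""Triage Sysmon-style events for Operation DragonReturn indicators (added example)."""
import re

# Indicators stated in the report above.
C2_DOMAINS = {"ikkkkddd.com", "kkxqbh.top"}
C2_PORTS = {2671}
MASQUERADING_SERVICE_NAMES = {"mixedsvc"}

# Constructed sample telemetry (not real logs). Field names follow Sysmon Event ID 1 / 3
# conventions; paths, parent processes and IPs (RFC 5737 ranges) are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": 'sc.exe create MixedSvc binPath= "C:\\ProgramData\\launcher.exe" '
                    'start= auto DisplayName= "Windows Mixed Reality Service"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\Common_Offline_Utility.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe query wuauserv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "kkxqbh.top", "DestinationIp": "203.0.113.10",
     "DestinationPort": 2671, "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "ctldl.windowsupdate.com", "DestinationIp": "198.51.100.7",
     "DestinationPort": 443, "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "ikkkkddd.com", "DestinationIp": "203.0.113.11",
     "DestinationPort": 443, "Protocol": "tcp"},
]

# Matches "sc create <name>" and "sc.exe create <name>", optionally with a \\host argument.
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?create\s+(\S+)", re.IGNORECASE)


def detect_service_persistence(event):
    """Flag process creation where sc.exe creates a service using a known masquerading name."""
    if event.get("EventID") != 1:
        return None
    match = SC_CREATE.search(event.get("CommandLine", ""))
    if not match:
        return None
    service = match.group(1)
    if service.lower() not in MASQUERADING_SERVICE_NAMES:
        return None
    return {"rule": "Suspicious Service Creation for Persistence",
            "service": service, "parent": event.get("ParentImage")}


def _matches_c2_domain(host):
    """True for an exact C2 domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def detect_c2_connection(event):
    """Flag network connections to the C2 domains; the non-standard port raises severity."""
    if event.get("EventID") != 3:
        return None
    host = event.get("DestinationHostname") or ""
    if not _matches_c2_domain(host):
        return None
    port = event.get("DestinationPort")
    return {"rule": "Operation DragonReturn C2 Communication Detection",
            "image": event.get("Image"), "host": host, "port": port,
            "severity": "critical" if port in C2_PORTS else "high"}


def triage(events):
    """Run every detector over every event and return the hits in event order."""
    hits = []
    for event in events:
        for detector in (detect_service_persistence, detect_c2_connection):
            hit = detector(event)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Matching on the hostname rather than only the IP keeps the check useful if the operators rotate IPs behind the same domains; the port is treated as a severity modifier rather than a standalone indicator, since 2671 on its own would be noisy across a fleet.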
Attack Flow
flowchart TD
    step_initial_access["T1566.001 – Phishing: Spearphishing Attachment: Emails impersonating Indian Income Tax Dept directing to fraudulent website"]
    step_user_execution["T1204.002 – User Execution: Malicious File: Victim downloads and executes 'Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip'"]
    step_masquerading["T1036.008 – Masquerading: Masquerade File Type: ZIP file disguised as a legitimate government utility"]
    step_persistence["T1543.003 – Create or Modify System Process: Windows Service: Uses sc.exe to create 'MixedSvc' (Windows Mixed Reality Service)"]
    rules_for_persistence("<b>Rule Name</b>: Suspicious Service Creation for Persistence (via system)<br/><b>Rule ID</b>: 806016e5-93a7-428b-977a-0ec95d1f6b49")
    step_privilege_escalation["T1548.004 – Abuse Elevation Control Mechanism: Elevated Execution with Prompt: Attempting to trigger UAC prompt via 'runas' verb"]
    step_defense_evasion["T1562.001 – Impair Defenses: AMSI Bypass & T1497 – Virtualization/Sandbox Evasion: Patching AmsiOpenSession and performing timing checks"]
    step_injection["T1055.002 – Process Injection: Portable Executable Injection: Injecting decrypted payload into svchost.exe"]
    step_reflective_loading["T1620 – Reflective Code Loading: Executing .NET assembly directly in memory for fileless execution"]
    step_collection["T1113 – Screen Capture & T1125 – Video Capture: Monitoring victim and archiving data via zlib (T1560)"]
    step_exfiltration["T1573 – Encrypted Channel & T1041 – Exfiltration Over C2 Channel: Exfiltrating to ikkkkddd.com and kkxqbh.top"]
    step_initial_access -->|leads_to| step_user_execution
    step_user_execution -->|involves| step_masquerading
    step_masquerading -->|triggers| step_persistence
    step_persistence -->|enables| step_privilege_escalation
    step_privilege_escalation -->|leads_to| step_defense_evasion
    step_defense_evasion -->|precedes| step_injection
    step_injection -->|enables| step_reflective_loading
    step_reflective_loading -->|leads_to| step_collection
    step_collection -->|culminates_in| step_exfiltration
    step_persistence -.->|detected_by| rules_for_persistence
Detections
- Suspicious Service Creation for Persistence (via system)
- Operation DragonReturn C2 Communication Detection [Windows Network Connection]
- Detect Process Injection Involving VirtualAlloc and CreateToolhelp32Snapshot [Windows Sysmon]
- Detected Malicious Persistence via Mixed Reality Service [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands: An adversary has successfully deployed a second-stage dropper. To establish persistence and receive further instructions, the malware attempts to reach out to its hardcoded C2 infrastructure. The attacker's goal is to bypass standard web proxies by using a non-standard port (2671). The simulation uses PowerShell to mimic this behavior by attempting a TCP connection to the specific domain kkxqbh.top on port 2671, thereby generating the exact domain and port telemetry required by the detection rule.
Regression Test Script:

# Simulation of DragonReturn C2 communication
$C2Domain = "kkxqbh.top"
$C2Port = 2671

Write-Host "[+] Attempting to simulate C2 connection to $C2Domain on port $C2Port..."

try {
    # Using a TCP Client to initiate a connection to the specific IoCs
    $tcpClient = New-Object System.Net.Sockets.TcpClient
    $connection = $tcpClient.BeginConnect($C2Domain, $C2Port, $null, $null)

    # Wait for a short period to allow telemetry to be generated
    $success = $connection.AsyncWaitHandle.WaitOne(5000, $false)

    if ($success) {
        Write-Host "[!] Connection established (Simulated C2 Success)."
    } else {
        Write-Host "[?] Connection failed (expected if domain is inactive), but telemetry should have been generated."
    }

    $tcpClient.Close()
} catch {
    Write-Host "[!] Error during simulation: $_"
}
Cleanup Commands:

# No persistent changes made; no cleanup required for this network-only simulation.
Write-Host "[+] Simulation complete. No system changes were made."