Operation DragonReturn: Inside the China-1exus Cyber Campaign Targeting India’s Tax Infrastructure with Stealthy DCRat Deployment + Video

Listen to this Post

Featured Image

Introduction

A sophisticated, China-1exus cyber espionage campaign codenamed “Operation DragonReturn” has been actively targeting Indian taxpayers, tax professionals, and corporate finance teams since May 18, 2026, using spear-phishing emails that impersonate India’s Income Tax Department. The attackers exploit the annual income tax filing season (AY2026-27) by cloning legitimate government utility filenames and employing a multi-stage infection chain that combines DLL sideloading, JPG-based payload concealment via steganography, and the deployment of DCRat—a powerful remote access trojan. With the latest payload variants achieving a 0/66 detection rate on VirusTotal, this campaign represents a sustained, resourced threat operation that poses significant risks to India’s financial and tax infrastructure.

Learning Objectives

  • Understand the complete infection chain of Operation DragonReturn, from spear-phishing lures to DCRat deployment
  • Master the technical analysis of DLL sideloading, JPG steganographic payload concealment, and AMSI bypass techniques
  • Learn to detect, mitigate, and defend against multi-stage RAT deployments targeting enterprise tax and finance environments

You Should Know

  1. The Spear-Phishing Vector: Tax Season Lures with Legal Precision

The attack begins with highly targeted spear-phishing emails that impersonate the Income Tax Department of India. Unlike opportunistic phishing campaigns, Operation DragonReturn demonstrates exceptional precision: the lure documents contain real legal citations, bilingual Hindi-English content consistent with genuine government memoranda, and active payload rotation. The emails create a false sense of urgency by referencing tax violations and penalties, prompting recipients to open PDF attachments containing an embedded malicious URL: “govtop[.]one/incometax”.

Upon clicking, victims are redirected to a convincing landing page that impersonates an official Office Memorandum bearing the Government of India emblem. This page instructs users to download a ZIP archive containing what appears to be a common offline tax-filing utility—the same utility legitimately provided by the Income Tax Department. This cloning of legitimate government software makes it exceptionally difficult for even security-aware users to distinguish the malicious file from the genuine one.

To detect such threats, security teams should implement email filtering rules that flag:
– Emails with embedded shortened URLs or suspicious domains (govtop[.]one)
– PDF attachments containing links rather than direct content
– Messages with urgency-inducing language about tax violations or penalties
– Sender domains that closely mimic but do not match official government domains

  1. DLL Sideloading: Abusing Windows Search Order for Stealthy Execution

The extracted ZIP archive contains a legitimate-looking executable that performs DLL sideloading—a technique that abuses Windows’ DLL search order to load a malicious library instead of the intended one. The attackers place a malicious DLL named “nvdaHelperRemote.dll” in the same directory as the legitimate executable. When the application runs, Windows loads the malicious DLL from the current directory before searching system paths, executing the attacker’s code within the context of a trusted, signed application.

This technique is particularly effective because it leverages trusted applications to bypass security solutions that primarily focus on identifying suspicious executables. The malicious DLL then injects another payload directly into memory, ensuring it operates without writing additional files to disk.

Step-by-step guide to understanding and testing DLL sideloading:

  1. Identify vulnerable applications: Use Process Monitor (ProcMon) to filter for “Path” contains “.dll” and “Result” is “NAME NOT FOUND” to find applications that attempt to load missing DLLs

  2. Create a proxy DLL: Using tools like ShellcodePack or DLL-proxying frameworks, generate a malicious DLL that exports all functions of the legitimate DLL and forwards calls to the original

  3. Place the malicious DLL: Copy the proxy DLL to the application’s directory with the same name as the missing DLL

  4. Execute the application: Run the legitimate executable—it will load your malicious DLL instead of the intended one

  5. Verify execution: Monitor with Process Explorer to confirm the DLL is loaded from your directory rather than the system path

Mitigation commands for Windows:

 Enable DLL search order mitigation
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -1ame "SafeDllSearchMode" -Value 1

Monitor DLL loading events
wevtutil qe Microsoft-Windows-Sysmon/Operational /c:10 /q:"EventID=7"

Use AppLocker to restrict DLL execution paths
 Configure via: gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker
  1. JPG Payload Concealment: Steganography in the Attack Chain

Once the malicious DLL is executed, it performs anti-analysis checks to avoid execution within sandboxed or debugging environments. It then retrieves a JPG image (“lllyd.jpg”) from a hard-coded server (204.194.48[.]250) and stores it as “C:\Windows\background.jpg”. This image file serves as a container for a secondary payload—a technique known as steganography.

The attackers embed a 504 KB DLL within the pixel data of the JPG image. The malicious code extracts this hidden DLL from the image and writes it to “C:\Program Files\Windows Media Player\nvdaHelperRemote.dll”. This stealthy approach allows the malware to conceal its payload within innocuous-looking image files, evading signature-based detection systems that scan for malicious file types.

Step-by-step guide to steganographic payload extraction (forensic analysis):

  1. Identify suspicious image files: Search for recently created JPG files in unusual locations
    Get-ChildItem -Path C:\ -Recurse -Include .jpg,.jpeg -ErrorAction SilentlyContinue | Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-7)}
    

  2. Examine file entropy: Use binwalk to detect embedded data

    binwalk -e suspicious.jpg
    

  3. Extract hidden payloads: Use steghide with common passwords or analyze raw pixel data

    steghide extract -sf suspicious.jpg
    

  4. Analyze embedded DLL: Once extracted, examine the DLL with PE analysis tools

    Check for suspicious DLLs in non-standard locations
    Get-ChildItem -Path "C:\Program Files\Windows Media Player.dll" -Recurse | Where-Object {$_.Name -1otin @("wmploc.dll","wmp.dll")}
    

Detection commands for Linux/Unix environments:

 Use exiftool to check for anomalous EXIF data
exiftool suspicious.jpg | grep -E "Comment|Description|Copyright|Artist"

Calculate entropy to detect hidden data
ent suspicious.jpg

Use foremost for file carving
foremost -t jpg suspicious.jpg

4. Persistence Mechanisms: Windows Service and UAC Bypass

After extracting the payload, the malware copies itself as “Mixed Reality.exe” and establishes persistence by creating a Windows service named “MixedSvc,” configured to start automatically on system boot. This ensures the malware survives system reboots and maintains long-term access.

Before deploying the final payload, the malware checks whether it’s running with administrative privileges. If not, it triggers a User Account Control (UAC) prompt to trick the user into running it with elevated permissions. This UAC bypass technique is critical for the malware to perform system-level operations, including disabling security controls.

Step-by-step guide to identifying and removing malicious persistence:

  1. List all Windows services and check for suspicious entries:
    Get-Service | Where-Object {$<em>.DisplayName -like "Mixed" -or $</em>.ServiceName -like "MixedSvc"}
    

2. Check service binary paths for anomalies:

wmic service get name,displayname,pathname | findstr /i "mixed"

3. Disable and delete the malicious service:

Stop-Service -1ame "MixedSvc" -Force
sc.exe delete "MixedSvc"

4. Remove the malicious executable:

Remove-Item -Path "C:\Program Files\Mixed Reality.exe" -Force

5. Check scheduled tasks and startup folders:

 Check scheduled tasks
Get-ScheduledTask | Where-Object {$_.TaskPath -like "Mixed"}

Check startup folder
Get-ChildItem -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

Linux persistence detection:

 Check systemd services
systemctl list-units --type=service | grep -i mixed

Check cron jobs
crontab -l
cat /etc/crontab

Check init scripts
ls -la /etc/init.d/
  1. DCRat Deployment: The Final Payload and Its Capabilities

The “Mixed Reality.exe” binary deploys two distinct payloads. The first is a .NET malware loader that performs anti-analysis checks, establishes persistence, disables Windows AMSI (Antimalware Scan Interface) scanning, and decrypts and loads DCRat on the infected machine. The second payload features capabilities to take screenshots and exfiltrate data to a remote server (“kkxqbh[.]top”).

DCRat (Dark Crystal Remote Access Trojan) is a C-based RAT that operates as Malware-as-a-Service (MaaS), first appearing in at least 2018 and heavily advertised on Russian cybercrime forums for approximately $7 for a two-month subscription. It is a variant of the open-source AsyncRAT with additional capabilities.

Key DCRat capabilities include:

  • Remote shell access: Execute arbitrary commands on compromised systems
  • Keylogging: Capture all keystrokes to steal credentials and sensitive information
  • File exfiltration: Steal documents, spreadsheets, and other files from the victim’s system
  • Credential theft: Extract stored credentials from browsers and applications
  • Screen capture: Take screenshots of the victim’s desktop
  • Webcam access: Unauthorized access to the victim’s webcam
  • AMSI bypass: Patch Microsoft’s Antimalware Scan Interface to evade detection
  • Process termination: Kill security and analysis processes including Taskmgr.exe, ProcessHacker.exe, MsMpEng.exe, and Taskkill.exe

Step-by-step guide to detecting DCRat infections:

1. Check for AMSI bypass indicators:

 Monitor AMSI events
wevtutil qe Microsoft-Windows-Windows Defender/Operational /c:50 /q:"EventID=5007"

2. Look for DCRat process patterns:

 Check for suspicious .NET processes
Get-Process | Where-Object {$_.ProcessName -match "aspnet_compiler|vbc|csc|installutil"} | Format-Table ProcessName,Id,StartTime
  1. Examine network connections to known DCRat C2 servers:
    Check active connections
    netstat -ano | findstr "223.26.63.40"
    netstat -ano | findstr "kkxqbh.top"
    

4. Search for DCRat files and artifacts:

 Look for DCRat-related files
Get-ChildItem -Path C:\ -Recurse -Include DcRat,dcrat,DarkCrystal -ErrorAction SilentlyContinue

Check for suspicious DLLs in Windows Media Player directory
Get-ChildItem -Path "C:\Program Files\Windows Media Player\nvdaHelperRemote.dll" -ErrorAction SilentlyContinue
  1. Monitor for C compiler usage (DCRat is written in C and uses legitimate .NET compilers):
    Log C compiler executions
    Get-WinEvent -LogName "Security" | Where-Object {$_.Message -match "csc.exe|vbc.exe"}
    

6. Infrastructure Attribution and Tactical Overlaps

Infrastructure analysis reveals the use of IP addresses belonging to ChinaNet, as well as a Chinese-language web management panel exposed by the DCRat C2 server (223.26.63[.]40). Seqrite Labs identified infrastructure and tactical overlaps with Silver Fox, a Chinese cybercrime group previously attributed to similar attacks.

The campaign demonstrates APT-style characteristics based on TTPs (Tactics, Techniques, and Procedures) that Seqrite Lab has observed in China-1exus threat clusters. The use of real legal citations, bilingual content, active payload rotation, and precise targeting of the Indian taxpayer ecosystem indicates a deliberate, resourced, and sustained threat operation.

Key indicators of compromise (IOCs) to monitor:

  • Domains: govtop[.]one, kkxqbh[.]top
  • IP addresses: 204.194.48[.]250, 223.26.63[.]40
  • Files: nvdaHelperRemote.dll, Mixed Reality.exe, lllyd.jpg, background.jpg
  • Service names: MixedSvc
  • File paths: C:\Windows\background.jpg, C:\Program Files\Windows Media Player\nvdaHelperRemote.dll

7. Defense and Mitigation Strategies

Organizations in India’s financial and tax sectors should implement the following defenses:

Email Security:

  • Deploy advanced email filtering solutions that detect spear-phishing attempts
  • Implement DMARC, SPF, and DKIM to prevent email spoofing
  • Train employees to verify sender addresses and avoid clicking on embedded URLs in PDF attachments
  • Block known malicious domains (govtop[.]one) at the network level

Endpoint Protection:

  • Enable AMSI and keep it updated to detect .NET-based malware
  • Implement application whitelisting to prevent unauthorized executables
  • Monitor for DLL sideloading attempts using Sysmon (Event ID 7 for DLL loading)
  • Disable unnecessary Windows services and restrict service creation permissions

Network Security:

  • Block outbound connections to known malicious IPs (204.194.48[.]250, 223.26.63[.]40)
  • Implement network segmentation to limit lateral movement
  • Deploy IDS/IPS signatures for DCRat C2 communication patterns
  • Monitor for anomalous outbound traffic, especially to Chinese IP ranges

Incident Response:

  • Maintain updated IOCs for rapid threat hunting
  • Implement behavioral analysis to detect unusual patterns indicative of malware presence
  • Regularly test incident response plans against RAT deployment scenarios

What Undercode Say

  • The 0/66 detection rate on VirusTotal for the latest payload variant is a stark reminder that signature-based defenses are no longer sufficient against sophisticated, well-resourced threat actors. Organizations must invest in behavioral analysis, endpoint detection and response (EDR), and proactive threat hunting to detect such zero-day threats before they cause damage.

  • The exploitation of tax filing seasons demonstrates how cyber adversaries meticulously align their operations with predictable human workflows. This campaign is not opportunistic—it is a calculated, sustained operation that weaponizes trust in government institutions during periods of heightened anxiety and urgency. Defenders must recognize that social engineering during tax season is a predictable attack vector and implement seasonal security awareness campaigns.

  • The combination of DLL sideloading and JPG steganography represents a sophisticated evasion technique that bypasses traditional file-based scanning. Security teams should shift focus from static file analysis to dynamic behavioral monitoring. The use of legitimate applications to load malicious code underscores the importance of application control and whitelisting solutions.

  • DCRat’s availability as Malware-as-a-Service for as little as $7 per two months democratizes advanced cyber capabilities. This means even low-skill threat actors can deploy sophisticated RATs with anti-analysis features, AMSI bypass, and comprehensive data theft capabilities. Defenders must assume that any organization can be targeted by such affordable, accessible malware.

  • The China-1exus attribution and infrastructure overlaps with Silver Fox highlight the interconnected nature of cyber threat actors. While attribution remains challenging, the use of Chinese-language C2 panels and IP addresses from ChinaNet provides strong indicators. Organizations operating in geopolitical hotspots must consider state-sponsored and cybercriminal threats as overlapping risks with similar TTPs.

Prediction

-1 The weaponization of tax filing seasons will become a recurring global trend, with threat actors adapting this playbook to target tax infrastructures in other countries during their respective filing periods. This campaign’s success will likely inspire copycat operations targeting the US, UK, and European tax systems within 12-18 months.

+1 The 0/66 detection rate and sophisticated evasion techniques will drive accelerated adoption of AI-powered behavioral detection and EDR solutions across India’s financial sector. Security vendors will prioritize developing AMSI bypass detection and DLL sideloading prevention mechanisms as standard features.

-1 The exposure of DCRat’s C2 infrastructure and IOCs will not significantly disrupt the operation, as threat actors actively rotate payloads and infrastructure. The campaign is likely to continue through the remainder of the tax filing season with new variants, requiring sustained vigilance and proactive threat hunting.

+1 Increased awareness of Operation DragonReturn will prompt the Indian government to enhance cybersecurity requirements for tax filing utilities and implement stronger authentication mechanisms for official communications. This could lead to the adoption of digital signatures and verified communication channels for all tax-related correspondence.

-1 The MaaS model for DCRat means that even after this campaign is disrupted, the malware will continue to be deployed through other vectors—HTML smuggling, adult content lures, and pirated software updates—making complete eradication unlikely in the near term.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Mohit Hackernews – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky