Listen to this Post

Introduction
A sophisticated phishing campaign impersonating the Indian Income Tax Department has been observed deploying a six-stage infection chain that culminates in two in-memory remote access trojans (RATs)—a Gh0st RAT derivative and a Quasar/AsyncRAT-family .NET payload. This campaign leverages DLL search-order hijacking, polyglot image-based payload concealment, reflective loading, and session-wide process injection to achieve stealthy, resilient access that evades traditional endpoint detection. The dual-implant architecture provides attackers with operational redundancy: if one channel is detected and blocked, the other retains access.
Learning Objectives
- Understand the complete six-stage infection chain and how each phase contributes to defense evasion
- Master the technical mechanics of DLL search-order hijacking, polyglot file concealment, and AMSI bypass
- Learn to detect, hunt for, and mitigate this threat using concrete Linux/Windows commands and threat-hunting techniques
1. The Six-Stage Infection Chain: A Deep Dive
The attack begins when victims visit fraudulent websites posing as the Indian Income Tax Department, where they are pressured with urgent compliance notices. A secondary redirection to a fake “Microsoft Edge Secure Gateway” page manufactures legitimacy before automatically downloading a ZIP archive named Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip.
Stage 1 – Initial Execution: The archive contains a legitimate, digitally signed executable (COU_ITR-1_to_4_AY2026-27.exe) alongside a malicious DLL (nvdaHelperRemote.dll). Placing the malicious DLL alongside the signed binary abuses Windows’ DLL search order, causing the trusted process to load attacker-controlled code.
Stage 2 – Privilege Escalation: The initial DLL decodes shellcode in memory and spawns a downloader that elevates via a UAC runas prompt. If the process lacks administrative privileges, it triggers a UAC prompt to obtain elevated permissions.
Stage 3 – Persistence: The downloader enforces single-instance execution using global events and creates persistence as a service named `MixedSvc` with the display name “Windows Mixed Reality Service”.
Stage 4 – Payload Retrieval: The downloader fetches a polyglot file from infrastructure at `118[.]107[.]0[.]197` and saves it as C:\Windows\background.jpg. This JPG is a valid image but contains multiple encrypted payload blobs appended at distinct offsets.
Stage 5 – Reflective Loading: A staged loader reflectively maps next-stage DLLs, avoiding on-disk PE writes. An injector enumerates processes and uses `CreateRemoteThread` and `WriteProcessMemory` to inject payloads into svchost.exe.
Stage 6 – Dual Implant Deployment: A session-aware injector reassigns duplicated tokens to spawn suspended `svchost.exe` instances across all active sessions, injecting two separate payloads for every logged-in user.
Commands for Analysis
On Windows (PowerShell as Administrator):
Check for the malicious service
Get-Service -1ame "MixedSvc" | Select-Object Name, DisplayName, Status, StartType
Check for the polyglot file
Test-Path "C:\Windows\background.jpg"
Examine scheduled tasks and services for persistence
Get-ScheduledTask | Where-Object {$<em>.TaskName -like "Mixed"}
Get-WmiObject Win32_Service | Where-Object {$</em>.DisplayName -like "Mixed Reality"}
Monitor DLL loading events
Set-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Kernel-Process/Operational'; ID=7} -MaxEvents 50
On Linux (for hunting across endpoints):
If using Sysinternals strings via Wine or analyzing samples strings -1 10 nvdaHelperRemote.dll | grep -i "MixedSvc|background.jpg|118.107.0.197" YARA scanning for Gh0st RAT indicators yara -r gh0st_rules.yar /path/to/suspicious/files/
2. DLL Search-Order Hijacking: The Trusted Entry Point
This technique is the cornerstone of the initial compromise. Windows follows a specific search order when loading DLLs: the directory from which the application loaded, the system directory, the Windows directory, and then the current directory. By placing a malicious `nvdaHelperRemote.dll` in the same directory as a signed, trusted executable, the attacker ensures the legitimate binary loads the rogue library.
Why this is effective: The signed binary passes initial trust checks and may even be whitelisted by security products. The malicious DLL inherits this trust context, providing a clean execution environment that bypasses application control solutions.
Verification Commands
On Windows:
Check DLL search order for a specific executable
dumpbin /dependents COU_ITR-1_to_4_AY2026-27.exe
Monitor DLL load events using Sysmon (Event ID 7)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=7} |
Where-Object {$_.Message -like "nvdaHelperRemote"}
List all loaded DLLs in a process
tasklist /m /fi "imagename eq COU_ITR-1_to_4_AY2026-27.exe"
3. Polyglot Image Concealment: Hiding in Plain Sight
The attackers use a polyglot file—a valid JPEG image (background.jpg) that contains multiple encrypted payload blobs appended at distinct offsets. This technique serves two purposes: it passes as a benign image under casual inspection, and it allows different stages to extract components without dropping obvious artifacts.
The image file is stored at `C:\Windows\background.jpg` and serves as a container for secondary payloads. From this image, a 504 KB DLL is extracted and written to C:\Program Files\Windows Media Player\nvdaHelperRemote.dll.
Extraction and Analysis
On Linux (using dd and binwalk):
Analyze the polyglot file structure binwalk -e C:\Windows\background.jpg Extract embedded data at specific offsets dd if=background.jpg of=payload.bin bs=1 skip=OFFSET count=LENGTH Check for embedded PE files strings -1 8 background.jpg | grep -i "MZ|PE|dll|exe"
On Windows (PowerShell):
Check file type and embedded strings
Get-Content -Path "C:\Windows\background.jpg" -Encoding Byte -TotalCount 1000 | Format-Hex
Use .NET to read embedded payloads
[System.IO.File]::ReadAllBytes("C:\Windows\background.jpg") |
Select-Object -Skip OFFSET -First LENGTH |
Set-Content -Path "extracted_payload.bin" -Encoding Byte
4. In-Memory Execution and AMSI Bypass
The campaign avoids writing payloads to disk by using reflective loading—a technique that maps DLLs directly into memory without using the Windows loader. The .NET Quasar/AsyncRAT-family payload is delivered via an AES-encrypted assembly that is decrypted in memory, AMSI-patched, and hosted directly by the native process’ CLR.
AMSI Bypass Technique: The malware patches the Antimalware Scan Interface to prevent detection of in-memory .NET payloads. This allows the .NET CLR to be hosted from native code, sidestepping standard managed-code detection paths.
Detection Commands
On Windows (PowerShell with AMSI logging enabled):
Enable AMSI logging
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AMSI" -1ame "EnableLogging" -Value 1
Monitor AMSI events (Event ID 1116)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=1116} -MaxEvents 50
Check for AMSI patches in memory
$process = Get-Process -1ame "svchost" | Select-Object -First 1
$modules = $process.Modules | Where-Object {$_.ModuleName -like "amsi"}
$modules | Format-Table ModuleName, FileName, Size
- The Dual RAT Implants: Gh0st RAT and AsyncRAT
Gh0st RAT Derivative: Connects to `kkxqbh[.]top:6666` and runs fully in memory. It reflectively loads zlib, CameraUtil.dll, libturbojpeg, and a custom VTCP.dll to implement:
– Screen capture with JPEG encoding pipeline
– Reverse shell access
– File operations
– Robust C2 framing (6-byte sync + 4-byte length, zlib compression)
Quasar/AsyncRAT-Family .NET Payload: Connects to `ouewop[.]com:6351` and uses Quasar-style PBKDF2-derived configuration with encrypted config blobs. Capabilities include:
– Remote desktop control
– Keylogging
– Credential harvesting
– File system manipulation
C2 Detection Commands
On Windows (network monitoring):
Check for active connections to malicious C2
Get-1etTCPConnection | Where-Object {$_.RemoteAddress -match "kkxqbh.top|ouewop.com|118.107.0.197"}
Monitor DNS queries for suspicious domains
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DNS-Client/Operational'; ID=3008} -MaxEvents 100 |
Where-Object {$_.Message -match "kkxqbh|ouewop"}
Block C2 domains via hosts file
Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "127.0.0.1 kkxqbh.top"
Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "127.0.0.1 ouewop.com"
On Linux (network analysis):
Check for connections to malicious IPs sudo netstat -tunap | grep -E "6666|6351|118.107.0.197" DNS query monitoring sudo tcpdump -i any port 53 -1 | grep -E "kkxqbh|ouewop" Block C2 IPs with iptables sudo iptables -A OUTPUT -d 118.107.0.197 -j DROP sudo iptables -A OUTPUT -d kkxqbh.top -j DROP
6. Threat Hunting and Detection Strategies
The campaign’s sophisticated evasion techniques require proactive threat hunting rather than reliance on signature-based alerts.
Key Artifacts to Hunt
| Artifact | Location/Value |
|-|-|
| Service Name | `MixedSvc` |
| Display Name | “Windows Mixed Reality Service” |
| Polyglot File | `C:\Windows\background.jpg` |
| Malicious DLL | `nvdaHelperRemote.dll` |
| C2 Domains | `kkxqbh[.]top`, `ouewop[.]com` |
| C2 IP/Port | 118[.]107[.]0[.]197, port 6666, 6351 |
Hunting Commands
On Windows (Sysmon and Event Logs):
Hunt for service creation (Event ID 7045)
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} |
Where-Object {$_.Message -like "MixedSvc"}
Hunt for process injection (Sysmon Event ID 8)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=8} |
Where-Object {$_.Message -like "svchost.exe"}
Hunt for reflective loading indicators
Get-Process | Where-Object {$_.Modules.FileName -like "unknown"} | Format-Table ProcessName, ID
On Linux (cross-platform EDR queries):
Search for indicators across mounted Windows drives
find /mnt/windows -1ame "background.jpg" -exec ls -la {} \;
find /mnt/windows -1ame "nvdaHelperRemote.dll" -exec strings {} \; | grep -i "MixedSvc"
Check for suspicious service configurations
grep -r "MixedSvc" /mnt/windows/Windows/System32/config/
7. Mitigation and Hardening Recommendations
Application Control: Implement Windows Defender Application Control (WDAC) or AppLocker to restrict which executables and DLLs can run.
DLL Search Order Mitigation: Set `CWDIllegalInDllSearch` registry key to prevent applications from loading DLLs from the current working directory.
Registry mitigation for DLL search-order hijacking New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -1ame "CWDIllegalInDllSearch" -Value 1 -PropertyType DWord -Force
AMSI Hardening: Ensure AMSI is enabled and logging is active across all endpoints.
Enable AMSI in PowerShell 5.0+ Set-MpPreference -EnableAMSI $true Set-MpPreference -DisableRealtimeMonitoring $false
Network Controls: Block outbound connections to known malicious C2 infrastructure at the firewall level.
Windows Firewall rules to block C2 New-1etFirewallRule -DisplayName "Block Gh0st RAT C2" -Direction Outbound -RemoteAddress "118.107.0.197" -Action Block New-1etFirewallRule -DisplayName "Block AsyncRAT C2" -Direction Outbound -RemoteAddress "kkxqbh.top","ouewop.com" -Action Block
What Undercode Say
Key Takeaway 1: The dual-implant architecture (Gh0st RAT + AsyncRAT) represents a deliberate operational security design that provides attackers with redundancy and different detection profiles—if one implant is identified and blocked, the other remains active. This complicates incident response and requires defenders to hunt for both families simultaneously.
Key Takeaway 2: The attack chain’s reliance on fileless execution (reflective loading, AMSI patching, polyglot concealment) demonstrates that traditional file-based endpoint protection is insufficient. Organizations must invest in behavioral detection, memory analysis, and proactive threat hunting to identify these sophisticated intrusions.
Analysis: This campaign is not opportunistic—it reflects a resourced, persistent threat actor with deep understanding of Windows internals and Indian tax infrastructure. The use of bilingual content, real legal citations, and legitimate-looking government branding indicates careful targeting of the Indian taxpayer ecosystem. The infrastructure separation across multiple domains, a dedicated polyglot host, and two independent C2 servers makes disruption efforts significantly more difficult. Organizations in the financial services, NBFC, and securities sectors are particularly vulnerable due to their routine document exchange with regulators.
Prediction
-1 The sophistication of this campaign signals an escalation in tax-themed cybercrime that will likely inspire copycat attacks across other jurisdictions and government agencies. The playbook—signed binary sideloading, polyglot concealment, dual RAT deployment—is reusable and will be adopted by other threat actors.
-1 The use of legitimate QQ.com email accounts that passed SPF, DKIM, and DMARC authentication indicates that email authentication standards alone are insufficient defense. Attackers are increasingly leveraging compromised legitimate accounts to bypass sender reputation filtering.
+1 However, increased awareness and the detailed public disclosure of indicators of compromise (IOCs) will enable security vendors to develop detection signatures for this specific campaign, forcing the threat actor to retool.
-1 The six-stage infection chain’s complexity suggests that this campaign may be the work of a China-1exus group (potentially Silver Fox/Void Arachne) with ties to state-sponsored espionage objectives. The targeting of tax infrastructure and financial data points to both financial gain and intelligence collection motives.
-1 Small and medium-sized enterprises that rely solely on basic email filtering and endpoint protection are at highest risk. A significant number of compromises may go undetected until exfiltration or ransomware deployment occurs.
+1 The proactive hunting guidance provided by researchers—focusing on the fake Windows Mixed Reality Service, host artifacts, and named kernel objects—gives DFIR teams actionable pivots to identify compromises before alerts fire. Organizations that adopt these hunting practices will have a defensive advantage.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


