Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. of India/MoF Tax Infrastructure via Multi-Stage DcRAT Deployment

Seqrite reported Operation DragonReturn, a China-aligned campaign that impersonates India’s Income Tax Department to target taxpayers, tax professionals, and corporate finance teams with a multi-stage malware chain. The operation uses a fake ITR utility, steganographic payload concealment, AMSI bypass, Windows service persistence, and encrypted C2 infrastructure including govtop[.]one, kkxqbh[.]top, and 223.26.63.40:2671. #OperationDragonReturn #SilverFox #DcRAT #govtopone #kkxqbhtop

Keypoints

  • The campaign impersonates the Income Tax Department, Government of India, to target Indian taxpayers, tax professionals, CAs, and corporate finance teams.
  • Seqrite first observed the activity on May 18, 2026, and reported that it remained active through June 17, 2026.
  • The lure uses a fake official document and a malicious ZIP named to resemble the legitimate offline ITR utility for AY2026-27.
  • The infection chain includes a launcher EXE, DLL-based injection, an embedded payload hidden in a JPG file, and multiple staged payloads.
  • The malware establishes persistence through a Windows service named MixedSvc and disguises itself as “Windows Mixed Reality Service.”
  • Payloads perform anti-analysis checks, AMSI bypass, process injection into svchost.exe, and fileless .NET execution in memory.
  • The malware connects to encrypted C2 infrastructure and exfiltrates host details, screenshots, and other system data.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The campaign delivered a malicious attachment through an email impersonating the Income Tax Department (‘email impersonating the Income Tax Department, Government of India, containing an attachment related to a tax notification’).
  • [T1566.002] Phishing: Spearphishing Link – The attachment embedded a URL that redirected victims to a lure page (‘contains an embedded URL, govtop[.]one/incometax’).
  • [T1204.002] User Execution: Malicious File – Victims were expected to download and run the disguised ZIP/EXE payload (‘encourage recipients to open the file’ and ‘proceed with downloading and executing it’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The malware spawned multiple cmd.exe processes to carry out service-related actions (‘spawns multiple cmd.exe processes that leverage the Windows Service Control (sc.exe) utility’).
  • [T1106] Native API – The malware dynamically resolved and used native Windows APIs for memory and process manipulation (‘dynamically resolve critical Windows APIs through LoadLibraryA() and GetProcAddress()’).
  • [T1543.003] Create or Modify System Process: Windows Service – It created a malicious service for persistence (‘create a service named MixedSvc’ and ‘set to start automatically at system boot’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Registry operations were used for configuration or persistence-related values (‘performs registry operations using RegOpenKeyExA(), RegCreateKeyExA(), and RegSetValueExA()’). The summary does not name the key that is written, so treat the Run-key mapping as tentative; the confirmed persistence mechanism is the MixedSvc service.
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – The malware relaunched itself with elevated privileges using the runas verb (‘relaunches itself using ShellExecuteW() with the “runas” verb, triggering a UAC prompt’). Note that this path shows an interactive UAC consent prompt rather than silently bypassing UAC, so elevation depends on the victim approving it; a UAC prompt from a process named like an ITR utility is itself a detection opportunity.
  • [T1027] Obfuscated Files or Information – Strings were XOR-obfuscated and payloads were concealed in image files (‘de-obfuscating several strings using a simple XOR operation’ and ‘background.jpg serves as a container for embedded malicious payloads’).
  • [T1140] Deobfuscate/Decode Files or Information – The sample decrypted strings and payloads before execution (‘decrypts an embedded .NET assembly’ and ‘applied to the extracted data’).
  • [T1055] Process Injection – The malware injected payloads into remote processes such as svchost.exe (‘creates a remote thread within the target process’ and ‘searches specifically for svchost.exe’).
  • [T1620] Reflective Code Loading – The .NET assembly was loaded and executed directly from memory (‘loaded directly into memory via AppDomain::Load_3()’ and ‘fully fileless execution’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The malware patched AMSI in memory to disable scanning of the in-memory .NET payload (‘patches the AmsiOpenSession() function in memory’).
  • [T1036] Masquerading – It disguised files, services, and paths as legitimate Windows/GoI components (‘Windows Mixed Reality Service’ and ‘Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip’).
  • [T1497] Virtualization/Sandbox Evasion – The malware used timing checks and sleep-based tricks to evade sandboxes (‘detect sandbox acceleration, debugger interference, or API hooking’ and ‘sleeps forever when it believes it is running in a VM’).
  • [T1082] System Information Discovery – The malware collected detailed host data (‘collects a wide range of host information, including the victim’s hardware identifier, username, operating system version and architecture’).
  • [T1057] Process Discovery – It enumerated running processes to locate svchost.exe (‘enumerates running processes using CreateToolhelp32Snapshot()’).
  • [T1518.001] Software Discovery: Security Software Discovery – It checked installed antivirus products during victim profiling (‘installed antivirus products’).
  • [T1033] System Owner/User Discovery – It gathered the username and privilege level (‘username’ and ‘privilege level’).
  • [T1010] Application Window Discovery – It collected the active window title during registration (‘active window title’).
  • [T1113] Screen Capture – Payload B included desktop capture capability for screenshots (‘capture the victim’s screen’).
  • [T1005] Data from Local System – The malware read local files and gathered data for staging/exfiltration (‘reads data from C:\Windows\background.jpg’ and ‘collected data’).
  • [T1573] Encrypted Channel – C2 traffic was protected using SSL/TLS (‘creates an SSL/TLS stream … indicating that all subsequent communications with the C2 server are encrypted’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Listed by the report for the C2 transport (‘SSL/TLS stream over the existing TCP socket’). The quoted behaviour is TLS wrapped around a raw TCP socket to port 2671 with serialized, compressed payloads, which is a custom RAT protocol rather than HTTP, so the Web Protocols mapping is inferred and network detections should not assume HTTP semantics.
  • [T1095] Non-Application Layer Protocol – The implant used raw TCP socket communication in its C2 setup (‘over the existing TCP socket’).
  • [T1568] Dynamic Resolution – The malware repeatedly resolved its hardcoded C2 domain to obtain working IPs (‘repeatedly resolving the hardcoded command-and-control (C2) domain kkxqbh.top’).
  • [T1041] Exfiltration Over C2 Channel – Collected host data was sent through the encrypted C2 channel (‘serialized … and compresses it … then sent through the previously established TLS-encrypted communication channel’).

Indicators of Compromise

  • [Domain/URL] phishing lure and C2 infrastructure – govtop[.]one/incometax, kkxqbh[.]top
  • [IP address] payload delivery and C2 – 204.194.48.250, 223.26.63.40:2671
  • [IP address] related infrastructure seen during pivoting – 118.107.0.197, 27.50.54.191
  • [IP address] resolved C2 infrastructure in China – 117.44.201.119
  • [File name] malicious archive and staged payloads – Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip, COU_ITR-1_to_4_AY2026-27.exe
  • [File name] DLL and disguised image container – nvdaHelperRemote.dll, C:\Windows\background.jpg
  • [File name] persistence target – C:\Program Files\Windows Media Player\Mixed Reality.exe, C:\Program Files\Windows Media Player\nvdaHelperRemote.dll
  • [File name] debug/status artifact – C:\debug.txt
  • [Hash] sample and related payload hashes – 2f2f8f92af86fb962c30c4c1c9d673f9d94886373d0fcf78f8d105c051ffc643, 1787d1119cd3b40e0e5f19d62821958b7d5c2bbe0518bf1e3fb2e44fdeb4fa58, and 29 other hashes listed in the full report
  • [Domain names] related infrastructure cluster – Ikkkkddd[.]com, 1kkkkddd[.]com, simaqz[.]com, jiayingjing[.]com
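As an added example (written for this summary, not Seqrite's code and not taken from the report), the following Python hunting rules turn the host and network indicators above into checks over Sysmon-style telemetry: the MixedSvc service creation via sc.exe, execution of the ITR-utility lure, the reported drop paths, lookups of the C2 domains, and connections to the C2 IPs (with 223.26.63.40:2671 matched on port as well). The sample events are constructed for the example, the JSON field names follow Sysmon's (EventID, Image, CommandLine, TargetFilename, QueryName, DestinationIp, DestinationPort), and the one-JSON-object-per-line log shape is an assumption; adapt the field mapping to your pipeline.

```python
"""Hunting rules for the Operation DragonReturn indicators (added example).

Assumption: logs arrive as one JSON object per line with Sysmon field names.
Sample events below are constructed, not real telemetry.
"""
import json
from dataclasses import dataclass

# Indicators from the report (all comparisons are case-insensitive).
C2_DOMAINS = {"govtop.one", "kkxqbh.top"}
C2_IPS = {"204.194.48.250", "223.26.63.40", "117.44.201.119"}
C2_PORT = 2671
SERVICE_NAME = "mixedsvc"
DISPLAY_NAME = "windows mixed reality service"
DROP_PATHS = {p.lower() for p in (
    r"C:\Program Files\Windows Media Player\Mixed Reality.exe",
    r"C:\Program Files\Windows Media Player\nvdaHelperRemote.dll",
    r"C:\Windows\background.jpg",
    r"C:\debug.txt",
)}
LURE_NAMES = {"common_offline_utility_itr-1_to_4_ay2026-27.zip",
              "cou_itr-1_to_4_ay2026-27.exe"}


@dataclass(frozen=True)
class Hit:
    rule: str
    technique: str
    event_id: int


def evaluate(ev):
    """Return the Hits a single parsed event triggers (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if eid == 1:  # process creation
        # sc.exe creating the MixedSvc service; 'create' keeps 'sc query' quiet
        if image.endswith("\\sc.exe") and "create" in cmd and (
                SERVICE_NAME in cmd or DISPLAY_NAME in cmd):
            hits.append(Hit("service_create_mixedsvc", "T1543.003", eid))
        # launcher named like the offline ITR utility
        if any(image.endswith("\\" + n) for n in LURE_NAMES):
            hits.append(Hit("itr_utility_lure_executed", "T1204.002", eid))
        # anything running from, or referencing, a reported drop path
        if image in DROP_PATHS or any(p in cmd for p in DROP_PATHS):
            hits.append(Hit("known_drop_path", "T1036", eid))
    elif eid == 3:  # network connection
        if ev.get("DestinationIp") in C2_IPS:
            rule = "c2_ip_port" if ev.get("DestinationPort") == C2_PORT else "c2_ip"
            hits.append(Hit(rule, "T1573", eid))
    elif eid == 22:  # DNS query; match the domain and any subdomain of it
        q = ev.get("QueryName", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
            hits.append(Hit("c2_domain_lookup", "T1568", eid))
    elif eid == 11:  # file create
        if ev.get("TargetFilename", "").lower() in DROP_PATHS:
            hits.append(Hit("drop_path_file_create", "T1036", eid))
    return hits


def hunt(lines):
    """Run every rule over an iterable of JSON log lines, skipping bad lines."""
    out = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        out.extend(evaluate(ev))
    return out


# Constructed sample events shaped like Sysmon fields (not real telemetry).
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"EventID": 1, "Image": r"C:\Users\victim\Downloads\COU_ITR-1_to_4_AY2026-27.exe",
     "CommandLine": r'"C:\Users\victim\Downloads\COU_ITR-1_to_4_AY2026-27.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create MixedSvc binPath= "C:\Program Files\Windows Media Player\Mixed Reality.exe" start= auto DisplayName= "Windows Mixed Reality Service"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query wuauserv"},                 # benign, must not fire
    {"EventID": 11, "TargetFilename": r"C:\Windows\background.jpg"},
    {"EventID": 22, "QueryName": "kkxqbh.top"},
    {"EventID": 22, "QueryName": "www.incometax.gov.in"},  # legitimate, must not fire
    {"EventID": 3, "DestinationIp": "223.26.63.40", "DestinationPort": 2671},
    {"EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": 53},
)]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h.technique:10} {h.rule} (EventID {h.event_id})")
```

The sc.exe rule requires both the `create` verb and the service or display name, so routine `sc query` activity does not fire, and the sc.exe command line in the sample also trips the drop-path rule because it references the Mixed Reality.exe binary path. The DNS rule matches subdomains of the C2 domains as well as the apex, since the report shows the lure served from a path under govtop[.]one and the implant resolving kkxqbh[.]top repeatedly.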


Read more: https://www.seqrite.com/blog/operation-dragonreturn-china-nexus-cyber-espionage-campaign-targeting-govt-of-india-mof-tax-infrastructure-via-multi-stage-dcrat-deployment/