Originally published on satyamrastogi.com
Seqrite Labs identifies multi-stage DcRAT campaign impersonating India's Income Tax Department. Attackers exploit tax professional workflows to deliver remote access trojans capable of data exfiltration and lateral movement.
Operation DragonReturn: DcRAT Deployment via Fake ITR Utilities
Executive Summary
A China-nexus threat cluster is actively exploiting the predictable workflows of Indian tax professionals, corporate finance teams, and individual taxpayers through phishing campaigns distributing DcRAT (Dark Crystal Remote Access Trojan). Operation DragonReturn, as tracked by Seqrite Labs, demonstrates sophisticated understanding of Indian taxation cycles and organizational structures - critical operational intelligence required for high-success-rate social engineering.












