Key Points
- Malware campaign impersonating the Indian Ministry of Finance and Income Tax Department
- Low-volume, strategically targeted campaign predominantly spanning the financial services, professional services, and corporate services sectors, aimed at UK and US businesses with an entity in India
- VBS script downloads and executes malicious payload from compromised infrastructure
- Emails predominantly originate from Japanese ASNs, using outdated email clients and non-authenticated mail servers
Campaign Overview
The Mimecast Threat Research team has identified an ongoing malware campaign that leverages fraudulent office memorandums impersonating the Income Tax Department, Government of India. Targeted organizations typically have Indian subsidiaries and a UK- or US-based head office. Analysis reveals that the threat actors demonstrate sophisticated target selection, focusing on medium-to-large enterprises (typically 1,000+ employees) in B2B sectors, particularly financial services, professional services, and corporate administration.
Active since October 2025, this campaign employs social engineering tactics designed to exploit the urgency associated with tax compliance and potential penalties. Recipients receive emails containing links that purportedly list the various tax violations attributed to their business.
Key email attributes
- Japanese Infrastructure: Emails originate from IP addresses associated with Japanese Autonomous System Numbers, suggesting compromised systems or deliberate infrastructure choices to evade regional security controls.
- Legacy Email Clients: Email headers reveal the use of Foxmail and outdated versions of Microsoft Outlook (indicated by X-Mailer values), which may help bypass modern email security controls that focus on current threat patterns.
- Scheme-less URLs: Malicious links sometimes appear without a standard URL scheme (missing "http://" or "https://"), potentially evading basic URL filtering mechanisms.
- Unauthenticated Sending: Messages originate from mail servers requiring no authentication, a characteristic that enables easier spoofing but also provides detection opportunities.
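The four header and body traits listed above can be checked mechanically at the gateway or in a triage script. The following is an added example, not Mimecast's tooling or anything from the campaign itself: it parses a constructed sample message (every host, address, IP and version string is made up) and flags a legacy X-Mailer, a scheme-less link in the body, an impersonating sender display name, and an unauthenticated first hop. The first-hop check is a heuristic of this example: it reads the earliest Received header and treats the RFC 3848 keywords ESMTPA/ESMTPSA as authenticated submission and plain SMTP/ESMTP/ESMTPS as unauthenticated. The Outlook version threshold (major version below 16, i.e. older than Outlook 2016) is likewise an assumption chosen for the example, and ASN lookup is left out because it needs external data.

```python
import re
from email import message_from_string

# Constructed sample message reproducing the traits described in the article.
# Every host, address, IP and version string here is made up for the example.
SAMPLE_EMAIL = """\
Received: from mail.example-sender.invalid (mail.example-sender.invalid [203.0.113.45])
 by mx.example-target.invalid with ESMTPS id abc123
Received: from [192.0.2.77] (unknown [192.0.2.77])
 by mail.example-sender.invalid with ESMTP id xyz789
From: "Income Tax Department" <notice@example-sender.invalid>
To: finance@example-target.invalid
Subject: Office Memorandum - Tax Compliance Notice
X-Mailer: Foxmail 7.2
Content-Type: text/plain; charset=utf-8

Dear Taxpayer,
The violations recorded against your entity can be reviewed at
portal-notice.example-sender.invalid/memo/view.
Failure to respond within 7 days will attract penalties.
"""

# A dotted host name followed by a path, not preceded by "://" (which would
# make it an ordinary URL with a scheme). Requiring a path keeps plain
# domain mentions and e-mail addresses from being reported.
SCHEMELESS_URL = re.compile(
    r"(?<!://)\b([a-z0-9-]+(?:\.[a-z0-9-]+)+/[^\s<>\"']*)", re.IGNORECASE
)
# Outlook writes its major version into X-Mailer ("Microsoft Outlook 14.0" is
# Outlook 2010). Assumption for this example: anything below 16 is outdated.
OUTLOOK_VERSION = re.compile(r"Microsoft Outlook\s+(\d+)\.", re.IGNORECASE)
CURRENT_OUTLOOK_MAJOR = 16


def _unfold(value: str) -> str:
    """Collapse a folded header value onto one line."""
    return " ".join(value.split())


def legacy_mailer(x_mailer):
    """True for Foxmail or an Outlook older than the threshold above."""
    if not x_mailer:
        return False
    if "foxmail" in x_mailer.lower():
        return True
    m = OUTLOOK_VERSION.search(x_mailer)
    return bool(m) and int(m.group(1)) < CURRENT_OUTLOOK_MAJOR


def unauthenticated_first_hop(received):
    """Heuristic: the earliest Received header (last in the list) used plain
    SMTP/ESMTP/ESMTPS rather than an authenticated submission (ESMTPA/ESMTPSA)."""
    if not received:
        return False
    earliest = _unfold(received[-1])
    m = re.search(r"\bwith\s+(E?SMTPS?A?)\b", earliest, re.IGNORECASE)
    return bool(m) and not m.group(1).upper().endswith("A")


def schemeless_urls(body):
    """Return body links written without http:// or https://, trailing punctuation removed."""
    return [u.rstrip(".,;:)") for u in SCHEMELESS_URL.findall(body)]


def impersonates_tax_department(from_header):
    """True when the display name claims to be the Income Tax Department."""
    return "income tax" in (from_header or "").lower()


def assess(raw_message):
    """Run all checks over one raw RFC 5322 message and count the hits."""
    msg = message_from_string(raw_message)
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    findings = {
        "legacy_mailer": legacy_mailer(msg.get("X-Mailer")),
        "unauthenticated_first_hop": unauthenticated_first_hop(msg.get_all("Received") or []),
        "schemeless_urls": schemeless_urls(body),
        "gov_lure": impersonates_tax_department(msg.get("From")),
    }
    findings["indicators"] = sum(
        1 for k in ("legacy_mailer", "unauthenticated_first_hop", "gov_lure") if findings[k]
    ) + (1 if findings["schemeless_urls"] else 0)
    return findings


if __name__ == "__main__":
    for key, value in assess(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

None of these indicators is conclusive on its own (Foxmail has legitimate users, and a mailing list may rewrite links), so the script counts them rather than blocking on any single one; a gateway rule would typically quarantine or tag only when several coincide.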
Once the user clicks the link, they are taken to a landing page that mimics official government communications.
Dimakatso Makinta