Mimecast’s Threat Research team has uncovered an active and highly targeted malware campaign impersonating the Indian Ministry of Finance and Income Tax Department. Active since October 2025, the operation specifically targets multinational organisations headquartered in the UK and US with operations or subsidiaries in India – delivering dangerous payloads designed for data theft and long-term system compromise.
This latest assault follows a disturbing surge in tax-related cyber frauds throughout 2025, including widespread phishing scams promising fake income tax refunds (often ₹50,000–₹60,000) that tricked victims into sharing bank details, and a November 2025 zero-day campaign that impersonated the Income Tax Department to deliver AsyncRAT malware. The Income Tax Department itself has repeatedly warned taxpayers about rising fake emails, SMS, and fraudulent websites exploiting filing season urgency.
Cybercriminals are now sending deceptive “office communications” alleging serious tax violations under Section 271(1)(c) of the Income Tax Act – claiming concealment of income or inaccurate filings. These emails create intense pressure by demanding recipients review “violations” within 72 hours via an embedded link.
“These attacks are engineered to exploit the high-stakes world of corporate tax compliance,” said Nicky Choo, Vice President and General Manager, APAC at Mimecast. “Finance and compliance teams are under constant pressure, and these messages mimic exactly the kind of urgent government notice that demands immediate attention. This isn’t opportunistic spam – it’s a precision strike on cross-border organisations.”
To evade detection, attackers route emails through compromised Japanese infrastructure, use outdated mail clients like Foxmail or legacy Outlook versions, and craft links without “http://” or “https://” prefixes to bypass basic security filters. Many messages originate from unauthenticated servers, enabling easy spoofing of official government addresses.
Clicking the link directs victims to a convincing fake government webpage (bilingual in Hindi and English) with a “Download Documents” button. This triggers a Visual Basic script posing as a tax notice, which silently establishes persistence, creates hidden folders, and downloads a second-stage payload – often the XRed trojan. This advanced malware enables remote control, data exfiltration, and further infections.
Highest-Risk Organisations:
- Multinationals with Indian subsidiaries or dedicated tax/compliance functions in India
- Companies headquartered in the United Kingdom or United States
- Sectors including financial services, professional services, manufacturing, and supply chain management
Malicious infrastructure includes domains such as googlevip[.]shop, dadasf[.]qpon, googleaxc[.]shop, and googlem[.]com, along with known XRed trojan file hashes.
Immediate Protective Steps Recommended by Mimecast:
- Educate Teams: Reinforce that India’s Income Tax Department never initiates penalties or demands action via email links to downloadable scripts/executables. Treat any such request as fraudulent.
- Verify Independently: Always confirm unexpected notices through official government portals (incometaxindia.gov.in) or verified contact channels – never via email links or attachments.
- Threat Hunt Actively: Scan email, web, and endpoint logs for indicators like Japanese-hosted senders, scheme-less URLs, suspicious VBS files, or unusual directories (e.g., C:\SystemUpdates).
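The hunting indicators listed above can be turned into a first-pass scan over email and endpoint logs. The script below is an added example written for this article; it is not Mimecast's code or its detection signatures. It assumes a constructed one-event-per-line key=value log format with field names (type, sender_country, spf, dkim, x_mailer, body, cmdline, path) that will differ from a real SIEM or EDR export; the domain list is taken from the advisory's own indicators, and since the advisory does not print the XRed file hashes it refers to, no hashes are included. The sample events are constructed for the demonstration.

```python
"""Scan constructed email/endpoint events for the indicators the advisory names."""
import re

# Domains published in the advisory, stored defanged and refanged for matching.
ADVISORY_DOMAINS = {d.replace("[.]", ".") for d in (
    "googlevip[.]shop", "dadasf[.]qpon", "googleaxc[.]shop", "googlem[.]com")}
SUSPICIOUS_DIR = r"c:\systemupdates"          # compared case-insensitively
LEGACY_MAILERS = ("foxmail",)                  # extend with Outlook builds you treat as out of support

# hostname followed by a path with nothing URL-like in front of it; "http://host/x"
# puts "/" before the host, so the lookbehind excludes scheme-prefixed links.
SCHEMELESS_URL_RE = re.compile(
    r"(?<![\w/.:@-])((?:[a-z0-9-]+\.)+[a-z]{2,})(/[^\s\"'<>]*)", re.I)
# wscript/cscript launching a .vbs file
VBS_RE = re.compile(r"\b[wc]script\.exe\b.*?\.vbs\b", re.I)


def parse_event(line):
    """Parse 'key=value key2="value with spaces"' into a dict (constructed format)."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def find_schemeless_urls(text):
    """Return host/path links that carry no http:// or https:// prefix."""
    return [host + path for host, path in SCHEMELESS_URL_RE.findall(text)]


def hunt_email(ev):
    findings = []
    for url in find_schemeless_urls(ev.get("body", "")):
        host = url.split("/", 1)[0].lower()
        kind = "advisory_domain" if host in ADVISORY_DOMAINS else "schemeless_url"
        findings.append((kind, url))
    if ev.get("sender_country", "").upper() == "JP":
        findings.append(("japan_hosted_sender", ev.get("sender_ip", "")))
    if ev.get("spf") == "none" or ev.get("dkim") == "none":
        findings.append(("unauthenticated_sender", ev.get("from", "")))
    mailer = ev.get("x_mailer", "").lower()
    if any(name in mailer for name in LEGACY_MAILERS):
        findings.append(("legacy_mail_client", ev["x_mailer"]))
    return findings


def hunt_endpoint(ev):
    findings = []
    cmd = ev.get("cmdline", "")
    if VBS_RE.search(cmd):
        findings.append(("vbs_execution", cmd))
    for field in ("cmdline", "path"):
        if SUSPICIOUS_DIR in ev.get(field, "").lower():
            findings.append(("suspicious_directory", ev[field]))
            break
    return findings


def hunt(lines):
    """Map 1-based line number -> [(indicator, evidence), ...] for lines with hits."""
    hits = {}
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev.get("type") == "email":
            found = hunt_email(ev)
        elif ev.get("type") == "process":
            found = hunt_endpoint(ev)
        else:
            found = []
        if found:
            hits[n] = found
    return hits


# Constructed sample events: one lure email, one benign email, one VBS launch, one benign process.
SAMPLE_LOGS = [
    'type=email from="notice@incometaxindia.gov.in" sender_ip=203.0.113.7 sender_country=JP '
    'spf=none dkim=none x_mailer="Foxmail 7.2" body="Review the violations under Section '
    '271(1)(c) within 72 hours: googlevip.shop/notice/review"',
    'type=email from="hr@example.org" sender_ip=198.51.100.4 sender_country=GB spf=pass '
    'dkim=pass x_mailer="Microsoft Outlook 16.0" body="Agenda at https://intranet.example.org/agenda"',
    'type=process host=FIN-LAPTOP-07 cmdline="wscript.exe C:\\SystemUpdates\\IT_Notice_271.vbs" '
    'path="C:\\SystemUpdates\\IT_Notice_271.vbs"',
    'type=process host=FIN-LAPTOP-07 cmdline="notepad.exe C:\\Users\\alice\\notes.txt" '
    'path="C:\\Users\\alice\\notes.txt"',
]

if __name__ == "__main__":
    for n, findings in hunt(SAMPLE_LOGS).items():
        for kind, evidence in findings:
            print(f"line {n}: {kind}: {evidence}")
```

A single scheme-less link or a Foxmail header is weak evidence on its own; the value of the scan is in lines where several indicators coincide, such as an unauthenticated Japanese-hosted sender carrying a link to one of the advisory's domains, or a VBS launched from C:\SystemUpdates.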
Mimecast has already integrated detection signatures for this campaign across its platform and continues monitoring evolving attacker tactics. As threat actors grow more selective and context-aware, exploiting human urgency over sheer volume, organisations must prioritise employee awareness and layered email security.