Tax notice lures fuel malware threat

Cybercriminals are exploiting tax-season anxiety by circulating fake Income Tax Department notices that push taxpayers and companies towards malware-laden downloads disguised as assessment orders and compliance documents.

The campaign uses official-looking emails and cloned tax portals to make recipients believe they are facing scrutiny over alleged violations, including concealment of income or inaccurate filings. Victims are directed to external websites that imitate government communication, where buttons labelled as assessment order downloads trigger malicious files instead of official documents.


Security researchers tracking the campaign have linked the activity to attacks active since October 2025, with fresh infrastructure flagged on 27 April 2026. The operation has focused not only on individual taxpayers but also on multinational organisations headquartered in the UK and the US with operations or subsidiaries in India, widening the risk from consumer fraud to corporate compromise.

The emails typically carry urgent language, telling recipients to review alleged tax violations within a short deadline. Some versions refer to Section 271 of the Income Tax Act, a provision associated with penalties for concealment of income or inaccurate particulars. That legal framing gives the messages a sense of authority and raises the likelihood that finance, compliance and administration staff will act quickly without independently verifying the communication.

Once users click through, they land on fake portals presented in Hindi and English, using logos, formal language and layouts designed to resemble official tax communication. One malicious domain identified in the campaign displayed the phrase “Official Tax Notice – Income Tax Department, India” and offered a button to “Download Assessment Order & Workings”. Instead of a legitimate document, the site served an archive file capable of initiating a multi-stage infection.

The malware chain shows the growing sophistication of tax-themed phishing. A Visual Basic script disguised as a notice can establish persistence on the victim’s device, create hidden folders and fetch second-stage payloads. Other samples use password-protected ZIP archives, NSIS droppers and malicious executables to deploy remote access trojans, giving attackers the ability to monitor infected machines, steal data and maintain long-term access.

One payload associated with the campaign is XRed, a backdoor malware family that has circulated for several years. It can collect usernames, device names, MAC addresses and other system information before sending the data to attacker-controlled servers. Its capabilities include keylogging, screenshot capture, command-line access, file listing, downloads and deletion, making it a serious threat to corporate networks and personal financial data.


The current activity follows a broader pattern of tax-themed cyber operations. Earlier campaigns used fake tax penalty notices to distribute Blackmoon malware and abused legitimate remote monitoring tools for persistence and data theft. Other attacks used embedded images in emails to evade text-based spam filters, fabricated document identification numbers and fake office references to make messages appear credible, and staged downloads that led users from a PDF lure to a fake compliance portal.

Attackers are also borrowing from standard fraud playbooks. Some malicious packages instruct users to disable antivirus software before opening files, falsely claiming that this step is required to use an Income Tax Department client or view protected documents. That tactic is designed to remove a key line of defence before the malware executes.

The threat has particular force because tax communication already involves deadlines, penalties and formal documentation. During filing and compliance periods, taxpayers are more likely to act on messages about refunds, assessments or mismatches in financial records. Businesses face added exposure because finance teams often handle high volumes of documents and may receive notices linked to multiple subsidiaries, vendors or employees.

Official guidance remains clear that taxpayers should not open attachments, click links or enter confidential details through unsolicited messages claiming to be from the tax department. Genuine communications should be verified only through the authenticated e-filing portal. Assessment orders and compliance notices are not delivered through random external domains or direct download links.

The campaign also underlines the need for companies to strengthen controls around tax and finance workflows. Email security filters, endpoint detection, attachment sandboxing and domain monitoring can reduce exposure, but staff awareness remains critical. Finance teams should treat unexpected notices, public webmail senders, compressed files, password-protected archives and instructions to disable security tools as warning signs.
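The warning signs listed above can be turned into a first-pass triage check on inbound mail. The following Python is an added example, not code from the article or from any vendor it cites; the trusted portal host, the public-webmail list, the risky extensions and the constructed sample message are all assumptions made for the illustration.

```python
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_HOSTS = {"incometax.gov.in"}  # assumption: the host the organisation treats as official
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
RISKY_EXTS = (".zip", ".rar", ".7z", ".vbs", ".exe", ".js")

def zip_is_encrypted(blob: bytes) -> bool:
    # Bit 0 of the general-purpose flag in the first local file header marks encryption.
    return len(blob) >= 8 and blob[:4] == b"PK\x03\x04" and bool(int.from_bytes(blob[6:8], "little") & 1)

def triage(msg: EmailMessage) -> list[str]:
    # Returns the warning signs found in one message; an empty list means none fired.
    found = []
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if sender_domain in PUBLIC_WEBMAIL:
        found.append("public webmail sender")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = f"{msg['Subject']}\n{body}".lower()
    if re.search(r"disable[^.\n]*(antivirus|anti-virus|defender|security)", text):
        found.append("asks to disable security tools")
    for host in re.findall(r"https?://([^/\s\"'>]+)", text):
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
            found.append(f"link to non-official domain {host}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTS):
            found.append(f"compressed or executable attachment {name}")
        if name.endswith(".zip") and zip_is_encrypted(part.get_payload(decode=True)):
            found.append(f"password-protected archive {name}")
    return found

def build_sample() -> EmailMessage:
    # Constructed lure modelled on the article's description; not a real campaign sample.
    msg = EmailMessage()
    msg["From"] = "Income Tax Department <assessment.notice@gmail.com>"
    msg["Subject"] = "Notice under Section 271 - respond within 48 hours"
    msg.set_content("Download Assessment Order & Workings: https://itd-notice.example.net/order\n"
                    "Disable antivirus before opening the ZIP to use the ITD client.\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Assessment_Order.vbs", "' placeholder text, not a script")
    blob = bytearray(buf.getvalue())
    blob[6] |= 1  # set the encryption flag to mimic a password-protected archive
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip", filename="Assessment_Order.zip")
    return msg
```

Running `triage(build_sample())` reports five of the warning signs on the constructed message; a genuine notice routed through the e-filing portal should trigger none of them.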

Taxpayers who receive suspicious messages should preserve the email headers where possible, report the communication to the designated authorities, and delete the message after reporting. For organisations, the safer response is to route any tax notice through legal, finance and information-security teams before opening attachments or interacting with embedded links.



Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.

