China-Nexus APT Targets India With Fake Tax Assessment Campaign Using DLL Hijacking

    Date: 07/07/2026

    Severity: High

    Summary

    Researchers identified a social engineering campaign impersonating the Indian Income Tax Department to deliver the ValleyRat Remote Access Trojan (RAT) through a multi-stage infection chain involving a malicious VHDX, DLL SideLoading, and encrypted in-memory payload execution. The malware employs advanced defense-evasion techniques, including runtime string decryption, API hashing, process injection, and registry persistence, while dynamically downloading additional encrypted modules from its C2 server to extend functionality. The campaign highlights the increasing use of government-themed phishing, layered malware delivery, and fileless execution to evade detection and establish persistent remote access to compromised systems.

    Indicators of Compromise (IOC) List   

    Domain/URLs

    kjfuwyce.love

    IP Address

    103.97.131.179

    Hash

    94e6207758ec4271b1f0a08be1b8d3eb

    05c6e04d7feec7ba9c19c6a276c58560

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "kjfuwyce.love" or url like "kjfuwyce.love" or siteurl like "kjfuwyce.love"

    Detection Query 2 :

    dstipaddress IN ("103.97.131.179") or srcipaddress IN ("103.97.131.179")

    Detection Query 3 :

    md5hash IN ("05c6e04d7feec7ba9c19c6a276c58560","94e6207758ec4271b1f0a08be1b8d3eb")

    Reference:  

    https://cyberarmor.tech/blog/china-nexus-apt-india-tax-assessment-dll-hijacking


    Tags

    MalwareThreat ActorChina-NexusAPTValleyRATRATGovernment Services and FacilitiesPhishingSocial EngineeringFinancial ServicesDLLSideLoadingIndia

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags