Indian Income Tax-Themed Phishing Campaign Targets Local Businesses

    Date: 12/29/2025

    Severity: High

    Summary

    A recent phishing campaign targeting Indian businesses uses Income Tax Return (ITR) themes to look legitimate. The attackers impersonate the Indian Income Tax Department (ITD) with fake “Tax Compliance Review Notice” emails, timed to exploit public concern around refund timelines. The emails start a multi-stage infection chain that ultimately delivers a Remote Access Trojan (RAT) or infostealer, giving the attacker persistent access to the host and a path to steal credentials and data. The campaign is a reminder that seasonal tax events are abused by threat actors to raise the success rate of phishing against local organizations, so filing and refund periods deserve tighter mail filtering and user awareness.

    Indicators of Compromise (IOC) List

    URLs/Domains

    https://www.akjys.top/

    https://154.91.84.3:48991

    https://154.91.84.3:48992

    https://154.91.84.3:3898

    IP Addresses

    154.91.84.3

    45.113.192.102

    103.235.46.102

    Hashes (MD5)

    4001854be1ae8e12b6dda124679a4077

    f00f824fcafba9b26675ae8242f0b6a0

    Hashes (SHA-1)

    2b43cba0dbe81a30cd71bebf52659c9bbd0958c4

    0ab21fff353d17bddedc526e7a01cf01799d2b3b

    Hashes (SHA-256)

    0efdf43cfefeb88c3092bd797d91b52e850ac15faa685865d1a2fa677528100f

    be6663a5e76b6b9490316dcd2149699fa20a529819a4889c67e9dc65864531a2

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (URLs and domains):

    domainname like "https://www.akjys.top/" or siteurl like "https://www.akjys.top/" or url like "https://www.akjys.top/" or domainname like "https://154.91.84.3:3898" or siteurl like "https://154.91.84.3:3898" or url like "https://154.91.84.3:3898" or domainname like "https://154.91.84.3:48991" or siteurl like "https://154.91.84.3:48991" or url like "https://154.91.84.3:48991" or domainname like "https://154.91.84.3:48992" or siteurl like "https://154.91.84.3:48992" or url like "https://154.91.84.3:48992"

    Note: with no wildcard, "like" matches the literal string only, so this query finds an exact request to https://www.akjys.top/ but not one with a path or query string appended, and a domainname field that stores the bare host (www.akjys.top) rather than a full URL will not match at all. Check how your schema populates these fields, and widen the match to the bare hostname and to the IP 154.91.84.3 where needed; Query 2 covers the IP for events that carry it as an address rather than inside a URL.

    Detection Query 2 (IP addresses):

    dstipaddress IN ("154.91.84.3","103.235.46.102","45.113.192.102") or srcipaddress IN ("154.91.84.3","103.235.46.102","45.113.192.102")

    Detection Query 3 (MD5):

    md5hash IN ("4001854be1ae8e12b6dda124679a4077","f00f824fcafba9b26675ae8242f0b6a0")

    Note: hex digests are case-insensitive, but string comparison in the query may not be. The second MD5 is published in uppercase; if your hash fields are stored in uppercase, or in mixed case, normalize the field (or include both spellings) so the match does not silently fail.

    Detection Query 4 (SHA-1):

    sha1hash IN ("0ab21fff353d17bddedc526e7a01cf01799d2b3b","2b43cba0dbe81a30cd71bebf52659c9bbd0958c4")

    Detection Query 5 (SHA-256):

    sha256hash IN ("0efdf43cfefeb88c3092bd797d91b52e850ac15faa685865d1a2fa677528100f","be6663a5e76b6b9490316dcd2149699fa20a529819a4889c67e9dc65864531a2")

    Reference: 

    https://www.seqrite.com/blog/indian-income-tax-themed-phishing-campaign-targets-local-businesses/


    Tags: Malware, Phishing, Financial Services, RAT, Infostealer, Data Stealer
