Operation DragonReturn: China-Nexus Campaign Targeting India's Tax Infrastructure via DcRAT

    Date: 06/29/2026

    Severity: High

    Summary

    Researchers actively track and analyze threat actors and their campaigns, with a focus on attribution, infrastructure analysis, and adversary tradecraft. During our latest investigation, we identified a campaign exhibiting operational and technical characteristics consistent with a China-nexus threat cluster. The campaign shares multiple TTPs with a prominent cyber-espionage group known for targeting organizations across Asia through the deployment of RAT-based malware. 

    Indicators of Compromise (IOC) List

    Domains/URLs:

    govtop.one/incometax

    Ikkkkddd.com

    Kkxqbh.top

    IP Address:

    204.194.48.250

    118.107.0.197

    27.50.54.191

    223.26.63.40

    Hash:

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "Kkxqbh.top" or url like "Kkxqbh.top" or siteurl like "Kkxqbh.top" or domainname like "Ikkkkddd.com" or url like "Ikkkkddd.com" or siteurl like "Ikkkkddd.com" or domainname like "govtop.one/incometax" or url like "govtop.one/incometax" or siteurl like "govtop.one/incometax"

    Detection Query 2 :

    dstipaddress IN ("118.107.0.197","223.26.63.40","204.194.48.250","27.50.54.191") or srcipaddress IN ("118.107.0.197","223.26.63.40","204.194.48.250","27.50.54.191")

    Detection Query 3 :

    sha256hash IN ("2f2f8f92af86fb962c30c4c1c9d673f9d94886373d0fcf78f8d105c051ffc643","4a040770fd81d0db9e04cb8dbd2e07e61969072962bb4e736b7c7001444cc2fa","40593369e14c9ab7b5e2fd186a580dbcd790ebb902f3aedc12c92cd617302960","db946f3f2b409370d14a6e69cf029f2818985f19320fa09b63bd3268dc830b02","fc17d5b4d64cb61a5aa8fb6bbe1e94885f129b2bf8ee91bca1ccca2b537f6616","6c774188a54ae07ae896abdf1ea6695cc29f529388888665e05322af3e9178e1","589aa1f7252cae74538343cd35443c0a8f58ed280f2016918b6e539a0c09529a","590a75978ab33a97280be1e2ae62a2e416ada45a11bc3f1cb77c99f3eb542b4e","879cfe23a96e822f3873fd90a37d548d7975ba0552ce28527d3d1e292000c59b","b0fcd7d9396e70b89e8292f6b80f933607b6fc9a9d3d4dd4ca69b408a2625932","2c0de3d5432d5a14cb03936a460ceb633b53a51881c4fa4f3dfa87fedef2148e","fdd9752f4bb03762828e2e2bb6ec26c5f05a664dc28e02457685ddb3650d3e95","34d1231a3bf1e13a9b90daecb5c74d52aea94ca54427b203d77e1adc61a5c4f9","19ca5fe04ca45a18c5bad9658ff73a8f39fe20ced78f690595f1b4c5a90af324","5a00485968679dc0ed6d80b659f48287603864c223e952918d2c2aaddfa2d280","eccff5c026a01cbe91db45cd0289f8822985aa5183f096d8add69762696d100d","8ed95259300ca268279867d2999d9c4f6585c6c45308635fc39af87da27546b5","7e142c8fa614cc39d0453aa648b12209821c6bcbb77ee02094f70161b40d50ae","c6fc06db6a1318152c09200352b40c8fa794f1089988835c1df92174347be8ec","6751ad8d0aeb6ac67cd54ea42657ce1f16addc3e3111f9e60b11931ebf58e77d","133e4d3f1dcd99a35fec92ad13bafa3790b6d585f8ec46527fe0ae01da98ad22","9e73cd733707e5f7c9091147b029a6974b985d6c90a9cc2cb47bc0ae8a0f9245","1787d1119cd3b40e0e5f19d62821958b7d5c2bbe0518bf1e3fb2e44fdeb4fa58","a8614dfad5fd2a79302a7c4829a0fed6f3a0a46b11beb28f89531cdfa83d32b3","03d2b73ecde0575a1e5ea24d6e4f12987cc081c0bc22dadf8c4219e8e38ca6e0","696f6a1a0fbf7b4ff977cc36382f6d2bc6d7813ed84b0195d925d1f46c24568c","c6651d6ce31c3a00357e579981d48c0da942b5bbe1582bf3d612a07dc3bc0ff6","ec5d4103b3d97885e9575ad045b2ef5467bf9fccf71828e418e6488d78983146","8673ce317876e6c3fe868c98524a3b2ae86a79b737536b865f044a52d16a7193","2f72f4b71e33c80f122dbe5360a8d687577260567d4b59cf8c07ee2182e8ceba","e6346e3087db2bfba4551fcf89d94ae49aa92dc22f0ec2b718187a96e3a3b83c","5e97f7c17bf0466355be0438c7cc3e2e4d125e31368f2fbcb8e1d79cb97f137a","6c9ae8a979ad18da2927ae4fdbd73d3c870ead4ea3d437656a3bdcc81b85a050","b4fb231356254426e340ab1dba50fa37a69859fc4e8a2dbdfc3e1db082006847")
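
An added example, not part of the original advisory or of Gurucul's tooling: the domain, URL and IP matching that Detection Queries 1 and 2 express, written as a Python function and run over constructed log events. It normalizes case and trailing dots, matches subdomains without matching look-alike suffixes, and treats govtop.one/incometax as host plus path prefix; the event field names come from the queries, everything else is an assumption.

```python
from urllib.parse import urlsplit

# Indicators copied from the advisory's domain/URL and IP lists.
DOMAIN_IOCS = {"ikkkkddd.com", "kkxqbh.top"}
URL_IOCS = [("govtop.one", "/incometax")]  # (host, path prefix)
IP_IOCS = {"204.194.48.250", "118.107.0.197", "27.50.54.191", "223.26.63.40"}

def _host_path(value):
    """Split a logged domain or URL into (lowercase host, path)."""
    value = value.strip()
    parts = urlsplit(value if "://" in value else "//" + value)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    return host, parts.path or "/"

def _host_matches(host, ioc):
    # Exact host or a subdomain of it, never a look-alike suffix.
    return host == ioc or host.endswith("." + ioc)

def match_event(event):
    """Return the sorted list of indicators that one log event matches."""
    hits = set()
    for field in ("domainname", "url", "siteurl"):
        if not event.get(field):
            continue
        host, path = _host_path(event[field])
        hits.update(d for d in DOMAIN_IOCS if _host_matches(host, d))
        for ioc_host, prefix in URL_IOCS:
            # The advisory lists a URL, so the bare host alone is not flagged.
            if _host_matches(host, ioc_host) and path.lower().startswith(prefix):
                hits.add(ioc_host + prefix)
    for field in ("srcipaddress", "dstipaddress"):
        ip = (event.get(field) or "").strip()
        if ip in IP_IOCS:
            hits.add(ip)
    return sorted(hits)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"domainname": "KKXQBH.TOP.", "dstipaddress": "203.0.113.10"},
    {"url": "https://govtop.one/incometax/login?x=1", "dstipaddress": "118.107.0.197"},
    {"domainname": "govtop.one", "dstipaddress": "198.51.100.7"},
    {"domainname": "notkkxqbh.top", "srcipaddress": "192.0.2.5"},
    {"siteurl": "cdn.Ikkkkddd.com/a.js", "srcipaddress": "27.50.54.191"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(match_event(ev), ev)
```

The third sample event shows why the URL indicator needs a field that records the path: a source that logs only the domain name cannot match govtop.one/incometax.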

    Reference:   

    https://www.seqrite.com/blog/operation-dragonreturn-china-nexus-cyber-espionage-campaign-targeting-govt-of-india-mof-tax-infrastructure-via-multi-stage-dcrat-deployment/ 


    Tags

    Malware, Threat Actor, China-Nexus, Government Services and Facilities, China, DCRAT, Financial Services, Cyber Espionage, Asia, India
