Operation DragonReturn is a cyber espionage campaign targeting Indian taxpayers and finance professionals, discovered in May 2026 by Seqrite Lab. Attackers use phishing emails impersonating the Income Tax Department to deliver malware via a fake tax notification. The attack chain combines DLL sideloading with a remote access trojan (specifically, DcRAT) to exfiltrate sensitive financial data while remaining undetected by antivirus software.
The campaign is attributed to a suspected threat cluster linked to China, although definitive state attribution is complex. Organizations are urged to enhance security measures, including vigilant email filtering and up-to-date endpoint security tools.