thehackernews.com 1/26/2026, 5:46:08 PM · via preferred

Indian Users Targeted in Tax Phishing Campaign Delivering Blackmoon Malware

Cybersecurity researchers have identified an ongoing campaign, reported on 26 January 2026, that targets Indian users with a multi-stage backdoor as part of a suspected cyber espionage operation. The campaign uses phishing emails that impersonate the Income Tax Department of India to coax victims into downloading a malicious archive, enabling persistent access for monitoring and data exfiltration.

The attack aims to deploy a variant of the Blackmoon banking trojan (aka KRBanker) alongside SyncFuture TSM, a legitimate enterprise tool developed by Nanjing Zhongke Huasai Technology Co., Ltd. The researchers emphasise that the campaign has not been attributed to any known threat actor or group.

The ZIP payload contains multiple files, including an executable used to sideload a malicious DLL, which then fetches a next-stage payload and attempts to evade detection by masquerading as the legitimate explorer[.]exe process and, where possible, by adjusting Avast’s exclusion list.
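For defenders, one way the explorer.exe masquerading described above can surface in process-creation telemetry is a process named explorer.exe running from outside the Windows directory. The Python below is an added example, not code from the article or the researchers; it assumes Sysmon-style events flattened to JSON lines with Image, ParentImage and Computer fields and %SystemRoot% at C:\Windows, and the sample events are constructed.

```python
import json
import ntpath

# Assumption: %SystemRoot% is C:\Windows on the monitored hosts.
TRUSTED = {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"}

def normalise(path):
    """Lower-case, drop quotes and the \\?\ prefix, and collapse '..' segments
    so cosmetic path tricks neither hide nor fake a match."""
    p = path.strip().strip('"').replace("/", "\\")
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return ntpath.normpath(p).lower()

def find_fake_explorer(json_lines):
    """Return one record per process whose image is named explorer.exe
    but does not live in a trusted system location."""
    hits = []
    for line in json_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed log lines instead of aborting the scan
        image = normalise(str(event.get("Image", "")))
        if ntpath.basename(image) == "explorer.exe" and image not in TRUSTED:
            hits.append({"host": event.get("Computer"),
                         "image": image,
                         "parent": event.get("ParentImage")})
    return hits

# Constructed sample events (host names, user name and paths are illustrative).
SAMPLE_EVENTS = [
    r'{"Computer": "WS-01", "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe"}',
    r'{"Computer": "WS-02", "Image": "C:\\Users\\user1\\AppData\\Local\\Temp\\extracted\\explorer.exe", "ParentImage": "C:\\Users\\user1\\AppData\\Local\\Temp\\extracted\\setup.exe"}',
    r'{"Computer": "WS-03", "Image": "C:\\WINDOWS\\System32\\..\\Explorer.EXE", "ParentImage": "C:\\Windows\\System32\\userinit.exe"}',
    r'{"Computer": "WS-04", "Image": "\"C:\\ProgramData\\explorer.exe\"", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    'truncated log line {',
]

if __name__ == "__main__":
    for hit in find_fake_explorer(SAMPLE_EVENTS):
        print(f'{hit["host"]}: {hit["image"]} (parent: {hit["parent"]})')
```

A path check like this does not cover code injected into the genuine explorer.exe process, so it complements rather than replaces memory and module-load monitoring.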


Article by CyberSIXT