securityonline.info 1/26/2026, 1:46:03 AM

India Tax Scam Alert: “SyncFuture” Campaign Installs Chinese Surveillance Tool

A new campaign named “SyncFuture” has been uncovered targeting residents of India, disguising itself as a routine tax administration matter to gain long‑term access. Victims receive emails impersonating the Income Tax Department of India, often sent via SendGrid and demanding documents within 72 hours, a classic social‑engineering squeeze designed to trigger a download that initiates a multi‑stage infection chain.

The infection relies on DLL side‑loading, where a legitimate signed Microsoft application is coerced into loading a malicious DLL, with the malware later bypassing UAC and masquerading as explorer[.]exe to evade detection. It goes further by attempting to neutralise Avast Free Antivirus through automated UI interactions to add malicious files to the antivirus exclusion list, effectively whitelisting them.
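
As an added example (not from the original article or the report it cites), the sketch below flags two of the behaviours described above in Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records: an explorer.exe running from outside the Windows directory, and an unsigned DLL loaded from the same user-writable directory as its host executable. The event dictionaries, paths, file names and the writable-directory list are constructed assumptions.

```python
from ntpath import basename, dirname, normcase

# Legitimate explorer.exe locations on a default Windows install.
EXPLORER_PATHS = {normcase(p) for p in (r"C:\Windows\explorer.exe",
                                        r"C:\Windows\SysWOW64\explorer.exe")}
# Directories a standard user can write to (assumed list; tune per environment).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def check_event(ev):
    """Return findings for one Sysmon-style event given as a dict."""
    findings = []
    image = ev.get("Image", "")
    if ev.get("EventID") == 1:  # process creation
        if basename(image).lower() == "explorer.exe" and normcase(image) not in EXPLORER_PATHS:
            findings.append("explorer.exe running outside the Windows directory")
    elif ev.get("EventID") == 7:  # image (DLL) load
        dll = normcase(ev.get("ImageLoaded", ""))
        same_dir = dirname(dll) == dirname(normcase(image))
        if ev.get("Signed") == "false" and same_dir and dll.startswith(USER_WRITABLE):
            findings.append("unsigned DLL loaded from the host executable's user-writable directory")
    return findings

def scan(events):
    """Return (event index, finding) pairs for every suspicious event."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

# Constructed sample events; all paths and file names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\Documents\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Users\user\Downloads\docs\signed_host.exe",
     "ImageLoaded": r"C:\Users\user\Downloads\docs\placeholder.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding)
```

The side-loading rule is a triage heuristic: it does not verify the host executable's signature, so hits need review against known portable applications.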

The final payload is the SyncFuture Terminal Security Management System, a legitimate commercial tool from Nanjing Zhongke Huasai Technology Co., Ltd in China, repurposed to provide screen recording, file tracking and remote desktop control for persistent espionage. According to the report, the threat actor’s objective is to gain persistent, elevated access for continuous monitoring and exfiltration of sensitive information.

Article by CyberSIXT