New Delhi: Cybersecurity researchers have issued a major warning over a sophisticated phishing campaign that uses fake Income Tax Department emails to spread dangerous malware capable of giving hackers remote access to victims’ devices.

The large-scale cyber operation, reportedly linked to the SilverFox hacker group, has targeted individuals and organisations by disguising malicious emails as official tax notices. Experts say the scam has already affected users in India and has since expanded to countries including Indonesia, Russia and South Africa.

Security analysts have identified the campaign as an Advanced Persistent Threat (APT) attack that relies heavily on social engineering tactics and fear-based messaging to manipulate victims into opening infected attachments.

Fake tax notices used to trick victims

According to cybersecurity experts, the phishing emails closely resemble genuine communication from tax authorities. The messages often mention tax audits, compliance violations or urgent notices requiring immediate action.

Recipients are encouraged to download attachments that are typically labelled as “tax violation lists” or compliance-related documents.

However, once the attachment is opened, malware is installed on the device without the user’s knowledge.

Researchers stated that the attackers have carefully designed the emails to mimic official government formatting, language and branding in order to appear legitimate and trustworthy.

The sense of urgency created through references to penalties or legal action is intended to pressure recipients into reacting quickly without verifying the authenticity of the email.

Malware gives hackers remote access

Security experts explained that the infection process used in the campaign is highly sophisticated and occurs in multiple stages.

Once the malicious attachment is opened, a modified Rust-based loader is deployed on the system. This loader then installs a powerful remote-access malware known as ValleyRAT.

The malware functions as a backdoor tool that allows cybercriminals to gain remote control over infected devices, access sensitive data, monitor activity and potentially deploy additional malicious software.

Researchers said the campaign has particularly targeted Indian organisations operating in sectors such as consulting, transportation, trade and industrial services.

Between January and February 2026 alone, more than 1,600 malicious emails linked to the campaign were reportedly identified.

Why the scam is difficult to detect

Cybersecurity professionals warn that these phishing emails are especially dangerous because they are designed to look nearly identical to genuine tax department communication.

Attackers reportedly use rotating domains and advanced multi-stage delivery methods to bypass email security filters and antivirus detection systems.

The use of official-looking templates, formal language and tax-related fear tactics significantly increases the chances of recipients falling victim to the scam.

Experts noted that many users may unknowingly install malware simply by downloading and opening attachments from suspicious emails.

Tips to identify and avoid fake tax emails

Cybersecurity experts have advised users to remain cautious while handling emails claiming to be from government departments or financial institutions.

They recommend verifying any suspicious tax notices directly through official government portals instead of clicking links or downloading attachments from emails.

Users have also been advised to avoid opening unexpected attachments, especially files requesting urgent action related to taxes, refunds or compliance issues.

Maintaining updated antivirus software, enabling email security protections and regularly updating operating systems can help reduce the risk of infection.

Organisations have additionally been urged to conduct employee awareness training to educate staff about phishing attacks and suspicious email behaviour.

Experts stressed that awareness remains one of the strongest defences against phishing scams, especially as cybercriminals continue to use increasingly sophisticated tactics to target unsuspecting users.

With cyber fraud attempts rising globally, authorities and cybersecurity firms are encouraging individuals and businesses to verify communications carefully before sharing information or downloading files.