India hit by China-linked phishing campaign, unleashes malware to create long-term spy backdoor


A newly-uncovered espionage campaign aimed at targeted individuals is using phishing emails that impersonate the Government of India.

While the campaign uses a well-known banking trojan, it appears that the goal is to establish long-term access to victims’ computers for surveillance and data collection purposes, rather than immediate financial theft.


The activity was identified by eSentire’s Threat Response Unit in early December 2025 and begins with messages designed to lure recipients into downloading a malicious archive.

The emails appear as penalty notices from the Indian government’s tax office. Once opened, the file triggers a multi-stage infection chain that investigators describe as unusually deliberate and technically mature.

Aim: "persistent, elevated access"

The research, authored by cybersecurity researcher Vishavjit Singh, says the attackers’ main goal is “persistent, elevated access” that enables continuous monitoring of a victim’s device, including user activity, file operations, and the potential exfiltration of sensitive information.

The intrusion starts by abusing a trusted Windows process to hide its entry point. Attackers run a legitimate, signed Microsoft application but “side-load” a malicious file alongside it, piggybacking on software that appears safe to the operating system and to some security controls.

The first-stage loader also performs extensive anti-analysis checks – a common sign, Singh notes, that the bad actor anticipates defenders will investigate.

Phishing email impersonating government penalty notice. Image: esentire

If those checks are passed, the malware calls back to attacker-controlled infrastructure to retrieve a second payload, described as a packed shellcode that unpacks itself in memory to reduce its footprint on disk.


From there, it escalates privileges and attempts to blend into normal system behavior.

The report highlights a “file-less COM-based” User Account Control bypass that grants administrator rights, along with “process masquerading” that makes the malware appear as Windows explorer.exe in monitoring tools.

Running rings around antivirus

According to Singh, a particularly targeted feature is the malware’s response to Avast Free Antivirus. When Avast is detected, the malware uses an “automated mouse simulation” to navigate the security product’s interface and add the attacker’s files to the exclusion list.

This tactic, he says, is designed to keep the backdoor running without being quarantined.

Campaign "consistent with APT operations"

The next stage deploys a custom toolkit built around batch scripts to weaken system defences and install a core component as a Windows service, configured to run even in "safe" mode.

That persistence mechanism is intended to survive reboots and make clean-up more difficult.
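Two of the behaviours described above, the explorer.exe process masquerading and a service registered to start in Safe Mode, can be checked for on an endpoint inventory. The following is an added example written for this article, not code from eSentire or from the report; the process list, the Safe Mode service entries and the baseline are constructed sample data, and the flagged service name is a placeholder.

```python
# Constructed sample telemetry (not from the eSentire report). In practice the
# process list comes from an EDR inventory and the Safe Mode entries from the
# subkeys of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network.
PROCESSES = [
    {"pid": 4120, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 7312, "name": "explorer.exe", "path": r"C:\Users\Public\Libraries\explorer.exe"},
    {"pid": 7455, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
]

# "ExampleSvc" is a placeholder for an unexpected service, not a real indicator.
SAFEBOOT_SERVICES = {
    "Minimal": ["vga.sys", "EventLog", "WinDefend", "ExampleSvc"],
    "Network": ["vga.sys", "EventLog", "Dhcp", "ExampleSvc"],
}

# Illustrative subset of the services Windows itself registers for Safe Mode;
# a real baseline should be exported from a known-clean build of the same image.
SAFEBOOT_BASELINE = {"vga.sys", "EventLog", "WinDefend", "Dhcp"}

# Well-known Windows binaries and the only image paths they legitimately run from.
EXPECTED_PATHS = {
    "explorer.exe": {r"c:\windows\explorer.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
}


def find_masquerading(processes):
    """Return processes whose name matches a system binary but whose image path does not."""
    hits = []
    for proc in processes:
        expected = EXPECTED_PATHS.get(proc["name"].lower())
        if expected and proc["path"].lower() not in expected:
            hits.append(proc)
    return hits


def find_safeboot_additions(safeboot, baseline):
    """Return (key, service) pairs registered for Safe Mode start that are not in the baseline."""
    return [(key, svc) for key, svcs in safeboot.items() for svc in svcs if svc not in baseline]


if __name__ == "__main__":
    for proc in find_masquerading(PROCESSES):
        print(f"masquerade: pid {proc['pid']} {proc['name']} running from {proc['path']}")
    for key, svc in find_safeboot_additions(SAFEBOOT_SERVICES, SAFEBOOT_BASELINE):
        print(f"safeboot: unexpected service '{svc}' under SafeBoot\\{key}")
```

The path comparison is deliberately case-insensitive because Windows paths are, and a legitimate process listing may report them in either case.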

In the final stage, the attackers deploy SyncFuture TSM, a commercial “Terminal Security Management System” developed by China-based Nanjing Zhongke Huasai Technology Co., Ltd.

While marketed as a legitimate enterprise product, eSentire says it has been repurposed here as an all-in-one surveillance framework, enabling remote screen monitoring, logging of file activity and central management of compromised machines.


eSentire said it is treating the activity as a spying operation, pointing to the abuse of legitimate enterprise software, the use of valid code-signing certificates issued between 2019 and 2024, and a complex multi-step delivery chain.

“The campaign demonstrates characteristics consistent with advanced persistent threat (APT) operations focused on long-term espionage rather than financial gain,” the report said.

TRU recommended organisations restrict unauthorized software, deploy modern endpoint detection tools, and strengthen phishing awareness training to reduce exposure.
