Indian users are being targeted by phishing emails posing as Income Tax alerts, tricking them into downloading Blackmoon malware that secretly steals sensitive banking and personal data.
Saloni Kumari | Jan 27, 2026
Indian Users Targeted by Sophisticated Blackmoon Banking Malware Disguised as Tax Alerts
Indian users are being targeted in a phishing attack in which hackers send fake messages or emails to trick people into clicking on malicious links. Once a link is clicked, a hidden backdoor is installed on the victim’s device, allowing attackers to secretly access data. The attack is believed to be part of a cyber-espionage campaign aimed at spying on sensitive information, as per a report published by The Hacker News.
According to the report, the phishing messages include a ZIP file. When someone downloads and opens this file, it begins a step-by-step malware attack. The key objective of the attack is to make the user download banking malware called Blackmoon (also known as KRBanker). To hide the malicious activity, the file also makes users install a legitimate business security tool called SyncFuture TSM (Terminal Security Management), developed by a Chinese firm named Nanjing Zhongke Huasai Technology Co., Ltd.
The activity was identified by cybersecurity researchers from the eSentire Threat Response Unit (TRU). In this scam, the attackers allegedly sent bogus emails purporting to come from India’s Income Tax Department. The emails made users afraid of tax penalties imposed on them, creating urgency and fear and tricking them into quickly opening harmful attachments that can infect their devices or steal information.
In the report, eSentire said, “By deploying this system as their final payload, the threat actors establish resilient persistence and gain a rich feature set to monitor victim activity and centrally manage the theft of sensitive information.” It also said, “It provides them with the tools to not only steal data but to maintain granular control over the compromised environment, monitor user activity in real time, and ensure their own persistence.”
It further stated, “By blending anti‑analysis, privilege escalation, DLL sideloading, commercial‑tool repurposing, and security‑software evasion, the threat actor demonstrates both capability and intent.”