
Geopolitically Motivated Hacktivist Campaigns: Recent Coordinated Cyber Attacks Targeting Indian Corporations

In recent months, our team at Inception Cyber AI has closely monitored the evolving threat landscape targeting Indian corporations. A wave of sophisticated cyberattacks, driven by politically motivated hacktivist groups, has emerged with coordinated campaigns designed to disrupt critical operations and exfiltrate sensitive data. These groups, allegedly operating from Pakistan, are leveraging advanced social engineering techniques to increase their impact. This blog examines the technical mechanics of these attacks and provides insight into the tactics, tools, and intent behind them.

Image: Attack kill-chain

The complete kill-chain underscores the sophistication of this campaign. Threat actors engineered fraudulent websites and phishing emails that borrow heavily from authentic government communication styles—employing official seals, legal references, and structured formatting consistent with genuine tax penalty notices. These fabricated notices claim tax irregularities and pressure recipients into urgent compliance by following embedded links or downloading attached files.


Initial Lure

The attack chain is initiated through carefully targeted phishing emails sent to Indian organizations, crafted to impersonate legitimate Google Calendar invitations. The subject line is deliberately formatted to mirror authentic Google Calendar notifications, immediately lending the message a sense of legitimacy. To heighten trust, the attackers embed the recipient’s email address into the subject, creating an illusion of personalization.


Image: Email masquerades as a legitimate Google Calendar invitation

Notably, the subject and body text combine Vietnamese and English, an unusual and suspicious mix that indicates the campaign may have been repurposed from activity in another region or designed with multilingual flexibility. The theme of a “Tax Notice,” timed strategically during India’s tax filing season, further increases the likelihood that recipients will engage with the content.

The sender display name appears plausible, but the originating address is a generic Gmail account rather than an official government or corporate domain—an early but critical red flag. Header analysis reinforces this suspicion, revealing that the attacker is attempting to spoof the structure of legitimate Google Calendar invitations. When compared side-by-side with genuine calendar invites, clear deviations in header fields expose the fraudulent nature of the email.

Suspicious header vs. real header

  • Sender
    Suspicious: “Lịch Google” <calendar-notification@google.com>
    Real:       Google Calendar <calendar-notification@google.com>
  • From and Reply-To
    Suspicious: a gmail.com address
    Real:       a google.com or organization-domain address
  • Authentication-Results
    Suspicious: SPF, DKIM and DMARC all PASS, but only for the gmail.com domain
    Real:       SPF, DKIM and DMARC all PASS for the google.com domain

The email body is carefully designed to reinforce legitimacy by embedding links that appear genuine, including a Google Meet URL (meet.google.com/bbd-gcut-aim) and a Google Docs link (docs.google.com/...). These links are used as lures to convince recipients they are engaging with trusted Google services, while in reality, they serve as the pathway to the malicious payload disguised as official tax-related documents.
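The header differences in the comparison above can be checked mechanically. The following Python script is an added example written for this page, not code from Inception Cyber AI or its platform; it parses a raw message with the standard library and emits the same findings the comparison describes. The two sample messages, the free-mail domain list and the "google.com Sender" heuristic are constructed assumptions of the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Free-mail providers a government or corporate sender would not use.
# Illustrative list; an assumption of this example, not taken from the post.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# One Authentication-Results clause: method=result, optionally followed by the
# domain that the method actually authenticated.
AUTH_CLAUSE = re.compile(
    r"\b(spf|dkim|dmarc)=(\w+)(?:[^;]*?(?:header\.d|header\.from|smtp\.mailfrom)=([\w.@-]+))?",
    re.IGNORECASE,
)

# Constructed messages modelled on the comparison above (not the campaign's actual mail).
SUSPICIOUS_MSG = """From: Lich Google <attacker-account@gmail.com>
Reply-To: attacker-account@gmail.com
Sender: Lich Google <calendar-notification@google.com>
Subject: Invitation: Tax Notice @ Tue 30 Sep 2025 (victim@example.org)
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com

(body omitted)
"""

GENUINE_MSG = """From: Alice Example <alice@example.org>
Reply-To: alice@example.org
Sender: Google Calendar <calendar-notification@google.com>
Subject: Invitation: Quarterly review @ Tue 30 Sep 2025 (bob@example.org)
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=calendar-server.bounces.google.com; dkim=pass header.d=google.com; dmarc=pass header.from=example.org

(body omitted)
"""


def _domain(value) -> str:
    """Lower-cased domain of an address header value ('' if absent)."""
    _name, addr = parseaddr(str(value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(value) -> dict:
    """Map method -> (result, authenticated domain) from Authentication-Results."""
    results = {}
    for method, result, dom in AUTH_CLAUSE.findall(str(value or "")):
        results[method.lower()] = (result.lower(), dom.rsplit("@", 1)[-1].lower())
    return results


def analyze_invite_headers(raw: str) -> list:
    """Return finding tags for a raw RFC 5322 message.

    Checks: a Google Calendar 'Sender' paired with a free-mail 'From', a Reply-To
    that diverges from From, DKIM signed by a domain other than the Sender domain,
    and authentication that passes only for free-mail domains.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) or from_dom
    sender_dom = _domain(msg.get("Sender"))
    auth = parse_auth_results(msg.get("Authentication-Results"))

    findings = []
    if sender_dom == "google.com" and from_dom in FREEMAIL:
        findings.append("freemail-from-behind-google-calendar-sender")
    if reply_dom != from_dom:
        findings.append("reply-to-domain-differs-from-from")
    dkim_result, dkim_dom = auth.get("dkim", ("none", ""))
    if sender_dom and dkim_result == "pass" and dkim_dom != sender_dom:
        findings.append(f"dkim-signed-by-{dkim_dom}-not-{sender_dom}")
    passed = {dom for res, dom in auth.values() if res == "pass" and dom}
    if passed and passed <= FREEMAIL:
        findings.append("authentication-passes-only-for-freemail-domain")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("genuine", GENUINE_MSG)):
        print(label, analyze_invite_headers(raw))
```

Note that all three authentication results genuinely pass in the suspicious case; the signal is that they pass for gmail.com rather than for the domain the display name and Sender header imply. A gateway would weigh these findings together with content signals rather than block on any one of them.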


The Google-Meet Invite

Attached to the email is an .ics calendar invitation file (invite.ics), a standard format associated with Google Calendar events. At first glance, this attachment may seem harmless, as it simply adds an event to the calendar. However, in this campaign it is weaponized to direct victims toward external URLs, ultimately steering them to a malicious landing page.


Image: Email Attachment (Calendar Invite)
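An invite.ics file is plain text, so the links it carries can be enumerated without opening it in a calendar client. The following Python example is added here and is not the post's or the vendor's code; it unfolds the iCalendar lines, pulls every URL out of the link-bearing properties and gives each a verdict. The sample invite, the list of expected Google hosts and the shortener list are constructed assumptions, and the placeholder URLs and organizer address are not the campaign's indicators.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine Google Calendar invite is expected to reference. An
# assumption of this example, based on the services named in the post.
GOOGLE_SERVICE_HOSTS = {"meet.google.com", "docs.google.com", "calendar.google.com"}
# URL shorteners: t.ly appears in the post, the others are illustrative.
SHORTENERS = {"t.ly", "bit.ly", "tinyurl.com", "is.gd"}
# Properties whose values carry links a recipient might click.
LINK_PROPERTIES = {"DESCRIPTION", "URL", "LOCATION", "ATTACH", "X-ALT-DESC"}
URL_PATTERN = re.compile(r"""https?://[^\s\\"'<>]+""")

# Constructed invite modelled on the lure. The shortener path, document id and
# organizer address are placeholders, not the campaign's indicators. The long
# DESCRIPTION is folded across lines as RFC 5545 requires.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example//Constructed Invite//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-sample-1@example.invalid
DTSTART:20250930T090000Z
DTEND:20250930T093000Z
SUMMARY:Tax Notice - documents required within 72 hours
DESCRIPTION:Tax compliance deficiency notice. Download the required documents
  here: https://t.ly/PLACEHOLDER\\nJoin the call: https://meet.google.c
 om/abc-defg-hij
URL:https://docs.google.com/document/d/PLACEHOLDER/edit
ORGANIZER;CN=Assistant Commissioner:mailto:constructed-sender@gmail.com
END:VEVENT
END:VCALENDAR
"""


def unfold(ics: str) -> list:
    """Undo RFC 5545 line folding: continuation lines start with a space or tab."""
    lines = []
    for line in ics.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def classify(url: str) -> str:
    """shortener / google-service / external, by hostname."""
    host = (urlparse(url).hostname or "").lower()
    if host in SHORTENERS:
        return "shortener"
    if host in GOOGLE_SERVICE_HOSTS:
        return "google-service"
    return "external"


def triage_invite(ics: str) -> dict:
    """List every link in the invite with a verdict, plus the organizer's domain."""
    links, organizer_domain = [], ""
    for line in unfold(ics):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";", 1)[0].upper()  # drop parameters such as ;CN=
        if prop == "ORGANIZER":
            addr = value.lower().replace("mailto:", "", 1)
            organizer_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        if prop in LINK_PROPERTIES:
            # Undo iCalendar text escaping before scanning for URLs.
            text = value.replace("\\n", "\n").replace("\\,", ",")
            for url in URL_PATTERN.findall(text):
                links.append({"property": prop, "url": url, "verdict": classify(url)})
    return {
        "links": links,
        "organizer_domain": organizer_domain,
        "needs_review": any(link["verdict"] != "google-service" for link in links),
    }


if __name__ == "__main__":
    for link in triage_invite(SAMPLE_ICS)["links"]:
        print(link["property"], link["verdict"], link["url"])
```

Even the links that resolve to google.com services are worth listing: in this campaign the Docs link itself was the pivot to attacker infrastructure, so the output is a worklist for the analyst rather than a verdict on its own.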


Google Docs Landing Page

The embedded Google Docs link hosts a counterfeit notice titled “Tax Compliance Deficiency and Penalty Notice.” The page content is meticulously styled to resemble an official memorandum from the Indian Income Tax Department, presented in both Hindi and English. It instructs the recipient to download additional “required documents” within 72 hours, warning that failure to comply will result in legal action under the Income Tax Act. The document includes formal formatting, government seals, and a fabricated signature block attributed to a supposed “Assistant Commissioner of Income Tax”.


Image: Google Doc Counterfeit Notice

To further obscure its origin, the attackers mask the malicious download link using a URL shortener. This indirection not only conceals the true destination but also adds a layer of evasion against basic security filters. In this campaign, the redirection chain is as follows:

t[.]ly/CCnnx → googlefg[.]cyou → googlehkcom[.]com

The final destination hosts the malicious payload, completing the transition from a seemingly legitimate Google Docs page to attacker-controlled infrastructure.


Landing Page

When the victim follows the redirection chain, a browser window displays a counterfeit office memorandum purporting to be from the Income Tax Department, Government of India. The page is bilingual, written in both Hindi and English, and references Section 271(1)(c) of the Income Tax Act. Victims are instructed to submit documents within 72 hours and are presented with a “Download Documents” button to obtain the alleged requirements. This stage of the attack illustrates the convergence of social engineering, malware delivery, and exploitation of trust in government processes—strategically timed to coincide with India’s 2025 tax filing season, thereby maximizing credibility and impact.

Image: Landing Page

The deception culminates in the delivery of a compressed archive, “Tax Penalty Notification.zip”, which contains a 39 MB installer masquerading as “45.119.55.66ClientSetup.exe”. Upon execution, dynamic and network telemetry confirm that the binary initiates persistent communication with its command-and-control server at 45[.]119[.]55[.]66. The malware performs system-level manipulations including file creation, registry modifications, and process injection. It leverages a configuration file (YTSysConfig.ini) to define operational parameters such as C2 addresses, encryption flags, and persistence settings.

To maintain control and evade detection, the payload spawns or masquerades as legitimate processes including MANC.exe, FSHost64.exe, svchost.exe, SMSS.exe, and sysaid.exe. Network analysis reveals use of both TCP (6671/6681) and UDP (6677) channels to receive instructions, exfiltrate information, and sustain remote access.

This chain of activity demonstrates how the campaign fuses classic social engineering with stealthy post-exploitation tactics—resulting in credential theft, system compromise, and long-term persistence across targeted organizations.


Payload

Payload metadata provides further insight into its origin. The file properties identify the language setting as Chinese, and the file is signed by “SyncFutureTec Company Limited”. The company field is populated with the name “china”, and the internal name contains Chinese characters that translate to “Setup Package Creation Tool”. These attributes strongly suggest that the malware was packaged using a Chinese-developed installer or setup creation utility. While such metadata may be deliberately falsified, the consistent use of Chinese language settings and tool references aligns with indicators observed in other campaigns originating from threat actors in the region.


Image: Payload Metadata


Payload: Runtime Configurations

The malware’s entire runtime behaviour is driven by a configuration file (YTSysConfig.ini) that is read at startup and consulted throughout execution. This single INI governs command-and-control endpoints, feature flags, persistence and stealth options, and runtime actions — effectively making the binary a generic loader whose behaviour can be changed simply by editing or replacing the config.


Image: Concise explanation of the observed configuration keys and their operational effect (YTSysConfig.ini)

The flags shape runtime behaviour as follows:

  • C2 and exfiltration: ServerIP / CenterServIP define where the implant will establish outbound TCP/UDP connections (observed on TCP 6671/6681 and UDP 6677) to receive commands and send stolen data.
  • Feature toggles: FileEncrypt, RESTORE allow operators to enable/disable destructive or reversible features (e.g., encryption routines).
  • Stealth / evasion: nondis, Secret, and NOSPI control the malware’s visibility (suppressing UI, avoiding system probes, and minimizing forensic artifacts).
  • Installer logic / persistence: IsInstallFirst and FirstInstall guide initialization and whether persistent artifacts (services, scheduled tasks, drivers) are created. LOCALDRIVE centralizes where files/logs/configs are written.
  • Operational control: noreboot prevents reboot-driven disruptions that might expose or break the implant.

The binary implements an explicit self-termination safeguard that ties directly to the configuration. At runtime the code checks a runtime flag (mapped to the kill setting). If the condition is met, the malware calls TerminateProcess(GetCurrentProcess(), ...), immediately killing its own process.


Image: Self-Termination Safeguard Code

This code shows that the loader is a configuration-driven implant. The YTSysConfig.ini encodes operator intent — which features to enable, which C2 to use, what persistence and stealth measures to apply — while a built-in kill-switch provides a rapid self-termination mechanism for both operational control and anti-analysis.


Payload: Whitelisting Configurations

NETConfig.ytf is a network configuration file the malware reads to decide how to behave on the network. One of its keys, svcexclude, contains a long list of hostnames (mostly Chinese banks, payment portals and some enterprise services). When the malware inspects or intercepts web traffic, it checks destinations against that list and intentionally skips malicious actions for anything that matches. In plain terms: the file tells the malware “do not touch these sites”.


Image: Exclusion list from NETConfig.ytf

An exclusion list that favors Chinese domains, combined with Chinese-language metadata in the binary, indicates that the tool may have been developed by Chinese speakers or at least tailored to avoid impacting Chinese infrastructure. It is a strong operational indicator that the developers treated Chinese infrastructure as “out of scope” for this campaign. Seeing NETConfig.ytf with an svcexclude list is therefore a high-confidence indicator of this targeted credential-theft tooling.
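A quick way to triage a recovered configuration pair like YTSysConfig.ini and NETConfig.ytf is to map the keys described in the two sections above onto their operational effect: C2 endpoints, destructive toggles, stealth flags, persistence settings and the exclusion list. The Python below is an added example, not code from the post or the vendor. The file layouts (an INI section header, ';'-separated svcexclude hosts), the section name and all sample values are assumptions, since the post describes the keys and the purpose of svcexclude but not the exact on-disk format.

```python
import configparser
from collections import Counter

# Keys the post lists for YTSysConfig.ini, grouped by operational effect.
C2_KEYS = ("ServerIP", "CenterServIP")
DESTRUCTIVE_KEYS = ("FileEncrypt", "RESTORE")
STEALTH_KEYS = ("nondis", "Secret", "NOSPI")
PERSISTENCE_KEYS = ("IsInstallFirst", "FirstInstall", "LOCALDRIVE")

# Constructed sample. The real file's section name and values are not in the
# post; the layout below (one [Main] section, key=value) is an assumption.
SAMPLE_YTSYSCONFIG = """[Main]
ServerIP=192.0.2.10
CenterServIP=192.0.2.11
FileEncrypt=1
RESTORE=0
nondis=1
Secret=1
NOSPI=1
IsInstallFirst=1
FirstInstall=0
LOCALDRIVE=D:\\
noreboot=1
"""

# Constructed NETConfig.ytf fragment. The post shows an svcexclude host list but
# not its delimiter, so ';'-separated key=value is an assumption here.
SAMPLE_NETCONFIG = "svcexclude=*.bank-a.example.cn;pay.example.cn;intranet.example.com\n"


def _truthy(value: str) -> bool:
    """Interpret the usual INI spellings of an enabled flag."""
    return value.strip().strip('"').lower() in {"1", "true", "yes", "on"}


def load_ini(text: str) -> dict:
    """Parse INI text into a flat {key: value} dict, preserving key case."""
    if not text.lstrip().startswith("["):
        text = "[root]\n" + text  # configparser insists on a section header
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep FileEncrypt / NOSPI etc. exactly as written
    cp.read_string(text)
    flat = {}
    for section in cp.sections():
        flat.update(cp.items(section))
    return flat


def summarize_config(ini_text: str, netconfig_text: str) -> dict:
    """Reduce the two files to the questions an analyst asks first."""
    cfg = load_ini(ini_text)
    net = load_ini(netconfig_text)
    excluded = [h.strip().lower() for h in net.get("svcexclude", "").split(";") if h.strip()]
    return {
        "c2": [cfg[k] for k in C2_KEYS if cfg.get(k)],
        "destructive_enabled": [k for k in DESTRUCTIVE_KEYS if _truthy(cfg.get(k, ""))],
        "stealth_enabled": [k for k in STEALTH_KEYS if _truthy(cfg.get(k, ""))],
        "persistence": {k: cfg[k] for k in PERSISTENCE_KEYS if k in cfg},
        "noreboot": _truthy(cfg.get("noreboot", "")),
        "excluded_hosts": excluded,
        # Which registries the operators chose not to touch: a coarse view of
        # the "out of scope" infrastructure the text describes.
        "exclusion_tlds": dict(Counter(h.rsplit(".", 1)[-1] for h in excluded)),
    }


if __name__ == "__main__":
    for key, value in summarize_config(SAMPLE_YTSYSCONFIG, SAMPLE_NETCONFIG).items():
        print(f"{key}: {value}")
```

The exclusion_tlds count is the quickest sanity check on the "favors Chinese domains" observation: a list that is overwhelmingly .cn is meaningful in a way that a handful of mixed entries is not.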


Static Coverage

Upon execution, the malware installs many files, creates numerous logs and spawns a persistent process named MANC.exe. This parent process then launches several child processes, including SMSS.exe, FSHost64.exe, svchost.exe etc. Despite the campaign being active in the wild for several months, many of its components continue to register low detection rates across security vendors, highlighting its stealthy nature and evasion capabilities.
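The process and network behaviour described above translates directly into a few host-telemetry rules: a known implant process name, a Windows system binary launched from outside the system directories, a child of the implant, a filename that embeds an IP address, and a connection to the reported C2 address or ports. This Python example is added for this page and is not the vendor's detection logic; it runs those rules over constructed Sysmon-style records. The install paths and the benign events are invented, while the process names, C2 address and ports come from the post.

```python
import re

# Indicators from the post: the C2 address and the ports observed in use.
C2_IPS = {"45.119.55.66"}
C2_PORTS = {("tcp", 6671), ("tcp", 6681), ("udp", 6677)}
# Process names the post associates with the implant.
IMPLANT_NAMES = {"manc.exe", "fshost64.exe", "sysaid.exe"}
# Windows binaries that only legitimately run from the system directories.
SYSTEM_BINARIES = {"svchost.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
IPV4_IN_NAME = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed telemetry in the shape of Sysmon process-create (EID 1) and
# network-connect (EID 3) records. Paths are invented; the post gives none.
EVENTS = [
    {"type": "process", "image": r"C:\Users\alice\Downloads\45.119.55.66ClientSetup.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\ProgramData\YT\MANC.exe",
     "parent": r"C:\Users\alice\Downloads\45.119.55.66ClientSetup.exe"},
    {"type": "process", "image": r"C:\ProgramData\YT\svchost.exe",
     "parent": r"C:\ProgramData\YT\MANC.exe"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "network", "image": r"C:\ProgramData\YT\MANC.exe",
     "proto": "tcp", "dst": "45.119.55.66", "dport": 6671},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "proto": "tcp", "dst": "192.0.2.50", "dport": 443},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    reasons = []
    name, parent = basename(ev["image"]), basename(ev["parent"])
    if name in IMPLANT_NAMES:
        reasons.append(f"known-implant-process:{name}")
    if IPV4_IN_NAME.search(name):
        reasons.append("ip-address-in-filename")
    if name in SYSTEM_BINARIES and not ev["image"].lower().startswith(SYSTEM_DIRS):
        reasons.append("system-binary-outside-system32")
    if parent in IMPLANT_NAMES:
        reasons.append(f"child-of-implant:{parent}")
    return reasons


def check_network(ev: dict) -> list:
    reasons = []
    if ev["dst"] in C2_IPS:
        reasons.append("c2-ip-match")
    if (ev["proto"].lower(), int(ev["dport"])) in C2_PORTS:
        reasons.append("c2-port-match")
    return reasons


def detect(events: list) -> list:
    """One alert per event that trips at least one rule, with every reason attached."""
    alerts = []
    for ev in events:
        reasons = check_process(ev) if ev["type"] == "process" else check_network(ev)
        if reasons:
            alerts.append({"image": ev["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["image"], "->", ", ".join(alert["reasons"]))
```

The System32 check is a standard masquerading heuristic, and svchost.exe also legitimately runs from SysWOW64, so both directories are allowed. The port-only rule should be corroborated by destination or process context, since 6671, 6681 and 6677 are not reserved for this implant.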


Image: invite.ics attachment is not flagged as malicious by any security vendors


Image: 45.119.55.66ClientSetup.exe flagged as malicious by 8/70 security vendors


Image: MANC.exe is not flagged as malicious by any security vendors


Image: svchost.exe flagged as malicious by 15/72 security vendors.


Image: clienttool.exe flagged as malicious by 1/72 security vendors.


Multi-Layered Redirection Infrastructure: Masking Malicious Intent

The initial download link provided in the phishing email redirected users through a series of intermediary domains:

  • t[.]ly/CCnnx – A URL shortening service that masks the final destination.
  • https[:]//googlefg[.]cyou/ – A domain designed to appear as a legitimate Google service.
  • https[:]//googlehkcom[.]com/s/CZTHbm – A further obfuscation layer leading to the final payload.

This multi-layered redirection strategy was employed to evade detection by security filters and to obscure the true nature of the malicious content.
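The hop-by-hop reasoning in the list above can be scripted so that a chain like this one is tagged consistently. The following Python example is added for this page and is not code from the post or its author; it refangs the indicators as published, then tags each hop as a shortener, a brand look-alike or an uncommon TLD using naive registrable-domain logic. The official-domain set, shortener list and common-TLD list are assumptions of the example, and a production tool would use the Public Suffix List rather than the last-two-labels shortcut used here.

```python
from urllib.parse import urlparse

# The redirection chain reported in the post, defanged as written there.
CHAIN = ["t[.]ly/CCnnx", "https[:]//googlefg[.]cyou/", "https[:]//googlehkcom[.]com/s/CZTHbm"]

# Brand tokens and the registrable domains that legitimately carry them.
# Assumption of this example: only google.com counts as official.
BRANDS = {"google": {"google.com"}}
# Shorteners: t.ly is on the page; the others are illustrative additions.
SHORTENERS = {"t.ly", "bit.ly", "tinyurl.com"}
# TLDs treated as unremarkable; anything else is tagged for a closer look.
COMMON_TLDS = {"com", "org", "net", "edu", "gov", "in"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (t[.]ly, hxxps[:]//...) back into a parseable URL."""
    url = ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")
    return url if "://" in url else "http://" + url


def defang(url: str) -> str:
    """Inverse of refang, for writing indicators back into a report."""
    return url.replace("http", "hxxp").replace("://", "[:]//").replace(".", "[.]")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Real tooling should consult the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def analyze_hop(url: str) -> dict:
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    label, _, tld = reg.partition(".")
    tags = []
    if reg in SHORTENERS:
        tags.append("url-shortener")
    for brand, official in BRANDS.items():
        # A brand name inside the registrable label, on a domain the brand does not own.
        if brand in label and reg not in official:
            tags.append(f"brand-lookalike:{brand}")
    if tld and tld not in COMMON_TLDS:
        tags.append(f"uncommon-tld:{tld}")
    return {"url": url, "domain": reg, "tags": tags}


def analyze_chain(hops: list) -> list:
    """Refang and tag every hop; any tagged hop makes the chain worth blocking or reviewing."""
    return [analyze_hop(refang(hop)) for hop in hops]


if __name__ == "__main__":
    for hop in analyze_chain(CHAIN):
        print(defang(hop["url"]), "->", ", ".join(hop["tags"]) or "no findings")
```

The look-alike rule is deliberately crude: it catches googlefg and googlehkcom because the brand string sits inside the registrable label, but it will also fire on legitimate third parties that embed a brand name, so it belongs in a scoring pipeline rather than a hard block list.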


INTENT-BASED THREAT PREVENTION™


Image: Threat Logs Dashboard

Our INTENT-BASED THREAT PREVENTION™ AI Platform identified and neutralized this phishing campaign in real time by correlating header anomalies with semantic intent analysis. Unlike signature-based tools that focus only on URLs or attachments, NACE™ extracts higher-order signals—such as intent, call-to-action, semantic and thematic consistency—that remain stable even when attackers rotate payloads or infrastructure.


Image: NACE™ Leveraging Intent as a feature for detection

In this case, the detection engine flagged multiple anomalies:

  • Sender Anomaly in Header: The email impersonated a Google Calendar invitation but was sent from a generic Gmail account (namlucthuy60@gmail.com), not from an authorized Google or corporate domain.
  • Semantic Intent – Tax Notice Theme: The subject line combined a tax compliance theme with a Google Calendar invite format—an unusual pairing that signaled a social engineering lure. NACE tagged the “Tax Notice” intent, which is strongly associated with fraud campaigns during the tax filing season.
  • Suspicious Call-to-Action URL: The body contained seemingly legitimate Google services (Google Meet, Google Docs), but analysis revealed that the Docs link redirected through a URL shortener to attacker-controlled domains delivering the malicious payload.
  • Attachment-Based Context: The .ics calendar invitation attachment, though a standard format, contained embedded links pushing the recipient toward the malicious landing page. This mismatch between the expected behaviour of an invite and the embedded redirection was flagged as anomalous.

By reasoning contextually across these artifacts—header irregularities, sender identity mismatch, thematic anomalies, and intent-based semantic analysis—NACE™ assigned a high-confidence malicious verdict. The email was detected and blocked before the user could interact with the fake tax notice page, preventing potential malware execution and data theft.


Attribution and Geopolitical Context

The tactics and operational scale indicate a coordinated effort to disrupt Indian corporations and critical infrastructure. Attribution remains nuanced. Previous research by Cyfirma [1] has tied similar campaigns to hacktivist groups linked with Pakistan, Indonesia and Bangladesh.

Although the malware tool exhibits clear signs of Chinese origin—such as Simplified Chinese metadata, configuration exclusions for Chinese banks, and Chinese-hosted infrastructure—the thematic targeting and phishing lures strongly align with pro-Pakistan hacktivist activity. The most plausible explanation is that these groups are leveraging Chinese-built malware and rented C2 infrastructure from cybercrime vendors (often Chinese). In effect, while the tooling points toward China, the operational intent and targeting are more consistent with Pakistan-linked actors.


Conclusion

This campaign highlights how hacktivist groups exploit tax-season urgency, trusted platforms, and rented Chinese-built tooling to target Indian corporations. While attribution is complex, the use of pro-Pakistan lures with Chinese infrastructure reflects the growing collaboration between regional hacktivists and cybercrime vendors.

Traditional IOC-based defenses are ineffective against such adaptive campaigns. Our INTENT-BASED THREAT PREVENTION™ AI Platform detected this attack by correlating sender anomalies, tax-themed semantics, and suspicious call-to-action links—stopping the phishing attempt before it reached the user. This case reinforces the importance of intent-driven detection to stay ahead of evolving threats.

Stay vigilant, stay secure.


Reference

[1] Digital Frontlines: India Under Multi-Nation Hacktivist Attack, https://www.cyfirma.com/research/digital-frontlines-india-under-multi-nation-hacktivist-attack/

Post by Kalpesh Mantri, Principal Research Engineer
Sep 26, 2025 4:06:31 PM