DcRAT

The spear phishing email carrying the malicious PDF was observed actively distributed in the wild on June 10, 2026.

The attachment contains an embedded URL, govtop[.]one/incometax . When a user clicks on the link, they are redirected to a webpage designed to appear legitimate and generate trust.

Upon execution, the malicious executable spawns multiple cmd.exe processes that leverage the Windows Service Control (sc.exe) utility to create a service named MixedSvc.

These strings are subsequently used to dynamically resolve critical Windows APIs through LoadLibraryA() and GetProcAddress(). The resolved APIs correspond to native memory management and process manipulation functions that are commonly leveraged during process injection.

By mimicking an official Income Tax Department resource, the attacker increases the likelihood that recipients will perceive the file as genuine and proceed with downloading and executing it, thereby facilitating the delivery of the malicious payload.

The service is configured to execute “C:\Program Files\Windows Media Player\Mixed Reality.exe” and is set to start automatically at system boot.

The sample also performs registry operations using RegOpenKeyExA(), RegCreateKeyExA(), and RegSetValueExA(), indicating the creation of configuration or persistence-related registry values.

Upon locating a target svchost.exe process, the malware obtains a handle with full access permissions and allocates executable memory within the remote process. The decrypted payload is written into the allocated region... Execution is then transferred to the injected code by creating a remote thread within the target process.

The service is configured to execute “C:\Program Files\Windows Media Player\Mixed Reality.exe” and is set to start automatically at system boot.

The sample also performs registry operations using RegOpenKeyExA(), RegCreateKeyExA(), and RegSetValueExA(), indicating the creation of configuration or persistence-related registry values.

If elevated privileges are not available, it relaunches itself using ShellExecuteW() with the “runas” verb, triggering a UAC prompt before terminating the original process.

The analysed function begins by DE obfuscating several strings using a simple XOR operation (^ 0x18 and ^ 0x02).

To evade suspicion, the threat actor assigns the service the display name “Windows Mixed Reality Service” and a legitimate-looking description.

Upon locating a target svchost.exe process, the malware obtains a handle with full access permissions and allocates executable memory within the remote process. The decrypted payload is written into the allocated region... Execution is then transferred to the injected code by creating a remote thread within the target process.

The malware reads background.jpg and decrypts and Extracts Payload A (~1.13 MB) Payload B (~1.15 MB).

The function sub_1800015A0() serves as an anti-analysis and environment validation routine. It performs multiple timing checks using GetTickCount64() and short sleep intervals to detect sandbox acceleration, debugger interference, or API hooking.

The decrypted assembly is copied into a SAFEARRAY and loaded directly into memory via AppDomain::Load_3(), avoiding the need to write the payload to disk.

The IdSender.SendInfo() routine collects a wide range of host information, including ... active window title ...

The IdSender.SendInfo() routine collects a wide range of host information, including the victim’s hardware identifier (HWID), username...

Following payload preparation, the malware enumerates running processes using CreateToolhelp32Snapshot() and searches specifically for svchost.exe.

The IdSender.SendInfo() routine collects a wide range of host information, including the victim’s hardware identifier (HWID), username, operating system version and architecture, executable path, malware version, privilege level... installed antivirus products... and system idle time.

The function sub_1800015A0() serves as an anti-analysis and environment validation routine. It performs multiple timing checks using GetTickCount64() and short sleep intervals to detect sandbox acceleration, debugger interference, or API hooking.

The IdSender.SendInfo() routine collects a wide range of host information, including... installed antivirus products...

Once the DLL becomes available, the malware opens and reads data from C:\Windows\background.jpg, which serves as a container for embedded malicious payloads rather than a legitimate image file.

The embedded desktop capture (dsc_*) library indicates the capability to capture the victim’s screen, while the integrated TurboJPEG library... enables rapid JPEG encoding of captured images.

The attachment contains an embedded URL, govtop[.]one/incometax . When a user clicks on the link, they are redirected to a webpage designed to appear legitimate and generate trust.

The remote endpoint resolves to 223.26.63.40:2671 , which is the active command-and-control (C2) server at the time of execution.

The function sub_140001730 ... repeatedly resolving the hardcoded command-and-control (C2) domain kkxqbh.top until a valid IP address is obtained, allowing the malware to recover automatically from temporary network outages.

The malware creates an SSL/TLS stream (System.Net.Security.SslStream) over the existing TCP socket, indicating that all subsequent communications with the C2 server are encrypted.

Before transmitting the registration data, the malware serializes the Message Pack object into a binary stream and compresses it using a ZIP-based compression routine. This compressed payload is then sent through the previously established TLS-encrypted communication channel.

It then checks whether amsi.dll is loaded and patches the AmsiOpenSession() function in memory using VirtualProtect(). By overwriting instructions within AMSI, the malware effectively disables antimalware scanning of subsequent .NET code.