SyncFuture Phishing Campaign Abused Security Software and Microsoft-Signed Binaries for Multi-Stage Malware

What happened

The SyncFuture campaign used phishing emails impersonating the India Income Tax Department to deliver a multi-stage infection chain targeting residents of India in December 2025. Victims received fraudulent messages prompting them to open or download files that arrived as a ZIP archive posing as a government document review tool. Instead, the archive contained a weaponized executable that initiated staged execution, combining legitimate Microsoft-signed binaries and additional components to evade defenses and maintain persistence. eSentire researchers documented automated evasion behaviors that specifically interacted with Avast: when Avast Free Antivirus was detected, the malware simulated mouse movements and clicks to navigate the UI and add exclusions, effectively whitelisting malicious files without fully disabling the product. The operation ultimately repurposed a legitimate enterprise management platform as the final payload, enabling sustained access under the cover of valid software.

Who is affected

Individuals and organizations in India targeted by tax-themed phishing are directly affected if they execute the downloaded files. Exposure is direct on infected endpoints and potentially indirect across enterprise environments if the repurposed management platform enables broader remote administration.

Why CISOs should care

This campaign blends social engineering with defense evasion that manipulates endpoint security tooling (Avast) and relies on trusted binaries (Microsoft-signed components), reducing the effectiveness of signature-based detection. The use of legitimate enterprise management tooling increases the likelihood of persistence, lateral movement, and stealthy long-term access.

3 practical actions

  • Block tax-themed payload execution paths: Quarantine inbound archives that contain executables and enforce attachment sandboxing for “government notice” and “tax penalty” lures.

  • Audit AV exclusion changes: Alert on automated or unusual exclusion-list modifications in Avast and other endpoint tools, especially following email link clicks or archive opens.

  • Constrain enterprise management tools: Limit installation, service creation, and outbound control traffic for remote management platforms to approved administrators and hardened management networks.
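As an added illustration of the second action above (example code written here, not from eSentire's report or from any vendor's tooling), the following correlation check flags an AV exclusion-list change that lands shortly after an archive open or process launch on the same host. The telemetry records, event names, hosts and paths are constructed and hypothetical; a real deployment would map them to the fields your EDR or AV console actually emits.

```python
from datetime import datetime, timedelta

# Constructed, hypothetical endpoint telemetry (not Avast's or any vendor's real log format).
# Each record: ISO-8601 timestamp, host, event type, detail.
SAMPLE_EVENTS = [
    ("2025-12-03T09:14:02", "WS-101", "archive_open", "ITR_Review_Tool.zip"),
    ("2025-12-03T09:14:40", "WS-101", "process_start", "ITR_Review_Tool.exe"),
    ("2025-12-03T09:16:05", "WS-101", "av_exclusion_added", r"C:\Users\u1\AppData\Local\Temp\stage2"),
    ("2025-12-03T11:02:10", "WS-202", "av_exclusion_added", r"D:\Builds\ci-agent"),
    ("2025-12-03T11:30:00", "WS-303", "archive_open", "quarterly_report.zip"),
]

WINDOW = timedelta(minutes=15)          # how far back to look for a triggering action
PRECURSORS = {"archive_open", "process_start"}


def parse(events):
    """Turn the raw tuples into (datetime, host, kind, detail) for comparison."""
    return [(datetime.fromisoformat(ts), host, kind, detail) for ts, host, kind, detail in events]


def correlate_exclusion_changes(events, window=WINDOW):
    """Return one alert per exclusion-list change.

    severity "high": an archive open or process launch preceded it on the same host
                     within `window` (the pattern described in the campaign).
    severity "review": no such precursor; still worth a human look, since exclusions
                       are rarely added outside change windows.
    """
    parsed = sorted(parse(events))
    alerts = []
    for ts, host, kind, detail in parsed:
        if kind != "av_exclusion_added":
            continue
        precursors = [
            (p_ts.isoformat(), p_kind, p_detail)
            for p_ts, p_host, p_kind, p_detail in parsed
            if p_host == host and p_kind in PRECURSORS and ts - window <= p_ts < ts
        ]
        alerts.append({
            "host": host,
            "exclusion": detail,
            "at": ts.isoformat(),
            "severity": "high" if precursors else "review",
            "precursors": precursors,
        })
    return alerts
```

Running it on the sample data yields a high-severity alert for WS-101 (two precursors) and a review-level alert for WS-202.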