NSecRTS is a persistent Windows malware component associated with a sophisticated phishing campaign targeting Indian businesses during the Income Tax Return (ITR) filing season. The campaign impersonates the Indian Income Tax Department using spear-phishing emails, including messages with the subject "Tax Compliance Review Notice," an embedded image lure, and a malicious PDF attachment named "Review Annexure.pdf." The PDF redirects victims to a fake compliance portal, including hxxps://www.akjys.top/, which delivers a ZIP archive containing a malicious executable. The infection chain uses multi-stage NSIS installers, including digitally signed payloads, to deploy the malware.
NSecRTS.exe is installed in a hidden directory such as C:\Program Files\Common Files\NSEC and registered as a Windows service for persistence, masquerading as "Windows Real-time Protection Service." Configuration in buildin.cfg assigns NSecRTS.exe as the active process for both 32-bit and 64-bit systems. The malware runs automatically in the background and communicates with command-and-control infrastructure over non-standard ports including 48991 and 48992, with reported C2 endpoints including 154.91.84.3:48991, 154.91.84.3:48992, 154.91.84.3:3898, 45.113.192.102:80, and 103.235.46.102:80. The malware uses encrypted communications and unique victim UIDs.
Observed capabilities include persistence via Windows services, system and hardware discovery, collection of installed applications and running services, structured local storage of harvested data, and exfiltration to C2 servers. Reporting describes the broader malware as a full-featured Remote Access Trojan capable of full system compromise and long-term access. The campaign also used social engineering to instruct victims to disable antivirus protections. Technical artifacts, including Simplified Chinese language components and code-signing certificates tied to Hengshui Shenwei Technology Co., Ltd. and Shandong Anzai Information Technology CO.,Ltd., suggest a China-linked development environment, though attribution beyond that is not established in the provided content. Reported detections include PUA.NSecsoftCiR and Trojan.AgentCiR. Reported file hashes include 4001854be1ae8e12b6dda124679a4077 and F00F824FCAFBA9B26675AE8242F0B6A0.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct techniques documented for this family, organized by ATT&CK tactic.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
NSecRTS is a Remote Access Trojan (RAT) that establishes persistence on infected systems by installing itself as a service. It enables full system compromise and communicates with C2 servers over non-standard ports. The malware is distributed via spear-phishing campaigns targeting Indian businesses during the tax season and is linked to a China-based development environment.
NSecRTS is a Remote Access Trojan (RAT) deployed via a multi-stage infection chain, achieving persistence as a Windows service, harvesting system and application information, and enabling remote command execution and data exfiltration to C2 servers. It is distributed through tax-themed phishing campaigns targeting Indian businesses and shows strong links to a Chinese development environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.