Threat researchers discovered a concerning espionage operation in December 2025 that used sophisticated phishing campaigns to target Indian citizens. The attack, known as SyncFuture, shows how hackers can use trustworthy business software to launch sophisticated malware attacks.

Attackers tricked victims into downloading malicious files with multiple stages of malicious code by sending phony emails purporting to be from India's Income Tax Department. The infection chain shows significant technical sophistication. Victims who opened the files received a ZIP archive containing what looked to be a government document review tool. Instead, the archive contained a weaponized executable that would initiate a multi-phase attack sequence intended to take total control of compromised computers and preserve long-term access.

[Figure: Attack flow (Source: eSentire)]

This campaign was discovered by eSentire analysts and researchers, who also documented how it employs a variety of attack strategies to circumvent security measures and create persistent access. The threat actors used authorized Microsoft-signed binaries and automated evasion techniques, and ultimately repurposed a legitimate enterprise management platform as their final payload, a particularly concerning sign of the campaign's resources and sophistication.

[Figure: Phishing email posing as an Indian government Notice of Tax Penalty (Source: eSentire)]

Automated Mouse Simulation for Avast Antivirus Evasion

In particular, the SyncFuture campaign targets Avast Free Antivirus using a method that most people wouldn't anticipate from automated malware, demonstrating sophisticated detection evasion techniques.

When the malware discovered that Avast was installed on a victim's computer, it used a novel strategy to automatically navigate Avast's interface by mimicking mouse clicks and movements.

[Figure: A similarly themed phishing website that mimics an Indian government tax document (Source: eSentire)]

This method is notable because it shows that the attackers closely examined particular antivirus software. After locating the Avast detection dialog window, the malware would programmatically move the cursor to predetermined screen coordinates and select the options that create a security exception. By mimicking human-like user actions instead of trying to completely disable the antivirus, the malware successfully added itself to Avast's exclusion list, thereby whitelisting the malicious files.

[Figure: Game-float-core.dll's digital signature is invalid (Source: eSentire)]

The threat actor's tools were able to function without being discovered by the antivirus program thanks to this persistence mechanism.
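A defender-side check for the behaviour described above, as an added example that is not from the eSentire report: it diffs an antivirus exclusion list against an approved baseline and flags new entries that sit in user-writable locations or shield files without a valid signature. The exclusion exports, file inventory, directory names and function names are constructed for illustration, and how the list is exported from a given product is assumed to be handled elsewhere.

```python
from pathlib import PureWindowsPath

# Constructed sample data (not from the report): two exports of an AV exclusion
# list, plus a file inventory with signature status from a signature checker.
BASELINE = [r"C:\Program Files\BackupAgent"]
CURRENT = [r"c:\program files\backupagent", r"C:\Users\Public\Documents\TaxReview"]
INVENTORY = [
    (r"C:\Users\Public\Documents\TaxReview\game-float-core.dll", "Invalid"),
    (r"C:\Program Files\BackupAgent\agent.exe", "Valid"),
]
# Assumption: roots a standard user can write to on a default Windows install.
USER_WRITABLE = [r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp"]


def key(path):
    """Windows paths are case-insensitive, so compare lower-cased components."""
    return tuple(part.lower() for part in PureWindowsPath(path).parts)


def covers(exclusion, path):
    """True if `path` is the excluded item itself or lives beneath it."""
    prefix = key(exclusion)
    return key(path)[:len(prefix)] == prefix


def audit(baseline, current, inventory, writable=USER_WRITABLE):
    """Return (exclusion, reasons) for every entry added since the baseline."""
    approved = {key(p) for p in baseline}
    findings = []
    for excl in current:
        if key(excl) in approved:
            continue  # unchanged since the approved baseline
        reasons = ["not in approved baseline"]
        if any(covers(root, excl) for root in writable):
            reasons.append("user-writable location")
        unsigned = [PureWindowsPath(f).name for f, status in inventory
                    if covers(excl, f) and status != "Valid"]
        if unsigned:
            reasons.append("shields files without a valid signature: "
                           + ", ".join(unsigned))
        findings.append((excl, reasons))
    return findings


if __name__ == "__main__":
    for excl, reasons in audit(BASELINE, CURRENT, INVENTORY):
        print(excl, "->", "; ".join(reasons))
```

Because the exclusion was created through the product's own interface, the antivirus sees it as a user decision; comparing against a baseline held outside the endpoint is what exposes it.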

The conditional logic in the batch scripts that were examined specifically checked whether Avast was active, indicating that the attackers had carefully tested and tailored their malware for various antivirus environments. This infection mechanism represents a significant evolution in malware sophistication, going beyond simple evasion to targeted manipulation of particular security products in order to accomplish the attackers' long-term espionage goals.