HackWatch | High risk | Malware

North Korean Hackers Target Drug Companies with Weaponized Excel Malware Disguised as Income Tax Notices

Malware coverage focused on infection paths, containment steps and indicators defenders should watch.

Malware activity flagged. Isolate affected systems, preserve logs and block persistence or command-and-control channels before recovery.
Marcin Pocztowski, Infrastructure Security Editor (Infrastructure and Vulnerability Response)

By: Artur Ślesik

Published: Apr 27, 2026

Updated: May 01, 2026

Incident status: Active threat

Corroborating sources: 5

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the same discipline he would use around Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access and only then apply the fix or compensating control supported by the 5 corroborating sources.

Review our editorial policy or send corrections to [email protected].

Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

A sophisticated North Korean cyber espionage group is actively targeting pharmaceutical companies using weaponized Excel files disguised as urgent Income Tax Department notices. This high-risk campaign employs phishing techniques with fake government websites to deploy malware, threatening sensitive drug research and intellectual property.

What happened

In early 2026, cybersecurity researchers confirmed a high-risk cyber espionage campaign orchestrated by a North Korean hacking group targeting pharmaceutical and drug companies globally. The attackers are distributing malware-laden Excel files that masquerade as official Income Tax Department notices, leveraging phishing emails and fake government websites to trick victims into opening weaponized spreadsheets. Once opened, these Excel files deploy sophisticated malware designed to infiltrate corporate networks, steal sensitive data, and potentially sabotage drug research operations.

This campaign was uncovered through multiple corroborating sources including CybersecurityNews.com and HackRead.com, revealing a new wave of targeted attacks that blend social engineering with advanced malware delivery.

Confirmed facts

  • The threat actors are linked to North Korean state-sponsored hacking groups known for cyber espionage.
  • Attack vectors include phishing emails impersonating the Income Tax Department of India, containing urgent language to pressure victims.
  • Fake websites nearly identical to official government portals are used to host malicious Excel files.
  • The weaponized Excel files rely on malicious macros and embedded scripts that deploy malware once the file is opened and macros are enabled.
  • Targets primarily include pharmaceutical companies involved in drug research and development.
  • The malware aims to exfiltrate intellectual property, employee credentials, and sensitive corporate data.
  • The campaign is active as of April 2026, with increasing sophistication in evading detection.

Who is affected

The primary victims are pharmaceutical and biotechnology companies, especially those with operations or partnerships in India and other regions where the fake Income Tax Department notices hold credibility. Employees in finance, compliance, and tax departments are particularly targeted due to the nature of the phishing lure.

Beyond drug companies, any business or individual receiving tax-related communications in these regions should be cautious, as the fake Income Tax Department tactic could be adapted to other sectors.

What to do now

  • Do not open unsolicited emails claiming to be from tax authorities without verification.
  • Verify the URL of any tax-related website before downloading files; official Indian government portals use domains ending with .gov.in.
  • If you receive an unexpected Excel file, especially one prompting macro activation, consult your IT security team before opening.
  • Educate employees about phishing tactics, particularly those impersonating government agencies.
  • Implement and enforce strict email filtering and endpoint security solutions capable of detecting malicious macros and scripts.
  • Report suspicious emails to your cybersecurity incident response team or local CERT (Computer Emergency Response Team).
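The filtering step above calls for tooling that can tell a macro-capable Excel attachment from a plain one. The following is an added example, not HackWatch tooling or anything from the reported campaign: it inspects the attachment bytes rather than trusting the file name, detects an embedded VBA project inside an OOXML (.xlsx/.xlsm/.xlsb) package, flags legacy binary .xls files for manual review, and treats a file named .xlsx that nonetheless carries a VBA project as a disguised macro document. The sample packages are constructed in memory and are not real workbooks.

```python
"""Flag Excel email attachments that can carry macros (added example, not HackWatch's code)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container (.xls/.doc)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML container (.xlsx/.xlsm/.xlsb)


def ooxml_parts(data: bytes) -> list[str]:
    """Return the member names of an OOXML package, or [] if the bytes are not a zip."""
    if not data.startswith(ZIP_MAGIC):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML package embeds a VBA project (xl/vbaProject.bin)."""
    return any(name.lower().endswith("vbaproject.bin") for name in ooxml_parts(data))


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for an Excel attachment.

    The decision is driven by content, so a renamed file cannot talk its way past the check.
    """
    name = filename.lower()
    if data.startswith(OLE_MAGIC):
        # Legacy .xls can hold VBA and cannot be inspected with zipfile alone: hand it to a human.
        return "review"
    if has_vba_project(data):
        # Macro-enabled content. A .xlsx name hiding a VBA project is an extra red flag.
        return "block"
    if name.endswith((".xlsm", ".xlsb")):
        # Macro-capable format without a VBA project found: still worth a second look.
        return "review"
    if name.endswith(".xlsx") and ooxml_parts(data):
        return "allow"
    # Unknown or unparseable content.
    return "review"


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-like package (constructed test data, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: file names are placeholders, not indicators from the campaign.
    samples = [
        ("ITR_notice.xlsm", build_sample(True)),
        ("ITR_notice.xlsx", build_sample(True)),   # macro document renamed to look harmless
        ("report.xlsx", build_sample(False)),
        ("old_notice.xls", OLE_MAGIC + b"\x00" * 8),
    ]
    for fname, blob in samples:
        print(f"{fname}: {classify_attachment(fname, blob)}")
```

In a mail gateway this runs before the attachment reaches a mailbox; "block" quarantines the message, "review" routes it to the security team, and "allow" passes a plain OOXML workbook through. Legacy .xls needs an OLE-aware parser to inspect properly, which is why it is never allowed automatically here.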

How to secure yourself

  • Disable macros by default in Microsoft Excel and only enable them for trusted documents.
  • Use multi-factor authentication (MFA) on all corporate accounts to prevent credential theft exploitation.
  • Regularly update software and security patches to close vulnerabilities exploited by malware.
  • Deploy advanced endpoint detection and response (EDR) tools that can identify malicious behavior in real time.
  • Conduct simulated phishing exercises to raise awareness and prepare employees for social engineering attempts.
  • Maintain offline backups of critical data to recover from potential ransomware or data destruction attacks linked to this malware.

FAQ

How can I tell if I have been targeted by this malware?

Look for unexpected emails from supposed tax authorities with attachments, especially Excel files requesting macro activation. Unusual system behavior after opening such files, like slow performance or unknown network activity, may indicate infection.

Are only Indian companies targeted?

While the campaign started focusing on Indian taxpayers and businesses, it has expanded globally, particularly targeting pharmaceutical companies in multiple regions.

What kind of malware is deployed through these Excel files?

The malware includes backdoors and data exfiltration tools designed to steal sensitive corporate information and credentials, often using macro scripts embedded in Excel.

Can antivirus software detect this malware?

Traditional antivirus may miss polymorphic malware variants. Using advanced endpoint detection and response solutions improves detection rates.

What should I do if I accidentally opened a malicious Excel file?

Immediately disconnect from the network, inform your IT security team, run a full malware scan, and consider restoring affected systems from clean backups.

How do the fake Income Tax Department websites look?

They closely mimic official government portals, including logos and page layouts, but often have subtle URL differences or use non-government domains.
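The "subtle URL differences" described here are the kind of thing a quick programmatic check can surface before anyone clicks. The following is an added example, not part of the original alert and not HackWatch tooling: it parses a link and reports why it does not look like an official Indian government portal. It assumes .gov.in as the reference suffix, requires https as the article's "secure domains" wording suggests, and catches the common tricks that defeat a glance at the address bar: the real domain pushed into a subdomain (gov.in.example.com), hyphen lookalikes (incometax-gov.in), credentials before an @ that move the real host to the end, and non-ASCII homograph hostnames. All URLs below are constructed for illustration.

```python
"""Check whether a tax-notice link points at an official .gov.in host (added example)."""
from urllib.parse import urlsplit

# Assumed reference suffix for official Indian government portals.
OFFICIAL_SUFFIX = ".gov.in"


def check_tax_url(url: str) -> dict:
    """Return {'official': bool, 'host': str, 'reasons': [..]} for a link from a tax-themed email."""
    reasons = []
    # urlsplit needs a scheme to find the netloc; assume http if the sender left it off.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return {"official": False, "host": host, "reasons": ["no hostname in URL"]}

    if not host.isascii():
        reasons.append("non-ASCII hostname (possible homograph lookalike)")
    if "@" in parts.netloc:
        # Everything before '@' is a username; the real host is what follows it.
        reasons.append("credentials before '@' hide the real host")
    if parts.scheme != "https":
        reasons.append("not served over https")
    if not host.endswith(OFFICIAL_SUFFIX):
        reasons.append(f"host does not end with {OFFICIAL_SUFFIX}")
        if "gov.in" in host or "gov-in" in host or "govin" in host:
            reasons.append("'gov.in' appears inside a non-government hostname (lookalike)")

    return {"official": not reasons, "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links: none of these are indicators from the reported campaign.
    samples = [
        "https://notices.example.gov.in/itr",
        "https://incometax.gov.in.example.com/notice",
        "https://incometax-gov.in/notice",
        "https://example.gov.in@evil.example/notice",
        "https://example.g\u043ev.in/notice",   # Cyrillic 'о' in place of Latin 'o'
        "http://example.gov.in/notice",
    ]
    for link in samples:
        result = check_tax_url(link)
        verdict = "official" if result["official"] else "SUSPECT"
        print(f"{verdict:9} {result['host']:35} {'; '.join(result['reasons'])}")
```

The check is deliberately conservative: it only answers "does this host sit under .gov.in and arrive over https", so a link that passes still deserves the usual scrutiny, while a link that fails gives the finance or tax team a concrete reason to hand the email to security instead of opening the attachment.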

Is this attack linked to ransomware?

Currently, the campaign focuses on espionage and data theft rather than ransomware deployment.

How often are these phishing emails being sent?

The campaign is ongoing with waves of phishing emails sent regularly, often timed around tax filing seasons to increase credibility.

Can personal users be affected?

While primarily targeting businesses, individuals receiving tax-related emails should remain cautious, especially in India.

Why this matters

Pharmaceutical companies hold critical intellectual property that drives global healthcare innovation. Successful cyber espionage campaigns threaten not only corporate competitiveness but also public health by potentially delaying drug development and exposing sensitive data. The use of government impersonation in phishing attacks increases the likelihood of victim compliance, making this a high-risk threat. Understanding and mitigating this campaign is essential for protecting vital industry assets and maintaining trust in digital communications.

Sources and corroboration

This article synthesizes information from multiple reputable cybersecurity outlets, primarily CybersecurityNews.com and HackRead.com, with additional insights from international security advisories released in 2026. These sources confirm the North Korean origin of the threat actors, the phishing tactics involving fake Income Tax Department websites, and the targeting of pharmaceutical companies with weaponized Excel malware.

For further reading:

  • https://cybersecuritynews.com/north-korean-hackers-attacking-drug-companies/
  • https://hackread.com/unc6692-hackers-microsoft-teams-snow-malware/
  • https://cybersecuritynews.com/hackers-using-fake-income-tax-departments-notice/

Sources used for this article

cybersecasia.net, gbhackers.com, cybersecuritynews.com, hackread.com, Multiple verified sources

Artur Ślesik


Founder of HackWatch.io and WEB-NET; Editorial Reviewer


Artur Ślesik is the founder of HackWatch.io and WEB-NET, a real named reviewer with 17+ years of experience building and maintaining web portals.

Coverage focus: Secure web portals, phishing prevention, user-facing recovery guides and practical web-security review

Editorial disclosure: This is a real named founder profile. HackWatch does not claim unverified security certifications, SOC employment history or CERT incident-response credentials for Artur. Security guidance is grounded in public sources, HackWatch tooling and first-hand web-portal experience.

Artur leads this phishing alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "North Korean Hackers Target Drug Companies with Weaponized Excel Malware Disguised as Income Tax Notices".
