Fake Income Tax Assessment Notice Delivers RAT-Like Malware to Windows Users

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Cybercriminals are now using fake government tax notices to push dangerous malware onto Windows computers, and the tactic is proving alarmingly effective.

A newly uncovered campaign targets users in India by impersonating the Income Tax Department, tricking victims into downloading what appears to be an official assessment order.

The moment someone takes the bait, a chain of malicious events begins quietly, giving attackers full remote access to the infected machine.

The attack works by directing victims to a fraudulent website that closely mimics legitimate government tax communications. The site presents a fabricated assessment order filled with tax terminology, legal references, and financial penalties designed to create urgency.

At the center sits a button labeled “Download Assessment Order & Workings,” which initiates the download of a malicious ZIP file disguised as official documentation.

Researchers at Cyfirma identified this campaign and noted the threat actor went to significant lengths to make everything appear trustworthy.

Cyfirma said in a report shared with Cyber Security News (CSN) that the campaign leverages convincing social engineering paired with a multi-stage malware delivery chain to maximize success.

Once downloaded, the ZIP archive unpacks a disk image file named Tax_Assessment.img, which contains two core malicious components working together in a staged execution chain.

Fake portal uses official-looking branding (Source – Cyfirma)

This ultimately installs a Remote Access Trojan, or RAT, on the victim’s Windows system. The end goal is to hand the attacker persistent remote control over the device, enabling surveillance, data theft, and further payload delivery.

The campaign is particularly alarming because it exploits the anxiety many people feel around tax compliance season. By combining realistic government branding with technical evasion, the attackers built a lure that can fool even cautious users.

The malware poses a serious threat to both individual taxpayers and organizations whose employees fall victim.

Fake Income Tax Assessment Notice

Once Tax_Assessment.img is opened, it drops two files onto the system: Tax_Assessment.exe and libsvcs.dll.

The executable is a loader that uses .NET reflection to load and run the DLL without holding the core malicious code itself. Both files were protected using ConfuserEx, an obfuscation tool that scrambles code to hinder detection by security software.

The loader hides its console window, modifies registry settings, and uses spoofed metadata to blend in with legitimate Windows components.

The DLL payload disguises itself as “Runtime Service Host” by Microsoft Corporation, a fake identity designed to avoid raising red flags with tools or users.

Multi-Stage Malware Delivery Chain (Source – Cyfirma)

This level of disguise shows how carefully the threat actor engineered the malware to stay hidden throughout the infection process.

The DLL carries full RAT capabilities, including startup registration, scheduled task creation, system information collection, user activity monitoring, and encrypted communication back to the attacker.

Its behavior closely matches the XWorm RAT family, a commodity tool popular among financially motivated actors. This flexibility makes the malware well-suited for long-term unauthorized access to any machine it compromises.

Encrypted C2 Communication and Attacker Infrastructure

The malware communicates with a hardcoded command-and-control server at 103.231.12.27 over port 4444, geolocated in Hong Kong.

All traffic is encrypted using a 32-byte key embedded in the malicious DLL, making interception extremely difficult without prior knowledge of the key.

The fraudulent domain harivo[.]vip, which hosted the fake tax portal, was registered in September 2025 and is tied to the same Hong Kong-based infrastructure.

Cyfirma assesses the campaign as the work of a financially motivated actor, though firm attribution remains unconfirmed. Using third-party regional hosting is a common method attackers use to obscure their true origin.

Security teams should monitor outbound traffic to unknown external IPs and block execution of files delivered through downloaded archives or mounted disk images.

Organizations should train employees to verify tax-related communications through official government portals before downloading anything.

Recognizing urgent compliance messages and fake government prompts remains one of the most practical defenses available.

If RAT activity is confirmed, incident response teams should isolate the affected system immediately and collect forensic artifacts for thorough investigation.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| SHA-256 Hash | 372d7d8ca222e03afa5970848cf88efa6a3bc5146d20398601285fc7eaea6735 | Block |
| SHA-256 Hash | f5dc1016679f54f2be22da0ff6642046f7a943410c188514b96c28d8a3b95e12 | Block |
| SHA-256 Hash | 4b5405d9acd00dd9225ffcec840a1752951be801d20ee1cab4ebde9ccd96916a | Block |
| SHA-256 Hash | 3fe29bf7e2c391d5405f8c6947cc42a6ec356fcf8455ce705dc23a156f5b450a | Block |
| MD5 Hash | 3adcf5fca3f4fe23a9b73951e20d43bc | Tax_Assessment_0609.zip |
| MD5 Hash | ba036fbf209b2dbdfec3fd3dee9b1798 | Tax_Assessment.img |
| MD5 Hash | c0796f2ee614e1711d5355ee42dcbf62 | libsvcs.dll |
| MD5 Hash | ac08e8f463e0fa4a431b74fd5d7f01a1 | Tax_Assessment.exe |
| Domain | harivo[.]vip | Fraudulent tax portal hosting malware distribution; monitor |
| IP Address | 103[.]231[.]12[.]27 | Hardcoded RAT C2 server on port 4444, geolocated Hong Kong; monitor |
| File Name | Tax_Assessment_0609.zip | Malicious ZIP archive delivering staged malware |
| File Name | Tax_Assessment.img | Malicious disk image file containing loader and DLL payload |
| File Name | Tax_Assessment.exe | PE loader executable; drops and executes libsvcs.dll |
| File Name | libsvcs.dll | Primary RAT-like DLL payload with C2, persistence, and recon capabilities |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
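The following is an added example, not code from the Cyfirma report or from Cyber Security News, showing how a security team could turn the IoC table above into a simple log sweep: the indicators are kept defanged in the script and refanged only in memory, and each line of proxy, firewall and EDR telemetry is checked for the domain, the C2 IP (with port 4444), the published hashes and file names. The sample log lines are constructed for this example and their field names (dst=, dport=, image=) are assumptions; the "execution from a drive letter other than C:" check is an added heuristic for files run out of a mounted disk image, not something the report describes.

```python
"""Sweep sample log lines for the IoCs published in this article (added example)."""
import re

# Indicators exactly as published, kept defanged; refanged only in memory.
DEFANGED_DOMAINS = ["harivo[.]vip"]
DEFANGED_C2_IPS = ["103[.]231[.]12[.]27"]
C2_PORT = 4444
HASHES = {  # SHA-256 and MD5 values from the IoC table, lowercase
    "372d7d8ca222e03afa5970848cf88efa6a3bc5146d20398601285fc7eaea6735",
    "f5dc1016679f54f2be22da0ff6642046f7a943410c188514b96c28d8a3b95e12",
    "4b5405d9acd00dd9225ffcec840a1752951be801d20ee1cab4ebde9ccd96916a",
    "3fe29bf7e2c391d5405f8c6947cc42a6ec356fcf8455ce705dc23a156f5b450a",
    "3adcf5fca3f4fe23a9b73951e20d43bc",
    "ba036fbf209b2dbdfec3fd3dee9b1798",
    "c0796f2ee614e1711d5355ee42dcbf62",
    "ac08e8f463e0fa4a431b74fd5d7f01a1",
}
FILE_NAMES = ["Tax_Assessment_0609.zip", "Tax_Assessment.img",
              "Tax_Assessment.exe", "libsvcs.dll"]


def refang(indicator: str) -> str:
    """Undo the [.] defanging used in the IoC table (in memory only)."""
    return indicator.replace("[.]", ".")


# Look-arounds stop 103.231.12.27 matching 103.231.12.270 and harivo.vip
# matching notharivo.vip.
DOMAIN_RE = [(refang(d), re.compile(r"(?<![\w.-])" + re.escape(refang(d)) + r"(?![\w-])", re.I))
             for d in DEFANGED_DOMAINS]
IP_RE = [(refang(ip), re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])"))
         for ip in DEFANGED_C2_IPS]
PORT_RE = re.compile(r"(?:dport|dst_port|port)=%d\b|:%d\b" % (C2_PORT, C2_PORT))
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{32}\b")
FILE_RE = [(n, re.compile(r"(?<![\w.])" + re.escape(n) + r"(?!\w)", re.I)) for n in FILE_NAMES]
# Assumed EDR field format image="<drive>:\<path>". A drive other than C: is a
# heuristic for a file run from a mounted .img (assumption, not from the report).
IMAGE_PATH_RE = re.compile(r'image="([A-Za-z]):\\([^"]+)"')


def scan_line(line: str) -> list:
    """Return the indicator hits for one log line (empty list if clean)."""
    hits = []
    for value, rx in DOMAIN_RE:
        if rx.search(line):
            hits.append(f"domain:{value}")
    for value, rx in IP_RE:
        if rx.search(line):
            # The C2 IP together with port 4444 is the strongest network signal.
            port = f":{C2_PORT}" if PORT_RE.search(line) else ""
            hits.append(f"c2_ip:{value}{port}")
    for h in HASH_RE.findall(line):
        if h.lower() in HASHES:
            hits.append(f"hash:{h.lower()}")
    for value, rx in FILE_RE:
        if rx.search(line):
            hits.append(f"file:{value}")
    m = IMAGE_PATH_RE.search(line)
    if m and m.group(1).upper() != "C":
        hits.append(f"non_system_drive:{m.group(1).upper()}")
    return hits


def scan(lines) -> list:
    """Return (index, hits) for every line that matched at least one indicator."""
    return [(i, h) for i, l in enumerate(lines) if (h := scan_line(l))]


SAMPLE_LOGS = [  # constructed for this example, not real telemetry
    "proxy 2025-10-01T09:12:03Z user=alice dst=harivo.vip "
    "url=https://harivo.vip/assessment/download status=200",
    "edr 2025-10-01T09:14:55Z event=process_create "
    'image="E:\\Tax_Assessment.exe" parent="C:\\Windows\\explorer.exe" '
    "md5=ac08e8f463e0fa4a431b74fd5d7f01a1",
    "edr 2025-10-01T09:14:58Z event=image_load "
    'image="E:\\libsvcs.dll" process="E:\\Tax_Assessment.exe"',
    "fw 2025-10-01T09:15:41Z action=allow proto=tcp src=10.0.4.23 "
    "dst=103.231.12.27 dport=4444",
    "fw 2025-10-01T09:16:10Z action=allow proto=tcp src=10.0.4.23 "
    "dst=142.250.74.46 dport=443",
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(found)}")
```

The four first sample lines each produce at least one hit (portal domain, loader execution from a non-C: drive plus its MD5, the DLL load, and the C2 connection on port 4444), while the ordinary HTTPS line stays clean. Matching on the raw hash and on `image=` paths both assume your EDR writes those fields into the log; adjust the regular expressions to your own telemetry schema.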
