Hackers Use Fake Income Tax Assessment Pages to Infect Windows Systems

Originally published in Cyber Security News (cybersecuritynews.com).


A new threat campaign is targeting Windows users in India by disguising malicious files as official income tax documents.

Researchers have tracked the operation under the name TAX#TRIDENT, and it has shown the ability to pivot across multiple delivery methods while keeping the same convincing tax lure intact.

The attack does not rely on any technical vulnerability. It only needs the victim to believe the file is real.

The campaign uses fake Indian Income Tax assessment pages built to push users into downloading what appears to be an official notice.

Once someone lands on the page, they see a download button for what looks like an important government document. Behind that button is a malicious file capable of fully compromising a Windows system.

Tax notices create urgency and can plausibly reach people across finance, legal, HR, or executive roles.

Securonix Threat Research, in a report shared with Cyber Security News (CSN), said TAX#TRIDENT runs three separate infection chains.

All three begin with the same fake tax theme but diverge after that, giving the attacker flexibility to switch routes if one gets blocked. Researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee led the analysis.

What makes this campaign hard to stop is that it abuses signed, legitimate-looking software rather than obvious malicious files.

Two of the three branches end with a signed remote management client called ClientSetup, giving attackers persistent access to the infected machine.

[Figure: Attack chain (Source: Securonix)]

The third branch silently enrolls the victim device into a real ManageEngine UEMS agent pointed at an attacker-controlled server. Tools relying only on file signatures can miss all three paths.

The campaign continues expanding while keeping earlier delivery routes active. What shifts with each wave is the delivery route, the decoy, and the final payload. That adaptability is what makes TAX#TRIDENT a persistent threat.

How Fake Tax Pages Deliver Malware

The first infection path starts at zyisykm[.]shop, a fake Indian Income Tax site. Clicking the download button pulls a ZIP archive named Assessment Letter.zip containing a signed Windows executable that installs a full remote management client.

The attacker embeds the server address directly inside the filename, so the installer reads its own name and writes that value into local configuration.

After execution, the installer creates a hidden directory under a Windows system folder and drops a fake svchost.exe alongside driver files named YtMiniFilter and ytdisk.

A second path uses a VBScript file called Assessment_Order.vbs, served across multiple fake tax domains, which silently relaunches, shows a decoy tax image, and installs the same ClientSetup payload in the background.

Despite different domains and server values, both executables share the exact same SHA256 hash, confirming the same core payload across both chains.

Defenders should not rely on domain or filename blocklists alone. Stronger behavioral signals include IP-addressed filenames, hidden directories under system folders, svchost.exe running from non-standard paths, and outbound traffic on ports 6671, 6681, and 6683.

The third chain abandons ClientSetup entirely. A PHP-looking URL at xhxz[.]info/download.php returns VBScript instead of a web page, staging follow-on files from Amazon S3 buckets.

One file named uacMC.png is not an image but a script that silently lowers UAC settings, removing elevation prompts before the final payload runs.

The chain downloads a full ManageEngine UEMS agent and installs it quietly with no visible interface. A configuration file named DCAgentServerInfo.json points the legitimate agent to an attacker server at 202[.]61[.]160[.]201 on port 8383.

The agent is signed and valid, but its destination is hijacked, turning a trusted enterprise tool into a silent remote access channel.

Securonix recommends avoiding downloads from unsolicited tax or penalty links no matter how official they appear.

Security teams should monitor script engines running files with web-style extensions, alert on svchost.exe executing from unusual directories, and flag UAC policy changes where ConsentPromptBehaviorAdmin is set to zero.

Detection must focus on behavioral signals rather than hashes, since this campaign rotates infrastructure while keeping its core tactics unchanged.
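The behavioural signals named above (a server address embedded in an installer's filename, svchost.exe running from or being written to a non-standard path, outbound connections on the ClientSetup and UEMS ports, a script host opening a file with an image or PHP extension, and ConsentPromptBehaviorAdmin being set to 0) can be expressed as a few rules over endpoint telemetry. The Python below is an added example written for this article; it is not Securonix's detection content and not code from the report. The event dictionaries are a constructed, simplified Sysmon-like shape whose field names (`type`, `image`, `cmdline`, `target`, `value`, `dst_ip`, `dst_port`, `outbound`) are assumptions, and the sample events are constructed from the indicators in the IoC list rather than captured telemetry; the UEMS agent path in the sample is a placeholder.

```python
"""Behavioural triage rules for the TAX#TRIDENT tradecraft described in the article.

Added example, not Securonix's or CSN's code. Event records use a constructed,
Sysmon-like dict shape; the field names are assumptions, not a real schema.
"""
import re
from typing import Callable, Dict, List, Optional

# Dotted quad glued to the front of an executable name, e.g. 45.119.55.66ClientSetup.exe
IP_PREFIXED_EXE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})[a-z][\w-]*\.exe$")
# The only two paths a genuine svchost.exe image should have
SVCHOST_ALLOWED = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}
# Ports named in the article: ClientSetup C2 (6671/6681/6683) and the hijacked UEMS agent (8383/8027)
SUSPECT_PORTS = {6671: "ClientSetup C2", 6681: "ClientSetup C2", 6683: "ClientSetup C2",
                 8383: "UEMS agent HTTPS", 8027: "UEMS heartbeat"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe"}
# A script host loading something that claims to be an image or a PHP page (uacMC.png, download.php)
WEB_STYLE_ARG = re.compile(r'\.(?:png|jpe?g|gif|php|html?)(?=["\s]|$)')
UAC_ADMIN_PROMPT = r"\policies\system\consentpromptbehavioradmin"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def embedded_server(filename: str) -> Optional[str]:
    """Return the IPv4 address an IP-prefixed installer name carries, if any."""
    m = IP_PREFIXED_EXE.match(_basename(filename))
    return m.group(1) if m else None


def check_process(ev: Dict) -> List[str]:
    alerts = []
    image = ev["image"].lower()
    name = _basename(image)
    server = embedded_server(name)
    if server:
        alerts.append(f"ip-in-filename: {name} carries server address {server}")
    if name == "svchost.exe" and image not in SVCHOST_ALLOWED:
        alerts.append(f"svchost-nonstandard-path: {image}")
    if name in SCRIPT_ENGINES and WEB_STYLE_ARG.search(ev.get("cmdline", "").lower()):
        alerts.append(f"script-engine-web-extension: {ev['cmdline']}")
    return alerts


def check_network(ev: Dict) -> List[str]:
    port = int(ev["dst_port"])
    if ev.get("outbound", True) and port in SUSPECT_PORTS:
        return [f"suspect-port: {ev['image']} -> {ev['dst_ip']}:{port} ({SUSPECT_PORTS[port]})"]
    return []


def check_registry(ev: Dict) -> List[str]:
    # ConsentPromptBehaviorAdmin = 0 means "elevate without prompting" for administrators
    if ev["target"].lower().endswith(UAC_ADMIN_PROMPT) and str(ev.get("value")).strip() in {"0", "0x0", "0x00000000"}:
        return [f"uac-prompt-disabled: {ev['image']} set ConsentPromptBehaviorAdmin=0"]
    return []


def check_file_create(ev: Dict) -> List[str]:
    # A genuine svchost.exe is never written at runtime; a copy anywhere else is a dropped fake
    path = ev["target"].lower()
    if _basename(path) == "svchost.exe" and path not in SVCHOST_ALLOWED:
        return [f"svchost-dropped: {ev['image']} wrote {path}"]
    return []


CHECKS: Dict[str, Callable[[Dict], List[str]]] = {
    "process_create": check_process, "network_connect": check_network,
    "registry_set": check_registry, "file_create": check_file_create,
}


def triage(events: List[Dict]) -> List[str]:
    alerts: List[str] = []
    for ev in events:
        alerts.extend(CHECKS.get(ev["type"], lambda e: [])(ev))
    return alerts


INSTALLER = r"C:\Users\victim\Downloads\Assessment Letter\45.119.55.66ClientSetup.exe"
FAKE_SVCHOST = r"C:\Windows\SysWOW64\msres\svchost.exe"
SAMPLE_EVENTS = [  # constructed from the article's indicators; not real telemetry
    {"type": "process_create", "image": INSTALLER, "cmdline": ""},
    {"type": "file_create", "image": INSTALLER, "target": FAKE_SVCHOST},
    {"type": "process_create", "image": FAKE_SVCHOST, "cmdline": ""},
    {"type": "network_connect", "image": FAKE_SVCHOST, "dst_ip": "45.119.55.66", "dst_port": 6671, "outbound": True},
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\Documents\MSUpdate_1\uacMC.png"'},
    {"type": "registry_set", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin", "value": 0},
    {"type": "network_connect", "image": r"C:\ProgramData\UEMS_Agent\agent.exe",  # placeholder agent path
     "dst_ip": "202.61.160.201", "dst_port": 8383, "outbound": True},
    # benign noise that must not alert
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "network_connect", "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "10.0.0.5", "dst_port": 443, "outbound": True},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run over the constructed events it raises seven alerts, one per malicious event, and stays quiet on the two benign svchost.exe events. The `embedded_server` rule is the useful one operationally: because the installer derives its server from its own name, the filename itself yields the address to block before any network traffic is seen, whichever domain or hash the current wave uses.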

Indicators of Compromise (IoCs)

| Type | Indicator | Description |
|---|---|---|
| URL | https://zyisykm[.]shop/ | Fake Indian Income Tax assessment page (Chain 1 lure) |
| IP Address | 149[.]104[.]24[.]197 | Resolved IP for zyisykm[.]shop lure page |
| File Name | Assessment Letter.zip | Malicious ZIP archive delivered from lure page |
| File Name | 45.119.55.66ClientSetup.exe | Chain 1 ClientSetup installer; IP embedded in filename |
| SHA256 | 950AD7A33457A1A37A0797316CDD2FBAF9850F7165425274351D08B3C01ED2D8 | Hash shared by both Chain 1 and Chain 2 ClientSetup executables |
| IP Address | 45[.]119[.]55[.]66 | Chain 1 C2 server; contacted on ports 6671, 6681, 6683 |
| File Name | Assessment_Order.vbs | VBScript downloader used in Chain 2 |
| URL | https://gooomld[.]top/ | Fake tax domain serving Assessment_Order.vbs |
| URL | https://goolmor[.]cyou/ | Fake tax domain serving Assessment_Order.vbs |
| URL | https://fgsdol[.]icu/ | Fake tax domain serving Assessment_Order.vbs |
| URL | https://vsdnk[.]top/ | Fake tax domain serving Assessment_Order.vbs |
| URL | https://gooomoel[.]shop/ | Fake tax domain serving Assessment_Order.vbs |
| URL | https://tengxxi[.]com/216.250.104.166ClientSetup.exe | Chain 2 payload download URL |
| File Name | 216.250.104.166ClientSetup.exe | Chain 2 ClientSetup installer; alternate IP in filename |
| IP Address | 216[.]250[.]104[.]166 | Chain 2 C2 server |
| URL | https://xhxz[.]info/download.php | Chain 3 PHP-named VBScript endpoint |
| URL | https://sjdkjj23.s3.ap-southeast-1.amazonaws[.]com/uacMC.png | S3-hosted fake PNG/VBScript UAC modifier |
| URL | https://xijkwm2.s3.ap-southeast-1.amazonaws[.]com/1122.vbs | S3-hosted Chain 3 VBScript stage |
| URL | https://xijkwm2.s3.ap-southeast-1.amazonaws[.]com/8081.zip | S3-hosted ManageEngine UEMS agent bundle |
| File Name | uacMC.png | VBScript disguised as image; lowers UAC ConsentPromptBehaviorAdmin to 0 |
| File Name | DCAgentServerInfo.json | UEMS agent configuration pointing to attacker server |
| IP Address | 202[.]61[.]160[.]201 | Chain 3 attacker-controlled UEMS enrollment server |
| Network | 202[.]61[.]160[.]201:8383 | UEMS agent HTTPS communication port |
| Network | 202[.]61[.]160[.]201:8027 | UEMS recurring status/heartbeat channel |
| Directory | C:\Windows\SysWOW64\msres | Hidden client directory created by ClientSetup |
| Directory | C:\SystemUpdates | Chain 2 VBScript staging directory |
| Directory | C:\Users\Public\Documents\MSUpdate_* | Chain 3 staging directory created by VBScript |
| File Name | YTSysConfig.ini | ClientSetup runtime configuration file |
| File Name | YTSysConfig.ytf | ClientSetup secondary configuration file |
| Service Name | MANC | Windows service created for ClientSetup persistence |
| Driver Name | YtMiniFilter | Driver installed by ClientSetup for deep system access |
| Driver Name | ytdisk | Driver installed by ClientSetup for file/disk monitoring |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
