Hackers Use Tax Phishing Emails to Deploy In-Memory Malware on Windows Systems

Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.


Hackers are using fake tax notification emails to trick Windows users into downloading dangerous multi-stage malware that runs entirely in memory, leaving almost no trace behind.

The campaign, tracked as Operation TaxShadow, has been active since at least May 20, 2026, targeting individuals by impersonating official Indian government tax authorities.

The emails are crafted to create panic, warning recipients of financial penalties and demanding action before a deadline.

The attack begins with a convincingly designed email carrying the logos and language of a legitimate Indian tax enforcement body. Victims who click the link land on a fake government website nearly identical to the real one, complete with bilingual English and Hindi text.

From there, users are prompted to download a ZIP file described as an official tax document, which is actually a fully armed malware package ready to compromise their system.

Researchers at Cyfirma identified the campaign and found it extends beyond a single region. The same infrastructure behind the Indian tax phishing pages was also hosting fake Japanese government tax portals.

Cyfirma said in a report shared with Cyber Security News (CSN) that the combination of memory-resident malware, advanced evasion, and reused infrastructure signals a mature and well-resourced threat operation.

What makes this campaign especially dangerous is not just the social engineering but what happens after the malware lands. The payload runs almost entirely in memory, writing nothing to disk, so antivirus tools that rely on scanning files on disk have little to inspect.

The malware also maintains a persistent connection to attacker-controlled servers through traffic that blends with normal web activity.

The phishing emails passed authentication checks including SPF, DKIM, and DMARC because they were sent through a legitimate third-party email delivery service. Those checks only confirm that the sending service was authorized to send for its domain, not that the message content is benign, so the emails bypassed spam filters and reached inboxes without raising obvious red flags.


The malicious ZIP archive contains three files working in sequence: a launcher, a loader library called SbieDll.dll, and an encrypted payload named SbieDll.bin.

The launcher prepares the environment, checks the Windows version, and installs hooks into core system functions before handing control to the loader. Each file has a dedicated role, separating functionality and limiting exposure of the final payload.

Extracted contents of the malicious ZIP archive (Source – Cyfirma)

The loader, SbieDll.dll, relies on a technique called DLL search order hijacking. When loading a library, Windows checks an application’s own folder before the system folders, so placing the malicious DLL next to the launcher forces Windows to load it instead of the legitimate one.
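The search-order rule above can be modelled to audit a file inventory for side-loading layouts. The following is an added example (not code from the article or from Cyfirma): it resolves a DLL name the way Windows would for a process in a given directory, and flags DLLs that would be picked ahead of a same-named system DLL or that sit in a user-writable folder beside an executable. The inventory, the `launcher.exe` name, and the `version.dll` shadowing case are constructed; only `SbieDll.dll` and `SbieDll.bin` come from the report.

```python
import ntpath
from typing import Dict, Iterable, List, Optional

# Added example: a model of the Windows DLL search order used to flag
# search-order hijacking / side-loading candidates in a file inventory.
# The inventory and the launcher name are constructed, not data from the report.

# Simplified search order with SafeDllSearchMode enabled: the application's own
# directory is consulted before the system directories (the current directory and
# PATH, which come later in the real order, are omitted here).
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows")
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

APP_DIR = r"C:\Users\alice\Downloads\TaxNotice"  # constructed extraction folder
INVENTORY = [
    ntpath.join(APP_DIR, "launcher.exe"),   # constructed placeholder for the ZIP's launcher
    ntpath.join(APP_DIR, "SbieDll.dll"),    # loader DLL named in the report
    ntpath.join(APP_DIR, "SbieDll.bin"),    # encrypted payload named in the report
    ntpath.join(APP_DIR, "version.dll"),    # constructed: shadows a system DLL
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\CleanApp\clean.exe",
]


def resolve_dll(app_dir: str, dll_name: str, inventory: Iterable[str]) -> Optional[str]:
    """Return the path Windows would load for dll_name when the process's
    executable lives in app_dir, or None if no copy exists in any searched directory."""
    present = {p.lower(): p for p in inventory}
    for directory in (app_dir, *SYSTEM_DIRS):
        candidate = ntpath.join(directory, dll_name)
        if candidate.lower() in present:
            return present[candidate.lower()]
    return None


def hijack_candidates(app_dir: str, inventory: Iterable[str]) -> List[Dict[str, object]]:
    """Flag DLLs in app_dir that (a) would be picked ahead of a same-named DLL in a
    system directory, or (b) sit in a user-writable directory next to an executable,
    the side-loading layout of the ZIP described in the article."""
    inv = list(inventory)
    lowered = {p.lower() for p in inv}
    app_dir_l = app_dir.lower()
    exe_sibling = any(
        ntpath.dirname(p).lower() == app_dir_l and p.lower().endswith(".exe") for p in inv
    )
    findings = []
    for path in inv:
        directory, name = ntpath.split(path)
        if directory.lower() != app_dir_l or not name.lower().endswith(".dll"):
            continue
        shadows = [
            ntpath.join(d, name) for d in SYSTEM_DIRS if ntpath.join(d, name).lower() in lowered
        ]
        user_writable = any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)
        if shadows or (user_writable and exe_sibling):
            findings.append({"dll": path, "shadows": shadows, "user_writable": user_writable})
    return findings


if __name__ == "__main__":
    for finding in hijack_candidates(APP_DIR, INVENTORY):
        print(finding)
```

Run against a real inventory (for example the output of a file-listing collector), the two flags separate the classic case, a user-placed DLL shadowing a system DLL, from the side-loading case, where the DLL name is not a system DLL at all but the loading executable sits in the same user-writable folder.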

The loader then manipulates access tokens and removes permission barriers to prepare the environment for the final stage.

The final component, SbieDll.bin, carries the core payload encrypted with a modified RC4 cipher. Once decrypted at runtime, it loads directly into memory through Reflective PE Loading, meaning no file ever touches the disk. This is why conventional security products struggle to detect this threat.

WebSocket C2 Communication and Defense Evasion

Once active, the malware connects to its command-and-control server through WebSocket connections, a method normally used by legitimate web applications.

The session starts as a standard HTTP request and upgrades to a persistent channel, making traffic appear completely normal to network monitors.

The malware also supports HTTP CONNECT, routing communications through corporate proxies to bypass enterprise network controls.
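Both behaviours described above are visible at the proxy: the WebSocket handshake ends with an HTTP 101 response, and a CONNECT tunnel names its destination host and port. The following is an added example (not code from the article or from Cyfirma) that scans proxy log lines for an upgrade to a host outside a sanctioned list and for CONNECT tunnels to a raw IP or a non-standard port. The log format, the host names, the `ALLOWED_WS_HOSTS` allowlist and the addresses are constructed; only port 1234 comes from the report's IoC table.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: flags a WebSocket upgrade (HTTP 101) to a host that is not a known
# business endpoint, and an HTTP CONNECT tunnel to a raw IP or a non-standard port.
# The log format, hosts and addresses are constructed; port 1234 is from the report.

# Constructed log format: <timestamp> <client> <method> <target> <status> upgrade=<header|->
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) "
    r"(?P<status>\d{3}) upgrade=(?P<upgrade>\S+)$"
)
ALLOWED_WS_HOSTS = {"collab.example.com"}   # assumption: sanctioned WebSocket services
ALLOWED_CONNECT_PORTS = {443}                # assumption: tunnels are expected only for TLS
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

SAMPLE_LOG = """\
2026-05-21T10:02:11Z 10.0.0.15 GET https://collab.example.com/socket 101 upgrade=websocket
2026-05-21T10:02:13Z 10.0.0.15 GET http://cdn.example.net/app.js 200 upgrade=-
2026-05-21T10:02:15Z 10.0.0.27 GET http://updates.example.invalid/ws 101 upgrade=websocket
2026-05-21T10:02:16Z 10.0.0.27 CONNECT 203.0.113.45:1234 200 upgrade=-
2026-05-21T10:02:20Z 10.0.0.31 CONNECT mail.example.com:443 200 upgrade=-
"""


@dataclass
class Finding:
    ts: str
    client: str
    target: str
    reason: str


def host_and_port(method: str, target: str) -> Tuple[str, Optional[int]]:
    """Split a proxy target into host and port: CONNECT targets are host:port,
    other methods carry a URL whose default port follows the scheme."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, int(port) if port.isdigit() else None
    m = re.match(r"^(?P<scheme>https?|wss?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?", target)
    if not m:
        return target, None
    default = 443 if m.group("scheme") in ("https", "wss") else 80
    return m.group("host"), int(m.group("port") or default)


def inspect_line(line: str) -> List[Finding]:
    """Return the findings for one log line (empty for unparsable or benign lines)."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    method, target, status, upgrade = m["method"], m["target"], m["status"], m["upgrade"]
    host, port = host_and_port(method, target)
    findings = []
    # A successful upgrade turns a one-shot request into a persistent channel.
    if (status == "101" or upgrade.lower() == "websocket") and host not in ALLOWED_WS_HOSTS:
        findings.append(Finding(m["ts"], m["client"], target, "websocket upgrade to non-allowlisted host"))
    if method == "CONNECT":
        if IPV4.match(host):
            findings.append(Finding(m["ts"], m["client"], target, "CONNECT tunnel to raw IP"))
        if port not in ALLOWED_CONNECT_PORTS:
            findings.append(Finding(m["ts"], m["client"], target, f"CONNECT tunnel to non-standard port {port}"))
    return findings


def scan(log_text: str) -> List[Finding]:
    return [f for line in log_text.splitlines() if line.strip() for f in inspect_line(line)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.target}: {f.reason}")
```

The allowlist is the part that needs local tuning: collaboration and notification services use WebSockets legitimately, so the useful signal is an upgrade to a host nobody has sanctioned, combined with a tunnel to a bare IP on a port that is not 443.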

To resist analysis, the malware uses a Mersenne Twister-based polymorphic engine that varies its code and execution behavior from one infection to the next, making signature detection unreliable.

It applies Control Flow Flattening to scramble code structure and resolves Windows API calls at runtime through hashing, hiding its intent from static analysis.

Cyfirma found Chinese-language strings in the phishing page source code, including a phrase meaning “Official Tax Notice,” though researchers note this alone cannot confirm the attackers’ origin.

Cyfirma recommends ongoing security awareness training on phishing and government impersonation tactics.

Technical teams should deploy YARA and Sigma rules for DLL hijacking, reflective loading, and WebSocket C2 patterns, while enabling continuous memory monitoring to catch threats that bypass traditional defenses.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| Domain | guhxmg.com | Phishing infrastructure domain — Block |
| Domain | naiqja.icu | Phishing infrastructure domain — Block |
| Domain | zh-welcome-1xbet.com | Phishing infrastructure domain — Block |
| Subdomain | d.pc-weide.com | Phishing infrastructure subdomain — Block |
| Subdomain | taxations.cn-web-okooo.com | Phishing infrastructure subdomain — Block |
| Subdomain | taxations.indiagov.it.com | Government impersonation subdomain — Block |
| Domain | zhengfu666.com | Phishing infrastructure domain — Block |
| Domain | asdqxcdsa.icu | Phishing infrastructure domain — Block |
| Domain | appradarr.cc | Phishing infrastructure domain — Block |
| Domain | ws4962.com | Phishing infrastructure domain — Block |
| IP Address | 43[.]128[.]54[.]184 | C2 server address, port 1234 — Block |
| SHA-256 | 185b7a487316454da04e9cc0fe6eb370bb2955cf6096fe3e8c02c46f8989ba37 | Malware sample hash — Block |
| SHA-256 | 4c9061a07d667bf7dd6f597a43a8552af2f4277b7be06d6ea138abdb668d6a49 | Malware sample hash — Block |
| SHA-256 | 949acbe543fc244ffbc981ea169067da7c5792af3c3d19b2c31b3d7e19106880 | Malware sample hash — Block |
| SHA-256 | be31a63cad112723178289968ad6f93a576c5a7984099c42eec3521cdf6e5fc0 | Malware sample hash — Block |
| SHA-256 | 7d87a86dbd2379ef2516c99258137cd9c25ca19c48aeb096c5332c02fcbf16d0 | Malware sample hash — Block |
| MD5 | 3a8f6454927b8993aded75de0de2bd00 | कर ववरण.exe (Initial launcher) — Block |
| MD5 | e83ff54e58f0b295a392c7fc39a7d0de | SbieDll.dll (Polymorphic Loader DLL) — Block |
| MD5 | b498256cb086a6962077cdd6d2f65327 | SbieDll.bin (Encrypted Shellcode Payload) — Block |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
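Re-fanging inside a controlled pipeline is exactly what an IoC matcher does. The following is an added example (not code from the article or from Cyfirma) that loads a defanged copy of a few indicators from the table above, re-fangs them only in memory, and checks DNS and connection log lines for matches, treating any subdomain of a listed domain as a hit and distinguishing a connection on the listed C2 port from one on another port. The log format and the log lines are constructed; the indicators are taken from the table, written defanged here in line with the note above.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Added example: re-fangs indicators in memory and matches them against log lines.
# The log lines are constructed; the indicators are from the report's IoC table.

# Constructed, defanged copy of a subset of the table above: "<Type> <Indicator>".
IOC_TABLE = """\
Domain guhxmg[.]com
Domain naiqja[.]icu
Subdomain taxations[.]indiagov[.]it[.]com
Domain ws4962[.]com
IP 43[.]128[.]54[.]184:1234
"""

# Constructed log format: <timestamp> <client> dns <queried name> <record type>
#                         <timestamp> <client> conn <destination ip> <port>
# Sample values are kept defanged here so the example stays inert on the page;
# a real log is already fanged and refang() leaves it unchanged.
SAMPLE_LOG = """\
2026-05-21T09:58:02Z 10.0.0.27 dns taxations.indiagov.it.com A
2026-05-21T09:58:40Z 10.0.0.27 dns www.example.com A
2026-05-21T09:59:10Z 10.0.0.27 conn 43[.]128[.]54[.]184 1234
2026-05-21T09:59:12Z 10.0.0.31 dns cdn.ws4962[.]com A
2026-05-21T09:59:30Z 10.0.0.31 conn 198.51.100.7 443
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|conn) (?P<a>\S+) (?P<b>\S+)$")


def refang(value: str) -> str:
    """Reverse common defanging ([.], (.), hxxp). Only do this inside a controlled pipeline."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def load_iocs(table: str) -> Dict[str, set]:
    """Parse '<Type> <Indicator>' rows into a domain set and an (ip, port) set."""
    iocs: Dict[str, set] = {"domains": set(), "ips": set()}
    for line in table.splitlines():
        if not line.strip():
            continue
        kind, value = line.split(None, 1)
        value = refang(value.strip().lower())
        if kind in ("Domain", "Subdomain"):
            iocs["domains"].add(value)
        elif kind == "IP":
            ip, _, port = value.partition(":")
            iocs["ips"].add((ip, int(port) if port else None))
    return iocs


def domain_hit(name: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that name equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan(log_text: str, iocs: Dict[str, set]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, explanation) for every log line that matches an IoC."""
    hits = []
    for line in refang(log_text).splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m["kind"] == "dns":
            d = domain_hit(m["a"], iocs["domains"])
            if d:
                hits.append((m["ts"], m["src"], f"dns query {m['a']} matches listed domain {d}"))
        else:
            ip, port = m["a"], int(m["b"])
            for ioc_ip, ioc_port in iocs["ips"]:
                if ip == ioc_ip:
                    note = "C2 port" if port == ioc_port else f"port {port} (listed port {ioc_port})"
                    hits.append((m["ts"], m["src"], f"connection to listed IP {ip}:{port}, {note}"))
    return hits


if __name__ == "__main__":
    for ts, src, why in scan(SAMPLE_LOG, load_iocs(IOC_TABLE)):
        print(ts, src, why)
```

The subdomain check matters because phishing infrastructure rotates hostnames under a registered domain; an exact-match blocklist would miss `cdn.ws4962[.]com` while the suffix match above catches it. The IP check also reports contact on a different port, since the listed address remains attacker-controlled regardless of the port in use.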
