Cybercriminals are now using fake government tax notices to push dangerous malware onto Windows computers, and the tactic is proving alarmingly effective.
A newly uncovered campaign targets users in India by impersonating the Income Tax Department, tricking victims into downloading what appears to be an official assessment order.
The moment someone takes the bait, a chain of malicious events begins quietly, giving attackers full remote access to the infected machine.
The attack works by directing victims to a fraudulent website that closely mimics legitimate government tax communications. The site presents a fabricated assessment order filled with tax terminology, legal references, and financial penalties designed to create urgency.
At the center sits a button labeled “Download Assessment Order & Workings,” which initiates the download of a malicious ZIP file disguised as official documentation.
Researchers at Cyfirma identified this campaign and noted the threat actor went to significant lengths to make everything appear trustworthy.
Cyfirma said in a report shared with Cyber Security News (CSN) that the campaign leverages convincing social engineering paired with a multi-stage malware delivery chain to maximize success.
Once downloaded, the ZIP archive unpacks a disk image file named Tax_Assessment.img, which contains two core malicious components working together in a staged execution chain.

This ultimately installs a Remote Access Trojan, or RAT, on the victim’s Windows system. The end goal is to hand the attacker persistent remote control over the device, enabling surveillance, data theft, and further payload delivery.
The campaign is particularly alarming because it exploits the anxiety many people feel around tax compliance season. By combining realistic government branding with technical evasion, the attackers built a lure that can fool even cautious users.
The malware poses a serious threat to both individual taxpayers and organizations whose employees fall victim.
Fake Income Tax Assessment Notice
Once Tax_Assessment.img is opened, it drops two files onto the system: Tax_Assessment.exe and libsvcs.dll.
The executable is a loader that uses .NET reflection to load and run the DLL without holding the core malicious code itself. Both files were protected using ConfuserEx, an obfuscation tool that scrambles code to hinder detection by security software.
The loader hides its console window, modifies registry settings, and uses spoofed metadata to blend in with legitimate Windows components.
The DLL payload disguises itself as “Runtime Service Host” by Microsoft Corporation, a fake identity designed to avoid raising red flags with tools or users.

This level of disguise shows how carefully the threat actor engineered the malware to stay hidden throughout the infection process.
The DLL carries full RAT capabilities, including startup registration, scheduled task creation, system information collection, user activity monitoring, and encrypted communication back to the attacker.
Its behavior closely matches the XWorm RAT family, a commodity tool popular among financially motivated actors. This flexibility makes the malware well-suited for long-term unauthorized access to any machine it compromises.
Encrypted C2 Communication and Attacker Infrastructure
The malware communicates with a hardcoded command-and-control server at 103.231.12.27 over port 4444, geolocated in Hong Kong.
All traffic is encrypted using a 32-byte key embedded in the malicious DLL, making interception extremely difficult without prior knowledge of the key.
The fraudulent domain harivo[.]vip, which hosted the fake tax portal, was registered in September 2025 and is tied to the same Hong Kong-based infrastructure.
Cyfirma assesses the campaign as the work of a financially motivated actor, though firm attribution remains unconfirmed. Using third-party regional hosting is a common method attackers use to obscure their true origin.
Security teams should monitor outbound traffic to unknown external IPs and block execution of files delivered through downloaded archives or mounted disk images.
Organizations should train employees to verify tax-related communications through official government portals before downloading anything.
Recognizing urgent compliance messages and fake government prompts remains one of the most practical defenses available.
If RAT activity is confirmed, incident response teams should isolate the affected system immediately and collect forensic artifacts for thorough investigation.
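As an added example (not code from the article or from Cyfirma), the following Python runs the article's file-name, hash, domain and C2 indicators over a few constructed Sysmon-style event lines, the kind of check the monitoring advice above turns into a rule; the key=value event format and the E: drive letter standing for the mounted .img are assumptions.

```python
# Added example: match the article's IoCs against constructed endpoint telemetry.
import ipaddress
import ntpath

C2_IP, C2_PORT = "103.231.12.27", 4444        # from the article's table (re-fanged)
IOC_DOMAINS = {"harivo.vip"}
IOC_FILENAMES = {"tax_assessment_0609.zip", "tax_assessment.img",
                 "tax_assessment.exe", "libsvcs.dll"}
IOC_MD5 = {"3adcf5fca3f4fe23a9b73951e20d43bc", "ba036fbf209b2dbdfec3fd3dee9b1798",
           "c0796f2ee614e1711d5355ee42dcbf62", "ac08e8f463e0fa4a431b74fd5d7f01a1"}

def parse_event(line):
    """Parse one 'key=value key=value' record (assumed format, no spaces in values)."""
    return dict(kv.split("=", 1) for kv in line.split())

def match_event(ev):
    """Return the reasons an event matches the article's IoCs (empty list = no hit)."""
    reasons = []
    for key in ("image", "target", "loaded"):        # process, written file, loaded DLL
        name = ntpath.basename(ev.get(key, "")).lower()
        if name in IOC_FILENAMES:
            reasons.append(f"ioc-filename:{name}")
    if ev.get("md5", "").lower() in IOC_MD5:
        reasons.append("ioc-md5")
    if ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
        reasons.append("ioc-domain")
    if ev.get("type") == "NetworkConnect":
        dst, dport = ev.get("dst", "0.0.0.0"), int(ev.get("dport", 0))
        if dst == C2_IP:
            reasons.append("ioc-c2-ip")
        elif dport == C2_PORT and not ipaddress.ip_address(dst).is_private:
            reasons.append("hunt:external-port-4444")   # weaker signal, worth triage
    return reasons

def scan(lines):
    """Run every line through the matcher; return [(line_no, reasons)] for hits only."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = match_event(parse_event(line))
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample telemetry following the staged chain the article describes.
SAMPLE_EVENTS = [
    r"type=FileCreate image=C:\Windows\explorer.exe target=C:\Users\u\Downloads\Tax_Assessment_0609.zip",
    r"type=ProcessCreate image=E:\Tax_Assessment.exe parent=C:\Windows\explorer.exe md5=ac08e8f463e0fa4a431b74fd5d7f01a1",
    r"type=ImageLoad image=E:\Tax_Assessment.exe loaded=E:\libsvcs.dll",
    r"type=NetworkConnect image=E:\Tax_Assessment.exe dst=103.231.12.27 dport=4444",
    r"type=NetworkConnect image=C:\Users\u\AppData\Local\Firefox\firefox.exe dst=198.51.100.7 dport=443",
    r"type=DnsQuery image=C:\Users\u\AppData\Local\Firefox\firefox.exe query=harivo.vip",
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_EVENTS):
        print(f"line {n}: {', '.join(reasons)}")
```

The file-name and drive-letter hits fire even when the hashes change, which is the point of layering name, hash, domain and network indicators rather than relying on any one of them.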
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| SHA-256 Hash | 372d7d8ca222e03afa5970848cf88efa6a3bc5146d20398601285fc7eaea6735 | Block |
| SHA-256 Hash | f5dc1016679f54f2be22da0ff6642046f7a943410c188514b96c28d8a3b95e12 | Block |
| SHA-256 Hash | 4b5405d9acd00dd9225ffcec840a1752951be801d20ee1cab4ebde9ccd96916a | Block |
| SHA-256 Hash | 3fe29bf7e2c391d5405f8c6947cc42a6ec356fcf8455ce705dc23a156f5b450a | Block |
| MD5 Hash | 3adcf5fca3f4fe23a9b73951e20d43bc | Tax_Assessment_0609.zip |
| MD5 Hash | ba036fbf209b2dbdfec3fd3dee9b1798 | Tax_Assessment.img |
| MD5 Hash | c0796f2ee614e1711d5355ee42dcbf62 | libsvcs.dll |
| MD5 Hash | ac08e8f463e0fa4a431b74fd5d7f01a1 | Tax_Assessment.exe |
| Domain | harivo[.]vip | Fraudulent tax portal hosting malware distribution; monitor |
| IP Address | 103[.]231[.]12[.]27 | Hardcoded RAT C2 server on port 4444, geolocated Hong Kong; monitor |
| File Name | Tax_Assessment_0609.zip | Malicious ZIP archive delivering staged malware |
| File Name | Tax_Assessment.img | Malicious disk image file containing loader and DLL payload |
| File Name | Tax_Assessment.exe | PE loader executable; drops and executes libsvcs.dll |
| File Name | libsvcs.dll | Primary RAT-like DLL payload with C2, persistence, and recon capabilities |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.