Cybercriminals are distributing fake government tax notices to deliver malware to Windows users. The campaign targets taxpayers in India and ends with a remote access trojan running on the victim's machine.
Cyber Attack Strategy
The campaign impersonates the Indian Income Tax Department and tricks users into downloading what looks like an official assessment order. Once the user opens the download, a chain of stages runs that ends with the attackers holding remote access to the infected device.
Victims are directed to a fraudulent website built to resemble the genuine government portal. The site presents a fake assessment order padded with legal jargon and financial threats to create urgency. A prominent "Download Assessment Order & Workings" button delivers a malicious ZIP file dressed up as official documents.
Technical Details of the Malware
Researchers at Cyfirma detected the operation and noted the effort spent on making the lure look legitimate. The social engineering is paired with a multi-stage delivery chain (ZIP, disk image, loader, DLL) that keeps the real payload several steps away from the file the user actually downloads.
The ZIP contains a disk image named Tax_Assessment.img. Windows mounts an .img file as a virtual drive when it is double-clicked, which is why attackers favor the format: the executables sit one layer deeper than the download, and mounted image contents historically did not carry the Mark-of-the-Web that triggers SmartScreen warnings on files downloaded directly. Opening the image leads to a Remote Access Trojan (RAT) being installed on the Windows system, giving the attacker persistent control and the ability to conduct surveillance, steal data, and deliver further payloads.
The image holds two files, Tax_Assessment.exe and libsvcs.dll. The executable is a thin .NET loader: it reads the DLL and runs it through .NET reflection, loading the assembly into memory and invoking its entry point rather than linking to it normally, so the DLL that carries the core malicious code never appears as its own process on disk. Both files are obfuscated with ConfuserEx or a similar .NET obfuscator, which renames symbols and encrypts constants to frustrate static signatures.
The RAT talks to a hardcoded command-and-control server hosted in Hong Kong over an encrypted channel, so payload inspection on the wire yields little and defenders have to rely on destination, timing and volume instead. The domain hosting the fake tax portal was registered in September 2025; the researchers note that this recent registration complicates attribution, though for defenders a newly registered domain is itself a useful warning sign.
Implications and Defense Measures
The lure works because it exploits the anxiety of tax season. By pairing realistic branding with a multi-stage delivery chain, the attackers have built a trap that careful users can still fall into, and the exposure is not limited to individual taxpayers: an employee who opens the archive on a corporate machine hands the attacker a foothold inside the organization.
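The delivery shape described above (a ZIP wrapping a disk image that holds a .NET loader and its DLL) can be triaged offline without ever mounting the image. The script below is an added example written for this page, not Cyfirma's tooling or code from the campaign: it lists the ZIP, carves PE headers out of the raw image bytes, and checks each carved binary for .NET and ConfuserEx markers. The sample archive it builds is constructed test data with fake PE stubs, and the scoring weights and thresholds are assumptions chosen for illustration.

```python
"""Offline triage for a ZIP that wraps a disk image.

Steps:
  1. List the ZIP and flag disk-image containers (.img/.iso/.vhd/.vhdx).
  2. Carve PE headers out of the raw image bytes instead of mounting it.
  3. Check each carved PE for .NET and ConfuserEx markers.
The sample archive below is constructed stand-in data, not the real lure.
"""
import io
import struct
import zipfile

DISK_IMAGE_EXTS = (".img", ".iso", ".vhd", ".vhdx")
PE_EXTS = (".exe", ".dll")
# Managed binaries carry a CLR entry stub that imports mscoree.dll.
DOTNET_MARKERS = (b"mscoree.dll", b"_CorExeMain", b"_CorDllMain")
# ConfuserEx stamps protected assemblies with a custom attribute of this name.
CONFUSEREX_MARKER = b"ConfusedByAttribute"
# Illustrative weights (assumption): tune to your own environment.
WEIGHTS = {"disk_image": 3, "pe": 2, "dotnet": 1, "confuserex": 3, "multi_stage": 2}


def carve_pe_offsets(data: bytes) -> list[int]:
    """Offsets of plausible PE images in a raw blob.

    A candidate is an 'MZ' stub whose e_lfanew (DWORD at +0x3C) points at a
    'PE\\0\\0' signature inside the buffer.
    """
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def classify_pe(blob: bytes) -> dict:
    """Byte-level indicators for one carved or extracted PE."""
    return {
        "dotnet": any(m in blob for m in DOTNET_MARKERS),
        "confuserex": CONFUSEREX_MARKER in blob,
    }


def _record_pe(findings: dict, label: str, blob: bytes) -> None:
    flags = classify_pe(blob)
    findings["pe_files"].append({"name": label, **flags})
    findings["score"] += WEIGHTS["pe"]
    findings["score"] += WEIGHTS["dotnet"] if flags["dotnet"] else 0
    findings["score"] += WEIGHTS["confuserex"] if flags["confuserex"] else 0


def triage_zip(zip_bytes: bytes) -> dict:
    """Score a downloaded ZIP by the shape of what it contains."""
    findings = {"disk_images": [], "pe_files": [], "score": 0}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name, lname = info.filename, info.filename.lower()
            data = zf.read(info)
            if lname.endswith(DISK_IMAGE_EXTS):
                findings["disk_images"].append(name)
                findings["score"] += WEIGHTS["disk_image"]
                offsets = carve_pe_offsets(data)
                bounds = offsets + [len(data)]
                # Each carved PE runs from its header to the next header (or EOF).
                for start, end in zip(offsets, bounds[1:]):
                    _record_pe(findings, f"{name}@0x{start:x}", data[start:end])
                if len(offsets) >= 2:  # loader plus payload DLL in one image
                    findings["score"] += WEIGHTS["multi_stage"]
            elif lname.endswith(PE_EXTS) or data[:2] == b"MZ":
                _record_pe(findings, name, data)
    s = findings["score"]
    findings["verdict"] = "malicious" if s >= 8 else "suspicious" if s >= 2 else "clean"
    return findings


def _fake_pe(strings: bytes) -> bytes:
    """Minimal bytes that satisfy the carver: constructed test data, not a real binary."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 0x40 + strings + b"\x00" * 0x20


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure ZIP: one .img holding a loader and a DLL."""
    loader = _fake_pe(b"mscoree.dll\x00_CorExeMain\x00ConfusedByAttribute\x00libsvcs.dll")
    payload = _fake_pe(b"mscoree.dll\x00_CorDllMain\x00ConfusedByAttribute")
    image = b"\x00" * 512 + loader + b"\x00" * 64 + payload + b"\x00" * 256
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Tax_Assessment.img", image)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

Carving instead of mounting matters: mounting an untrusted image on an analysis box exposes the host to autorun-style tricks and to the same Mark-of-the-Web gap the attackers rely on, while a byte scan never executes anything. Against a real sample, replace build_sample_zip() with the bytes of the downloaded archive.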
Organizations should teach employees to verify tax-related communications through official channels rather than through links or attachments in the message itself. Recognizing manufactured urgency and checking the source are the first line of defense. If RAT activity is suspected, isolate the host from the network, preserve volatile evidence, and start a forensic investigation promptly.
Security teams should watch for unusual outbound traffic, in particular regular beaconing to unfamiliar or newly registered destinations, and block suspicious file executions, for example by restricting execution from mounted disk images and user-writable directories through application control. Awareness and education remain essential against phishing of this quality.
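Because the RAT's C2 traffic is encrypted, the monitoring the paragraph above calls for has to work from connection metadata. The script below is an added example, not something from Cyfirma or the campaign: it reads outbound connection records, groups them by internal host and destination, and flags pairs whose inter-connection gaps are unusually regular, the timing signature of a RAT polling a hardcoded server. The log format and every address and timestamp in it are constructed for the example; the thresholds (eight connections, coefficient of variation under 0.15) are assumptions to tune locally.

```python
"""Beacon detection over outbound connection logs.

Encrypted C2 defeats payload inspection, so this looks at what stays visible:
which internal host talks to which destination, how often, and how regularly.
A RAT polling a hardcoded server produces near-constant gaps between
connections; interactive browsing does not.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line: str):
    """Parse a constructed 'timestamp src dst:port bytes' log line."""
    ts, src, dst_port, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst_port.rsplit(":", 1)[0], int(nbytes)


def find_beacons(lines, min_connections: int = 8, max_cv: float = 0.15) -> list[dict]:
    """Flag (src, dst) pairs whose inter-connection gaps are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps; a low value
    means a fixed polling interval with only small jitter.
    """
    times = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse_line(line)
        times[(src, dst)].append(ts)
    alerts = []
    for (src, dst), seen in times.items():
        if len(seen) < min_connections:
            continue
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            alerts.append({"src": src, "dst": dst, "connections": len(seen),
                           "interval_s": round(mean), "cv": round(cv, 3)})
    return alerts


def constructed_log() -> list[str]:
    """Synthetic log: one host beaconing every ~60 s plus ordinary irregular browsing."""
    base = datetime(2025, 10, 1, 9, 0, 0)
    lines = []
    # Beacon: 60 s period with a second or two of jitter, as a polling RAT produces.
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 0, 2, -1, 0, 1, 0, -2, 1, 0, 1]
    for i, j in enumerate(jitter):
        t = base + timedelta(seconds=60 * i + j)
        lines.append(f"{t.isoformat()} 10.0.0.15 203.0.113.7:443 {400 + i % 5}")
    # Browsing from the same host: bursts and long idle periods.
    for g in [0, 7, 95, 130, 131, 600, 615, 1300]:
        t = base + timedelta(seconds=g)
        lines.append(f"{t.isoformat()} 10.0.0.15 198.51.100.20:443 {2000 + g}")
    # A second host with too few connections to judge.
    for g in [3, 400, 2000]:
        t = base + timedelta(seconds=g)
        lines.append(f"{t.isoformat()} 10.0.0.22 198.51.100.20:443 {1500 + g}")
    return sorted(lines)


if __name__ == "__main__":
    for alert in find_beacons(constructed_log()):
        print(alert)
```

On the constructed log only the 10.0.0.15 to 203.0.113.7 pair is flagged. In production, feed it proxy or firewall exports over a window of several hours, and treat a hit against a recently registered domain as high priority: that combination covers both of the network-side traits the researchers describe.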
