CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

Hackers Use Fake Income Tax Assessment Pages to Infect Windows Systems

Cybersecurity News Archived May 21, 2026 ✓ Full text saved

A new threat campaign is targeting Windows users in India by disguising malicious files as official income tax documents. Researchers have tracked the operation under the name TAX#TRIDENT, and it has shown the ability to pivot across multiple delivery methods while keeping the same convincing tax lure intact. The attack does not rely on any […] The post Hackers Use Fake Income Tax Assessment Pages to Infect Windows Systems appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Hackers Use Fake Income Tax Assessment Pages to Infect Windows Systems By Tushar Subhra Dutta May 20, 2026 A new threat campaign is targeting Windows users in India by disguising malicious files as official income tax documents. Researchers have tracked the operation under the name TAX#TRIDENT, and it has shown the ability to pivot across multiple delivery methods while keeping the same convincing tax lure intact. The attack does not rely on any technical vulnerability. It only needs the victim to believe the file is real. The campaign uses fake Indian Income Tax assessment pages built to push users into downloading what appears to be an official notice. Once someone lands on the page, they see a download button for what looks like an important government document. Behind that button is a malicious file capable of fully compromising a Windows system. Tax notices create urgency and can plausibly reach people across finance, legal, HR, or executive roles. Securonix Threat Research, in a report shared with Cyber Security News (CSN), said TAX#TRIDENT runs three separate infection chains. All three begin with the same fake tax theme but diverge after that, giving the attacker flexibility to switch routes if one gets blocked. Researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee led the analysis. What makes this campaign hard to stop is that it abuses signed, legitimate-looking software rather than obvious malicious files. Two of the three branches end with a signed remote management client called ClientSetup, giving attackers persistent access to the infected machine. Attack chain (Source – Securonix) The third branch silently enrolls the victim device into a real ManageEngine UEMS agent pointed at an attacker-controlled server. Tools relying only on file signatures can miss all three paths. The campaign continues expanding while keeping earlier delivery routes active. What shifts with each wave is the delivery route, the decoy, and the final payload. That adaptability is what makes TAX#TRIDENT a persistent threat. How Fake Tax Pages Deliver Malware The first infection path starts at zyisykm.shop, a fake Indian Income Tax site. Clicking the download button pulls a ZIP archive named Assessment Letter.zip containing a signed Windows executable that installs a full remote management client. The attacker embeds the server address directly inside the filename, so the installer reads its own name and writes that value into local configuration. After execution, the installer creates a hidden directory under a Windows system folder and drops a fake svchost.exe alongside driver files named YtMiniFilter and ytdisk. A second path uses a VBScript file called Assessment_Order.vbs, served across multiple fake tax domains, which silently relaunches, shows a decoy tax image, and installs the same ClientSetup payload in the background. Despite different domains and server values, both executables share the exact same SHA256 hash, confirming the same core payload across both chains. Defenders should not rely on domain or filename blocklists alone. Stronger behavioral signals include IP-addressed filenames, hidden directories under system folders, svchost.exe running from non-standard paths, and outbound traffic on ports 6671, 6681, and 6683. When Signed Tools Become the Weapon The third chain abandons ClientSetup entirely. A PHP-looking URL at xhxz.info/download.php returns VBScript instead of a web page, staging follow-on files from Amazon S3 buckets. One file named uacMC.png is not an image but a script that silently lowers UAC settings, removing elevation prompts before the final payload runs. The chain downloads a full ManageEngine UEMS agent and installs it quietly with no visible interface. A configuration file named DCAgentServerInfo.json points the legitimate agent to an attacker server at 202.61.160.201 on port 8383. The agent is signed and valid, but its destination is hijacked, turning a trusted enterprise tool into a silent remote access channel. Securonix recommends avoiding downloads from unsolicited tax or penalty links no matter how official they appear. Security teams should monitor script engines running files with web-style extensions, alert on svchost.exe executing from unusual directories, and flag UAC policy changes where ConsentPromptBehaviorAdmin is set to zero. Detection must focus on behavioral signals rather than hashes, since this campaign rotates infrastructure while keeping its core tactics unchanged. Indicators of Compromise (IoCs):- Type Indicator Description URL https://zyisykm.shop/ Fake Indian Income Tax assessment page (Chain 1 lure) IP Address 149.104.24.197 Resolved IP for zyisykm.shop lure page File Name Assessment Letter.zip Malicious ZIP archive delivered from lure page File Name 45.119.55.66ClientSetup.exe Chain 1 ClientSetup installer; IP embedded in filename SHA256 950AD7A33457A1A37A0797316CDD2FBAF9850F7165425274351D08B3C01ED2D8 Hash shared by both Chain 1 and Chain 2 ClientSetup executables IP Address 45.119.55.66 Chain 1 C2 server; contacted on ports 6671, 6681, 6683 File Name Assessment_Order.vbs VBScript downloader used in Chain 2 URL https://gooomld.top/ Fake tax domain serving Assessment_Order.vbs URL https://goolmor.cyou/ Fake tax domain serving Assessment_Order.vbs URL https://fgsdol.icu/ Fake tax domain serving Assessment_Order.vbs URL https://vsdnk.top/ Fake tax domain serving Assessment_Order.vbs URL https://gooomoel.shop/ Fake tax domain serving Assessment_Order.vbs URL https://tengxxi.com/216.250.104.166ClientSetup.exe Chain 2 payload download URL File Name 216.250.104.166ClientSetup.exe Chain 2 ClientSetup installer; alternate IP in filename IP Address 216.250.104.166 Chain 2 C2 server URL https://xhxz.info/download.php Chain 3 PHP-named VBScript endpoint URL https://sjdkjj23.s3.ap-southeast-1.amazonaws.com/uacMC.png S3-hosted fake PNG/VBScript UAC modifier URL https://xijkwm2.s3.ap-southeast-1.amazonaws.com/1122.vbs S3-hosted Chain 3 VBScript stage URL https://xijkwm2.s3.ap-southeast-1.amazonaws.com/8081.zip S3-hosted ManageEngine UEMS agent bundle File Name uacMC.png VBScript disguised as image; lowers UAC ConsentPromptBehaviorAdmin to 0 File Name DCAgentServerInfo.json UEMS agent configuration pointing to attacker server IP Address 202.61.160.201 Chain 3 attacker-controlled UEMS enrollment server Network 202.61.160.201:8383 UEMS agent HTTPS communication port Network 202.61.160.201:8027 UEMS recurring status/heartbeat channel Directory C:\Windows\SysWOW64\msres\ Hidden client directory created by ClientSetup Directory C:\SystemUpdates\ Chain 2 VBScript staging directory Directory C:\Users\Public\Documents\MSUpdate_* Chain 3 staging directory created by VBScript File Name YTSysConfig.ini ClientSetup runtime configuration file File Name YTSysConfig.ytf ClientSetup secondary configuration file Service Name MANC Windows service created for ClientSetup persistence Driver Name YtMiniFilter Driver installed by ClientSetup for deep system access Driver Name ytdisk Driver installed by ClientSetup for file/disk monitoring Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News TeamPCP and BreachForums Hackers Running $1,000 Contest for Supply Chain Attacks Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks Hackers Compromise @antv Packages in Mini Shai-Hulud npm Attack Wave Packagist Urges Immediate Composer Update After GitHub Actions Token Leak Palo Alto PAN-OS 0-Day Exploited to Execute Arbitrary Code With Root Privileges on Firewalls Latest News Cyber Security News Trapdoor Android Ad Fraud Operation Uses 455 Malicious Apps to Generate Fake Clicks Cyber Security News DevilNFC Android Malware Uses Kiosk Mode to Trap Victims During NFC Relay Attacks Cyber Security News PinTheft Linux Vulnerability Let Attackers Gain Root Access – PoC Released ANY.RUN How to Close the Most Expensive Gap in Your SOC  Cyber Security News Grafana GitHub Breach Linked to TanStack npm Supply Chain Ransomware
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗