
Fake Income Tax Assessment Notice Delivers RAT-Like Malware to Windows Users

Cybersecurity News, archived Jun 24, 2026




By Tushar Subhra Dutta, June 24, 2026

Cybercriminals are now using fake government tax notices to push dangerous malware onto Windows computers, and the tactic is proving alarmingly effective. A newly uncovered campaign targets users in India by impersonating the Income Tax Department, tricking victims into downloading what appears to be an official assessment order. The moment someone takes the bait, a chain of malicious events begins quietly, giving attackers full remote access to the infected machine.

The attack works by directing victims to a fraudulent website that closely mimics legitimate government tax communications. The site presents a fabricated assessment order filled with tax terminology, legal references, and financial penalties designed to create urgency. At the center sits a button labeled “Download Assessment Order & Workings,” which initiates the download of a malicious ZIP file disguised as official documentation.

Researchers at Cyfirma identified this campaign and noted the threat actor went to significant lengths to make everything appear trustworthy. Cyfirma said in a report shared with Cyber Security News (CSN) that the campaign leverages convincing social engineering paired with a multi-stage malware delivery chain to maximize success.

Once downloaded, the ZIP archive unpacks a disk image file named Tax_Assessment.img, which contains two core malicious components working together in a staged execution chain.

[Figure: Fake portal uses official-looking branding (Source – Cyfirma)]

This ultimately installs a Remote Access Trojan, or RAT, on the victim’s Windows system. The end goal is to hand the attacker persistent remote control over the device, enabling surveillance, data theft, and further payload delivery.

The campaign is particularly alarming because it exploits the anxiety many people feel around tax compliance season. By combining realistic government branding with technical evasion, the attackers built a lure that can fool even cautious users. The malware poses a serious threat to both individual taxpayers and organizations whose employees fall victim.

Fake Income Tax Assessment Notice

Once Tax_Assessment.img is opened, it drops two files onto the system: Tax_Assessment.exe and libsvcs.dll. The executable is a loader that uses .NET reflection to load and run the DLL without holding the core malicious code itself. Both files were protected using ConfuserEx, an obfuscation tool that scrambles code to hinder detection by security software.

The loader hides its console window, modifies registry settings, and uses spoofed metadata to blend in with legitimate Windows components. The DLL payload disguises itself as “Runtime Service Host” by Microsoft Corporation, a fake identity designed to avoid raising red flags with tools or users.

[Figure: Multi-Stage Malware Delivery Chain (Source – Cyfirma)]

This level of disguise shows how carefully the threat actor engineered the malware to stay hidden throughout the infection process. The DLL carries full RAT capabilities, including startup registration, scheduled task creation, system information collection, user activity monitoring, and encrypted communication back to the attacker. Its behavior closely matches the XWorm RAT family, a commodity tool popular among financially motivated actors. This flexibility makes the malware well-suited for long-term unauthorized access to any machine it compromises.

Encrypted C2 Communication and Attacker Infrastructure

The malware communicates with a hardcoded command-and-control server at 103.231.12.27 over port 4444, geolocated in Hong Kong. All traffic is encrypted using a 32-byte key embedded in the malicious DLL, making interception extremely difficult without prior knowledge of the key.

The fraudulent domain harivo[.]vip, which hosted the fake tax portal, was registered in September 2025 and is tied to the same Hong Kong-based infrastructure. Cyfirma assesses the campaign as the work of a financially motivated actor, though firm attribution remains unconfirmed. Using third-party regional hosting is a common method attackers use to obscure their true origin.

Security teams should monitor outbound traffic to unknown external IPs and block execution of files delivered through downloaded archives or mounted disk images. Organizations should train employees to verify tax-related communications through official government portals before downloading anything. Recognizing urgent compliance messages and fake government prompts remains one of the most practical defenses available. If RAT activity is confirmed, incident response teams should isolate the affected system immediately and collect forensic artifacts for thorough investigation.

Indicators of Compromise (IoCs)

Type | Indicator | Description
SHA-256 Hash | 372d7d8ca222e03afa5970848cf88efa6a3bc5146d20398601285fc7eaea6735 | Block
SHA-256 Hash | f5dc1016679f54f2be22da0ff6642046f7a943410c188514b96c28d8a3b95e12 | Block
SHA-256 Hash | 4b5405d9acd00dd9225ffcec840a1752951be801d20ee1cab4ebde9ccd96916a | Block
SHA-256 Hash | 3fe29bf7e2c391d5405f8c6947cc42a6ec356fcf8455ce705dc23a156f5b450a | Block
MD5 Hash | 3adcf5fca3f4fe23a9b73951e20d43bc | Tax_Assessment_0609.zip
MD5 Hash | ba036fbf209b2dbdfec3fd3dee9b1798 | Tax_Assessment.img
MD5 Hash | c0796f2ee614e1711d5355ee42dcbf62 | libsvcs.dll
MD5 Hash | ac08e8f463e0fa4a431b74fd5d7f01a1 | Tax_Assessment.exe
Domain | harivo[.]vip | Fraudulent tax portal hosting malware distribution; monitor
IP Address | 103[.]231[.]12[.]27 | Hardcoded RAT C2 server on port 4444, geolocated Hong Kong; monitor
File Name | Tax_Assessment_0609.zip | Malicious ZIP archive delivering staged malware
File Name | Tax_Assessment.img | Malicious disk image file containing loader and DLL payload
File Name | Tax_Assessment.exe | PE loader executable; drops and executes libsvcs.dll
File Name | libsvcs.dll | Primary RAT-like DLL payload with C2, persistence, and recon capabilities

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
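The C2 section above recommends monitoring outbound traffic to unknown external IPs. The following is an added example, written for this page and not code from the report or from Cyfirma, that runs that check over a few constructed firewall-style log lines: it raises a high-severity alert for the hardcoded C2 address the report lists and a medium-severity one for any other egress on port 4444, while ignoring internal-to-internal traffic. The log line layout (`src=`, `dst=`, `proto=`, `action=` fields) and the internal address ranges are assumptions; every sample line is constructed.

```python
"""Flag outbound connections matching the C2 indicator described in the report.

Added example for this page; not code from the report or from Cyfirma.
The log layout (ISO timestamp, src=, dst=, proto=, action=) is an
assumption, and every sample line below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the report's IoC table. The table lists them
# defanged; they are refanged here because this runs offline on
# constructed data and never resolves or connects to anything.
C2_IP = "103[.]231[.]12[.]27".replace("[.]", ".")
C2_PORT = 4444

# Address space treated as internal (assumption: RFC 1918 plus loopback
# and link-local). Anything else counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed firewall export, not real traffic. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external hosts.
SAMPLE_LOGS = """\
2026-06-24T09:15:02Z src=10.20.4.17:51822 dst=203.0.113.50:443 proto=tcp action=allow
2026-06-24T09:15:09Z src=10.20.4.17:51830 dst=103.231.12.27:4444 proto=tcp action=allow
2026-06-24T09:15:11Z src=10.20.4.22:49712 dst=10.20.0.5:445 proto=tcp action=allow
2026-06-24T09:16:40Z src=10.20.4.31:52001 dst=198.51.100.9:4444 proto=tcp action=allow
2026-06-24T09:17:03Z src=10.20.4.31:52002 dst=192.168.7.9:4444 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


@dataclass
class Alert:
    timestamp: str
    src: str
    dst: str
    dport: int
    severity: str  # "high" for the known C2 address, "medium" for port-only matches
    reason: str


def is_external(ip: str) -> bool:
    """True when the address lies outside the internal ranges defined above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(log_text: str) -> list[Alert]:
    """Alert on egress to the known C2 address, or to any external host on
    the C2 port. Internal-to-internal traffic on that port is ignored so
    the port rule stays focused on outbound connections."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        dip, dport = m["dip"], int(m["dport"])
        if not is_external(dip):
            continue
        if dip == C2_IP:
            sev, reason = "high", "destination matches hardcoded RAT C2 indicator"
        elif dport == C2_PORT:
            sev, reason = "medium", "egress to external host on C2 port 4444; review"
        else:
            continue
        alerts.append(Alert(m["ts"], m["sip"], dip, dport, sev, reason))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOGS):
        print(f"[{a.severity}] {a.timestamp} {a.src} -> {a.dst}:{a.dport}  {a.reason}")
```

The port-only rule is deliberately lower severity: 4444 is a default in several commodity RAT builders, so a hit on it is a lead to triage, not proof of this campaign, while a match on the hardcoded address is.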
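The IoC table above gives hashes, file names and defanged network indicators, and the note says to re-fang only inside a controlled platform. As an added example, not code from the report or from Cyfirma, the script below parses rows in the table's "Type | Indicator | Description" form, refangs the domain and IP for machine comparison, and checks a directory's files by name, MD5 and SHA-256. The hash values and names in `IOC_TABLE` are copied from the report; the files that `demo()` creates are constructed stand-ins, and `payload.bin` has its own digest added to the set only to exercise a content match.

```python
"""Parse the report's IoC table, refang network indicators, and check files
against the listed hashes and names.

Added example for this page; not code from the report or from Cyfirma.
IOC_TABLE rows are copied from the report; the files built in demo() are
constructed stand-ins, not samples.
"""
import hashlib
import tempfile
from pathlib import Path

IOC_TABLE = """\
SHA-256 Hash | 372d7d8ca222e03afa5970848cf88efa6a3bc5146d20398601285fc7eaea6735 | Block
SHA-256 Hash | f5dc1016679f54f2be22da0ff6642046f7a943410c188514b96c28d8a3b95e12 | Block
MD5 Hash | 3adcf5fca3f4fe23a9b73951e20d43bc | Tax_Assessment_0609.zip
MD5 Hash | ba036fbf209b2dbdfec3fd3dee9b1798 | Tax_Assessment.img
MD5 Hash | c0796f2ee614e1711d5355ee42dcbf62 | libsvcs.dll
MD5 Hash | ac08e8f463e0fa4a431b74fd5d7f01a1 | Tax_Assessment.exe
Domain | harivo[.]vip | Fraudulent tax portal hosting malware distribution; monitor
IP Address | 103[.]231[.]12[.]27 | Hardcoded RAT C2 server on port 4444, geolocated Hong Kong; monitor
File Name | Tax_Assessment.img | Malicious disk image file containing loader and DLL payload
File Name | libsvcs.dll | Primary RAT-like DLL payload with C2, persistence, and recon capabilities
"""


def refang(indicator: str) -> str:
    """Undo the [.] defanging used in the table; only for offline comparison."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Re-apply [.] so an indicator can be pasted into a report safely."""
    return indicator.replace(".", "[.]")


def parse_iocs(table: str) -> dict[str, set[str]]:
    """Group indicators by type; hashes are lower-cased for comparison."""
    iocs: dict[str, set[str]] = {k: set() for k in ("sha256", "md5", "domain", "ip", "filename")}
    for line in table.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue  # header or malformed row
        kind, value, _description = parts
        if kind.startswith("SHA-256"):
            iocs["sha256"].add(value.lower())
        elif kind.startswith("MD5"):
            iocs["md5"].add(value.lower())
        elif kind == "Domain":
            iocs["domain"].add(refang(value))
        elif kind == "IP Address":
            iocs["ip"].add(refang(value))
        elif kind == "File Name":
            iocs["filename"].add(value)
    return iocs


def hash_file(path: Path) -> tuple[str, str]:
    """Stream the file once and return (md5, sha256) hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_dir(root: Path, iocs: dict[str, set[str]]) -> list[dict]:
    """Report files under root whose name, MD5 or SHA-256 is listed. A name
    match alone is weak evidence (files get renamed), so each hit records
    which fields matched and lets the caller rank them."""
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        md5, sha256 = hash_file(path)
        matched = [field for field, ok in (
            ("filename", path.name in iocs["filename"]),
            ("md5", md5 in iocs["md5"]),
            ("sha256", sha256 in iocs["sha256"]),
        ) if ok]
        if matched:
            hits.append({"name": path.name, "matched_on": matched, "sha256": sha256})
    return hits


def demo() -> list[dict]:
    """Scan a temporary directory of constructed files. payload.bin's digest
    is added to the set to show a content match; Tax_Assessment.img here is
    a stand-in that matches on name only."""
    iocs = parse_iocs(IOC_TABLE)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Tax_Assessment.img").write_bytes(b"constructed stand-in, not the real image")
        payload = b"constructed stand-in payload bytes"
        (root / "payload.bin").write_bytes(payload)
        (root / "notes.txt").write_bytes(b"benign constructed file")
        iocs["sha256"].add(hashlib.sha256(payload).hexdigest())
        return scan_dir(root, iocs)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['name']}: matched on {', '.join(hit['matched_on'])}")
```

Run it against a download directory or a mounted image's root instead of the temporary folder to triage a suspected host; a hash hit on any of the four SHA-256 values is the strongest signal, a name-only hit is a prompt to hash and compare.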