
CYFIRMA has identified a malware distribution campaign leveraging a fraudulent Indian Income Tax Department-themed lure to deliver a Remote Access Trojan (RAT)-like payload to targeted users. The campaign utilizes a convincing fake tax assessment notification hosted on the domain harivo[.]vip, designed to impersonate legitimate government communication and trick victims into downloading a malicious archive containing staged malware components.
The threat actors employ social engineering techniques by presenting a fake assessment order containing tax-related terminology, legal references, compliance requirements, and financial implications to create urgency and increase victim interaction. The downloaded archive contains a malicious disk image file (Tax_Assessment.img) that delivers a PE loader (Tax_Assessment.exe) and associated payload (libsvcs.dll).
Technical analysis revealed that Tax_Assessment.exe functions as a loader responsible for initiating execution of libsvcs.dll through .NET reflection mechanisms. Both components were protected using ConfuserEx obfuscation, indicating an attempt to hinder static analysis and evade traditional security detection mechanisms. The malware also employs defense-evasion techniques, including console window hiding, registry modification, spoofed assembly metadata, and misleading file information.
Further analysis of libsvcs.dll identified capabilities consistent with a Remote Access Trojan (RAT), including persistence mechanisms, system information discovery, user activity monitoring, dynamic payload execution, and encrypted Command-and-Control (C2) communication. The malware contains hardcoded C2 infrastructure pointing to 103[.]231[.]12[.]27:4444, along with an embedded encryption key used for socket-based communication.
The observed capabilities—including modular payload loading, encrypted communication, persistence mechanisms, and remote execution functionality—indicate that the campaign is designed to establish unauthorized access to and maintain control over compromised hosts. The activity highlights the continued abuse of trusted government and financial themes to distribute malware targeting users and organizations in India.
This report analyzes a malware campaign leveraging a fraudulent Indian Income Tax Department assessment notification to distribute a RAT-like malware payload targeting Windows environments. The campaign uses the domain harivo[.]vip to host a fake tax assessment portal designed to resemble official government communication.
The attack chain begins with a social engineering lure prompting victims to download a ZIP archive (Tax_Assessment_0609.zip) containing a supposed tax assessment document. Upon extraction, the archive delivers a malicious disk image file (Tax_Assessment.img) containing multiple malware components, including a loader executable (Tax_Assessment.exe) and a malicious DLL payload (libsvcs.dll).
The malware follows a multi-stage execution approach where the initial executable acts as a loader, dynamically loading the DLL payload and transferring execution through reflection-based techniques. Subsequent analysis identified RAT-like capabilities that enable persistence, host reconnaissance, command execution, and encrypted C2 communication.
The campaign demonstrates the continued effectiveness of government-themed impersonation techniques combined with malware obfuscation and modular payload delivery to bypass user awareness and security controls.
The malware distribution campaign leverages a counterfeit Income Tax Department assessment notice to target individuals and organizations in India. The threat actors host a fraudulent tax-themed website on the domain harivo[.]vip, designed to closely imitate the appearance, language, and structure of legitimate government tax communications.
The fake portal uses official-looking branding, tax-related terminology, assessment references, and compliance instructions to establish credibility and persuade victims to download a malicious archive disguised as official assessment documentation. The campaign relies on social engineering techniques to deliver a staged malware payload, ultimately deploying RAT-like malware capable of persistence, system reconnaissance, and remote communication.

The website presents a fabricated assessment order containing taxpayer information, legal references, financial penalties, and compliance instructions to establish credibility and create a sense of urgency. Victims are encouraged to interact with a button labeled “Download Assessment Order & Workings,” which initiates the download of a malicious ZIP archive under the guise of official tax documentation.

Basic Details:
| Target Technologies | Windows Operating System, ZIP Archive |
| Threat Type | Social Engineering Campaign |
| File Types | ZIP Archive (.zip), Portable Executable (.exe disguised as image file), Dynamic Link Library (.dll) |
| Key Malware Identifiers | Tax-themed lure, fraudulent Income Tax Department assessment notice, fake assessment portal, PE loader masquerading as image file (Tax_Assessment.img), DLL side-loading mechanism (libsvcs.dll), staged malware execution (Tax_Assessment.exe) |
| Observed First | 2026-12-06 |
| Impact | Data Exfiltration |
| MD5 Hashes | Tax_Assessment_0609.zip: 3adcf5fca3f4fe23a9b73951e20d43bc; Tax_Assessment.img: ba036fbf209b2dbdfec3fd3dee9b1798; libsvcs.dll: c0796f2ee614e1711d5355ee42dcbf62; Tax_Assessment.exe: ac08e8f463e0fa4a431b74fd5d7f01a1 |
1. Government-Themed Social Engineering Campaign
2. Multi-Stage Malware Delivery Chain Identified

3. Loader and Payload Separation
4. Anti-Analysis and Defense Evasion Techniques
Observed techniques include:
5. Suspicious Metadata Manipulation
6. RAT Capabilities Identified
The malware contains functionality for:
7. Encrypted C2 Communication
Observed C2 configuration:
IP: 103[.]231[.]12[.]27
Port: 4444
Location: Hong Kong
Embedded 32-byte encryption key:
03 AC 67 42 16 F3 E1 5C
76 1E E1 A5 E2 55 F0 67
95 36 23 C8 B3 88 B4 45
9E 13 F9 78 D7 C8 46 F4
8. XWorm RAT-Like Behavior Observed
The combination of:
is consistent with behaviors commonly observed in XWorm RAT-like malware families.
Initial Access and Delivery
In the initial stage, the victim downloads a malicious ZIP archive named “Tax_Assessment_0609.zip” from the fraudulent website.

Upon extraction of the ZIP archive, a malicious disk image file named “Tax_Assessment.img” is revealed. This IMG file acts as a container for multiple malware-related components and serves as the next-stage package responsible for delivering and facilitating the execution of the malicious payloads on the victim’s system.

Analysis of the Disk Image File
Analysis of the “Tax_Assessment.img” file revealed the presence of two malicious components associated with the next stage of the infection chain. The first component, “Tax_Assessment.exe”, is a Portable Executable (PE) file that functions as a loader, facilitating the execution of subsequent malicious payloads. The second component, “libsvcs.dll”, is a Dynamic Link Library (DLL) that serves as the primary malware payload and is loaded and executed by the loader component during the infection process.

Suspicious File Metadata Identified
Inspection of the version resource of Tax_Assessment.exe revealed the original filename loader.exe. The binary also carries unusual version metadata (Product Version/File Version: 0.0.0), which may indicate metadata tampering or incomplete build information.

Obfuscation in Tax_Assessment.exe and libsvcs.dll
The threat actor leveraged ConfuserEx to obfuscate Tax_Assessment.exe and libsvcs.dll, introducing additional complexity for analysis and obscuring malicious code paths from analysts and automated security tools.

Deobfuscated:
After deobfuscation, Tax_Assessment.exe was observed hiding its console window and modifying user registry settings. This behavior suggests defense-evasion techniques aimed at reducing visibility and supporting malicious execution.

Tax_Assessment.exe Loads libsvcs.dll via Reflection
During entry-point analysis, Tax_Assessment.exe was observed loading libsvcs.dll through Assembly.LoadFrom(). After successfully loading the assembly, the executable uses reflection to resolve the client.DllEntry class and invoke the Run method. This behavior indicates that Tax_Assessment.exe functions primarily as a loader, while the core malicious functionality resides within libsvcs.dll. The use of reflection adds an additional layer of obfuscation, making automated analysis and detection more challenging.

DLL Analysis:
Analysis of the DLL revealed modified assembly metadata intended to appear as a legitimate software component. The binary uses misleading identification details, such as “Runtime Service Host” and “Microsoft Corporation,” to blend with trusted Windows components, potentially reducing suspicion and increasing the chance of bypassing security detections.

Hardcoded C2 Infrastructure and Encrypted Communication Identified
Further analysis of the DLL revealed hardcoded Command-and-Control (C2) infrastructure, including the IP address 103[.]231[.]12[.]27 and port 4444. Additionally, the binary contains an embedded 32-byte constant likely used as a cryptographic key for socket communication, indicating encrypted C2 traffic. The embedded encryption key identified within the binary is:
Encryption Key (32 bytes):
03 AC 67 42 16 F3 E1 5C 76 1E E1 A5 E2 55 F0 67
95 36 23 C8 B3 88 B4 45 9E 13 F9 78 D7 C8 46 F4
The combination of a hardcoded C2 endpoint, custom encrypted socket communication, and RAT-like communication patterns is consistent with behavior commonly observed in XWorm RAT-like malware families.

Note: The IP address 103[.]231[.]12[.]27 was identified as the RAT’s hardcoded C2 server, geolocated to Hong Kong.
RAT-Like Capabilities Identified Through Utility Function Analysis
Further analysis of the Utils class revealed multiple functions associated with Remote Access Trojan (RAT) functionality. The binary contains capabilities for persistence, system information gathering, remote communication setup, and payload execution. Functions such as AddToStartupAdmin, AddToStartupNonAdmin, and SetAutoRun indicate startup persistence mechanisms, while GetWindowsVersion, GetSecurityInfo, HWID, IsAdmin, and GetIdleTime support host reconnaissance.
The presence of ConnectAndSetupAsync, socket-related handling, and dynamic method invocation functionality indicates the ability to establish remote communication and execute additional code/components, including potential DLL loading. These capabilities align with behavior commonly observed in RAT malware families.

Domain Analysis
The domain harivo[.]vip, registered on 25 September 2025 through Gname.com Pte. Ltd., is hosted on 38[.]76[.]161[.]218 and uses the name servers A6.SHARE-DNS.COM and B6.SHARE-DNS.NET. The domain is geolocated in Kwai Chung, New Territories, Hong Kong, and is assessed as potentially malicious due to its recent registration.

Based on the observed tactics, techniques, and procedures (TTPs), the activity is assessed to be associated with a financially motivated threat actor or malware distribution group leveraging social engineering techniques to target users and organizations.
The use of an Income Tax Department-themed lure indicates an attempt to exploit regional trust, regulatory concerns, and tax compliance activities to increase victim interaction. The campaign demonstrates a preference for establishing unauthorized remote access, potential data theft, and long-term control over compromised systems rather than immediate destructive operations.
The adoption of a modular loader-payload architecture, ConfuserEx obfuscation, spoofed assembly metadata, encrypted C2 communication, and persistence mechanisms indicates deliberate efforts to maintain operational stealth and evade security detection.
The observed infrastructure shows a potential China/Hong Kong linkage, as both the identified C2 infrastructure (103[.]231[.]12[.]27:4444) and the malware distribution domain (harivo[.]vip) were associated with Hong Kong-based hosting/geolocation data during analysis. However, infrastructure location alone does not confirm the threat actor’s origin, as adversaries frequently use third-party hosting, compromised infrastructure, or regional services to obscure attribution.
The RAT-like capabilities, encrypted communication, and similarities to XWorm-like malware families suggest the possible use of a commodity RAT or a customized variant derived from publicly available malware frameworks. Based on current evidence, attribution to a specific threat actor remains unconfirmed.
The analyzed campaign highlights the continued evolution of government-themed malware distribution operations, where threat actors abuse trusted institutions and regulatory processes to increase victim engagement. By impersonating the Income Tax Department, the operators leverage realistic tax-related communication, assessment references, compliance language, and financial pressure tactics to create urgency and convince victims to interact with malicious content.
The campaign demonstrates a structured multi-stage infection framework beginning with a fraudulent tax notification website (harivo[.]vip) that distributes a malicious archive disguised as official assessment documentation. The infection chain utilizes a staged payload delivery mechanism involving a ZIP archive, disk image container, executable loader (Tax_Assessment.exe), and DLL-based payload (libsvcs.dll). This modular approach allows the operators to separate delivery, execution, and payload functionality, increasing operational flexibility and reducing visibility during initial compromise.
Technical analysis identified multiple defense-evasion techniques, including ConfuserEx obfuscation, spoofed assembly metadata, hidden execution behavior, and reflection-based DLL loading. These mechanisms indicate a deliberate attempt to complicate reverse engineering, bypass static detection, and delay security analysis. The malware further demonstrates RAT-like functionality, including persistence mechanisms, host reconnaissance, remote execution capability, and encrypted Command-and-Control (C2) communication.
The identified C2 infrastructure (103[.]231[.]12[.]27:4444) and associated domain infrastructure show Hong Kong-based geolocation characteristics, indicating possible regional infrastructure overlap. However, such infrastructure usage alone does not establish attribution, as threat actors commonly rely on third-party hosting providers, rented infrastructure, or compromised systems to conceal their operational origin.
From a broader threat landscape perspective, this activity reflects the increasing adoption of commodity RATs and customized malware variants distributed through highly targeted social engineering campaigns. The combination of trusted-brand impersonation, malware obfuscation, encrypted communication, and persistence capabilities increases the likelihood of successful compromise and prolonged unauthorized access.
Organizations should maintain heightened monitoring of tax-related phishing activity, strengthen controls around externally sourced archives and executable files, and improve detection coverage for suspicious loader behavior, DLL execution chains, unusual registry modifications, and outbound communication to newly observed infrastructure.
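As an added example (not from the report or CYFIRMA's own tooling), the following Python correlates Sysmon-style events into the chain the report describes: a process whose on-disk name disagrees with its OriginalFilename or carries a 0.0.0 version, an unsigned DLL claiming Microsoft Corporation authorship, a Run-key write, and a connection to the report's C2 endpoint. Field names follow Sysmon conventions and the sample events are constructed; hosts, GUIDs and the benign contrast process are assumptions.

```python
import json
from collections import defaultdict

# Indicators taken from the report: hardcoded C2 endpoint, loader/payload file names,
# and the Run-key location used by the SetAutoRun/AddToStartup persistence helpers.
C2_ENDPOINTS = {("103.231.12.27", 4444)}
LOADER_NAMES = {"tax_assessment.exe"}
PAYLOAD_NAMES = {"libsvcs.dll"}
RUN_KEY_MARKER = "\\currentversion\\run\\"

# Constructed Sysmon-style events (JSON lines), not real telemetry. FIN-WS01 shows the
# full chain running from a mounted image (drive E:); HR-WS07 is benign activity.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "FIN-WS01", "ProcessGuid": "{A1}", "Image": "E:\\Tax_Assessment.exe", "OriginalFileName": "loader.exe", "FileVersion": "0.0.0"}
{"EventID": 7, "Computer": "FIN-WS01", "ProcessGuid": "{A1}", "ImageLoaded": "E:\\libsvcs.dll", "Company": "Microsoft Corporation", "Description": "Runtime Service Host", "Signed": "false"}
{"EventID": 13, "Computer": "FIN-WS01", "ProcessGuid": "{A1}", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Tax_Assessment"}
{"EventID": 3, "Computer": "FIN-WS01", "ProcessGuid": "{A1}", "DestinationIp": "103.231.12.27", "DestinationPort": 4444}
{"EventID": 1, "Computer": "HR-WS07", "ProcessGuid": "{B2}", "Image": "C:\\Program Files\\App\\app.exe", "OriginalFileName": "app.exe", "FileVersion": "3.1.0"}
{"EventID": 7, "Computer": "HR-WS07", "ProcessGuid": "{B2}", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Company": "Microsoft Corporation", "Signed": "true"}
{"EventID": 3, "Computer": "HR-WS07", "ProcessGuid": "{B2}", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
"""

def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Map one event to the chain stage it evidences, or None if unremarkable."""
    eid = ev.get("EventID")
    if eid == 1:  # process creation: loader run
        name = basename(ev.get("Image", ""))
        original = ev.get("OriginalFileName", "").lower()
        # Known loader name, OriginalFilename disagreeing with the on-disk name
        # (loader.exe shipped as Tax_Assessment.exe), or a 0.0.0 version resource.
        if name in LOADER_NAMES or (original and original != name) or ev.get("FileVersion") == "0.0.0":
            return "loader_execution"
    elif eid == 7:  # image load: payload DLL with spoofed vendor metadata
        name = basename(ev.get("ImageLoaded", ""))
        claims_microsoft = ev.get("Company") == "Microsoft Corporation"
        if name in PAYLOAD_NAMES or (claims_microsoft and ev.get("Signed") == "false"):
            return "spoofed_dll_load"
    elif eid == 13:  # registry value set: Run-key persistence
        if RUN_KEY_MARKER in ev.get("TargetObject", "").lower():
            return "run_key_persistence"
    elif eid == 3:  # network connection: hardcoded C2 endpoint
        if (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0))) in C2_ENDPOINTS:
            return "c2_connection"
    return None

def find_infection_chains(lines, min_stages=2):
    """Group stage hits by (host, process GUID); a single hit is a triage lead,
    min_stages or more distinct stages on one process is reported as a chain."""
    stages_by_process = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            stages_by_process[(ev.get("Computer"), ev.get("ProcessGuid"))].add(stage)
    return {key: sorted(stages) for key, stages in stages_by_process.items()
            if len(stages) >= min_stages}
```

Fed exported Sysmon JSON lines, find_infection_chains returns {(host, process GUID): [stages]}; on the constructed log only FIN-WS01 is reported, with all four stages on the same process.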
| Tactic | ID | Technique Name | Compacted Description |
| Initial Access | T1566.002 | Phishing: Spear phishing Link | Fraudulent Income Tax website → malicious archive download |
| Initial Access | T1189 | Drive-by Compromise | ZIP archive with malware delivered via fake portal |
| Execution | T1204.002 | User Execution: Malicious File | User downloads/executes Tax_Assessment.exe |
| Execution | T1218 | System Binary Proxy Execution | Mounted disk image (Tax_Assessment.img) stages execution |
| Execution | T1059 | Command and Scripting Interpreter | Reflection-based .NET dynamic execution |
| Execution | T1620 | Reflective Code Loading | Assembly.LoadFrom() loads libsvcs.dll |
| Stealth | T1027 | Obfuscated/Compressed Files | ConfuserEx obfuscation on EXE/DLL |
| Stealth | T1036 | Masquerading | Deceptive filenames/metadata impersonating tax docs |
| Stealth | T1036.005 | Match Legitimate Resource Name or Location | DLL metadata: "Runtime Service Host", "Microsoft Corporation" |
| Stealth | T1140 | Deobfuscate/Decode Files | Runtime decoding of protected assemblies |
| Stealth | T1564.003 | Hide Artifacts: Hidden Window | Console window hidden during execution |
| Stealth | T1112 | Modify Registry | Registry mods for execution/persistence |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | SetAutoRun, AddToStartupAdmin/NonAdmin |
| Persistence | T1053.005 | Scheduled Task | Scheduled-task persistence functionality |
| Discovery | T1082 | System Information Discovery | GetWindowsVersion() collects OS/host details |
| Discovery | T1518.001 | Security Software Discovery | GetSecurityInfo() enumerates security products |
| Discovery | T1033 | System Owner/User Discovery | User info collection during reconnaissance |
| Discovery | T1497.001 | Virtualization/Sandbox Evasion | Anti-analysis checks before execution |
| Command & Control | T1071.001 | Application Layer Protocol: Web Protocols | C2 via application-layer web communications |
| Command & Control | T1573 | Encrypted Channel | 32-byte embedded encryption key for C2 |
| Command & Control | T1105 | Ingress Tool Transfer | Dynamic payload loading/execution |
| Command & Control | T1219 | Remote Access Software | RAT functionality for remote access/command execution |
The analysis identifies a malware campaign leveraging a fake Income Tax Department-themed lure to distribute a RAT-like payload through a staged infection chain involving a malicious ZIP archive, disk image, loader (Tax_Assessment.exe), and DLL payload (libsvcs.dll).
The malware employs multiple evasion techniques, including ConfuserEx obfuscation, spoofed metadata, hidden execution, registry modification, and reflection-based DLL loading to hinder detection and analysis. The payload demonstrates RAT capabilities such as persistence, system discovery, remote execution, and encrypted C2 communication.
The presence of hardcoded C2 infrastructure (103[.]231[.]12[.]27:4444) and RAT-like functionality suggests the use of a commodity RAT or customized variant similar to XWorm RAT. Although Hong Kong-based infrastructure was identified, available evidence is insufficient for definitive threat actor attribution.
Organizations should strengthen phishing awareness, restrict suspicious file execution, monitor abnormal network activity, and apply endpoint detection controls to mitigate similar threats.
1. Email and Web Security Controls
2. File Execution Restrictions
3. Malware Detection and Endpoint Protection
4. Network Monitoring and C2 Detection
5. Persistence Monitoring
6. User Awareness
7. Threat Hunting Activities
8. Incident Response Readiness
9. Application Control
10. Continuous Threat Intelligence Monitoring
Refer to the IOCs section and apply the relevant security controls.
| S. No | Indicator | Remarks |
| 1 | 372d7d8ca222e03afa5970848cf88efa6a3bc5146d20398601285fc7eaea6735 | Block |
| 2 | f5dc1016679f54f2be22da0ff6642046f7a943410c188514b96c28d8a3b95e12 | Block |
| 3 | 4b5405d9acd00dd9225ffcec840a1752951be801d20ee1cab4ebde9ccd96916a | Monitor |
| 4 | 3fe29bf7e2c391d5405f8c6947cc42a6ec356fcf8455ce705dc23a156f5b450a | Block |
| 5 | harivo[.]vip | Monitor |
| 6 | 103[.]231[.]12[.]27 | Monitor |
import "hash"

rule Tax_Assessment_Malware_Campaign_IOC
{
    meta:
        description = "Detection rule for Tax Assessment themed malware campaign based on observed IOCs"
        author = "CYFIRMA"
        date = "2026-06-19"
    strings:
        // Domain IOC (ascii wide also covers UTF-16 strings inside .NET assemblies)
        $domain = "harivo.vip" ascii wide
        // IP IOC
        $ip = "103.231.12.27" ascii wide
        // File names
        $file1 = "Tax_Assessment_0609.zip" ascii wide
        $file2 = "Tax_Assessment.img" ascii wide
        $file3 = "libsvcs.dll" ascii wide
        $file4 = "Tax_Assessment.exe" ascii wide
        // Campaign-specific strings from the lure page
        $str1 = "Download Assessment Order & Workings" ascii wide
        $str2 = "NOTICE OF ASSESSMENT" ascii wide
        $str3 = "Income Tax Department" ascii wide
        $str4 = "Assessment Order for AY 2025-26" ascii wide
    condition:
        // SHA-256 IOCs are compared against the scanned object's own digest through the
        // hash module; a digest written as a plain string would only match if the hex
        // text itself appeared inside the file
        hash.sha256(0, filesize) == "372d7d8ca222e03afa5970848cf88efa6a3bc5146d20398601285fc7eaea6735" or
        hash.sha256(0, filesize) == "f5dc1016679f54f2be22da0ff6642046f7a943410c188514b96c28d8a3b95e12" or
        hash.sha256(0, filesize) == "4b5405d9acd00dd9225ffcec840a1752951be801d20ee1cab4ebde9ccd96916a" or
        hash.sha256(0, filesize) == "3fe29bf7e2c391d5405f8c6947cc42a6ec356fcf8455ce705dc23a156f5b450a" or
        $domain or
        $ip or
        any of ($file*) or
        3 of ($str*)
}