Listen to this Post
Introduction
A sophisticated phishing campaign currently targeting Indian taxpayers and organizations leverages a counterfeit Income Tax Department assessment notice to deliver a multi-stage Remote Access Trojan (RAT) payload. The attackers have registered the fraudulent domain harivo[.]vip, hosted on Hong Kong-based infrastructure, to host a fake tax assessment portal that closely mimics official government communications. By exploiting the anxiety surrounding tax compliance season and combining realistic government branding with technical evasion techniques, this campaign presents a serious threat to both individuals and enterprise environments.
Learning Objectives
- Understand the complete attack chain from phishing lure to RAT deployment, including the role of disk image files and DLL side-loading
- Master technical indicators of compromise (IOCs) including file hashes, C2 infrastructure, and obfuscation techniques used by the threat actor
- Learn practical detection, mitigation, and response strategies to defend Windows environments against this and similar tax-themed phishing campaigns
You Should Know
- Anatomy of the Attack Chain: From Tax Notice to Full Remote Access
The campaign begins with a social engineering lure—a phishing email or direct web page impersonating the Indian Income Tax Department. Victims are directed to the fraudulent portal at harivo[.]vip, which presents a fabricated assessment order filled with tax terminology, legal references, and financial penalties designed to create urgency. A prominently displayed button labeled “Download Assessment Order & Workings” initiates the download of a malicious ZIP archive, typically named Tax_Assessment_0609.zip.
Once extracted, the ZIP archive unpacks a disk image file named Tax_Assessment.img. Disk image files (.img) are particularly dangerous because Windows treats them as mountable volumes; when opened, they appear as a new drive letter in File Explorer, making the malicious contents seem innocuous. Within this image reside two core malicious components:
- Tax_Assessment.exe – A PE loader responsible for initiating execution
- libsvcs.dll – The malicious DLL payload containing full RAT capabilities
The executable functions as a loader that uses .NET reflection to dynamically load and execute the DLL without holding the core malicious code itself. This technique allows the malware to bypass static analysis and evade signature-based detection.
Technical Deep Dive: What Happens When Tax_Assessment.img Is Mounted
When a user double-clicks the .img file, Windows automatically mounts it as a virtual drive. The mounted volume contains the two malicious files. Here is what happens next:
Step 1: The user (or an autorun trigger) executes Tax_Assessment.exe
Step 2: The loader performs the following actions:
- Hides its console window to avoid detection
- Modifies Windows registry settings for persistence
- Uses spoofed metadata to blend in with legitimate Windows components
Step 3: Through .NET reflection, the loader invokes methods within libsvcs.dll, transferring execution control to the RAT payload
Step 4: The DLL payload, disguised as “Runtime Service Host” by Microsoft Corporation, establishes persistence mechanisms including:
– Startup registration
– Scheduled task creation
– System information collection
– User activity monitoring
Step 5: The malware establishes encrypted Command-and-Control (C2) communication with a hardcoded server at 103.231.12.27 over port 4444
All C2 traffic is encrypted using a 32-byte key embedded in the malicious DLL, making interception extremely difficult without prior knowledge of the key.
Indicators of Compromise (IOCs)
| Type | Indicator |
||–|
| Domain | harivo[.]vip |
| C2 IP | 103.231.12.27 |
| C2 Port | 4444 |
| File Names | Tax_Assessment_0609.zip, Tax_Assessment.img, Tax_Assessment.exe, libsvcs.dll |
| Obfuscation | ConfuserEx |
| RAT Family | XWorm-like capabilities |
Windows Commands for IOC Hunting
Check for suspicious scheduled tasks
Get-ScheduledTask | Where-Object {$<em>.TaskName -like "tax" -or $</em>.TaskName -like "assessment"}
Search for recently created .img files in Downloads
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter ".img" | Sort-Object LastWriteTime -Descending
Check for outbound connections to known C2
netstat -ano | findstr "103.231.12.27"
Search registry for persistence mechanisms
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Recurse
Get-ChildItem -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Recurse
Find ConfuserEx-obfuscated .NET assemblies (indicator of evasion)
Get-ChildItem -Path C:\ -Filter ".exe" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
try {
$bytes = [System.IO.File]::ReadAllBytes($<em>.FullName)
if ($bytes -match "ConfuserEx") { Write-Host $</em>.FullName }
} catch {}
}
2. Defense Evasion and Obfuscation Techniques
The threat actors have invested significant effort in making the malware difficult to detect and analyze. Both Tax_Assessment.exe and libsvcs.dll are protected using ConfuserEx, an open-source .NET obfuscation tool that scrambles code to hinder static analysis and evade traditional security detection mechanisms.
Beyond obfuscation, the malware employs multiple defense-evasion techniques:
- Console window hiding: Prevents visible command prompts from alerting the user
- Registry modifications: Alters system settings to maintain stealth
- Spoofed assembly metadata: Makes the DLL appear as a legitimate Microsoft component
- Misleading file information: Disguises malicious files as official documentation
The DLL payload’s behavior closely matches the XWorm RAT family, a commodity tool popular among financially motivated actors. This flexibility makes the malware well-suited for long-term unauthorized access to compromised machines.
Linux Commands for Network Analysis (for security analysts)
While the malware targets Windows, security analysts often use Linux-based analysis environments. Here are useful commands:
DNS lookup for malicious domain dig harivo.vip WHOIS information whois harivo.vip Check if IP is in known threat feeds curl -s https://api.abuseipdb.com/api/v2/check?ipAddress=103.231.12.27 Extract strings from suspicious files (when analyzing samples) strings Tax_Assessment.exe | grep -i "http|https|.com|.vip|socket|encrypt" Monitor network connections on a compromised Windows host from Linux (using Zeek/Bro) Assuming pcap capture: zeek -r capture.pcap | grep "103.231.12.27"
- The Role of DLL Side-Loading and .NET Reflection
The attack chain leverages two sophisticated techniques that make detection particularly challenging: DLL side-loading and .NET reflection.
DLL Side-Loading is a technique where a legitimate executable loads a malicious DLL by placing it in the same directory and exploiting the Windows DLL search order. In this campaign, Tax_Assessment.exe (the loader) is designed to load libsvcs.dll from its current directory. The DLL masquerades as “Runtime Service Host” with metadata spoofed to appear as if signed by Microsoft Corporation.
.NET Reflection is the mechanism used to actually execute the malicious code. Instead of the loader directly calling functions from the DLL (which would be easier to detect), it uses .NET’s reflection APIs to:
1. Load the DLL into memory without traditional library loading
2. Discover methods and classes within the DLL at runtime
3. Invoke malicious methods dynamically
This approach means the core malicious code never appears in the loader’s import table, evading static analysis tools that scan for suspicious API calls.
PowerShell Commands for Detecting Reflection-Based Attacks
Monitor for .NET reflection usage (requires elevated privileges)
Enable .NET ETW events
logman create trace ".NET_Reflection_Trace" -p "Microsoft-Windows-DotNETRuntime" 0x10 0x4 -o "C:\Logs\net_trace.etl" -ets
Check for assemblies loaded from unusual locations
[System.AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {
if ($<em>.Location -like "Downloads" -or $</em>.Location -like "Temp") {
Write-Host "Suspicious assembly loaded: $($_.Location)"
}
}
Search for ConfuserEx strings in memory (forensic)
Get-Process | ForEach-Object {
try {
$mem = [System.Diagnostics.Process]::GetProcessById($<em>.Id)
$mem.Modules | ForEach-Object {
if ($</em>.FileName -match "ConfuserEx") {
Write-Host "Potential obfuscated module in process $($mem.ProcessName)"
}
}
} catch {}
}
4. C2 Infrastructure and Encrypted Communication
The malware communicates with a hardcoded C2 server at 103.231.12.27 over port 4444. The infrastructure is geolocated in Hong Kong, and the fraudulent domain harivo[.]vip was registered in September 2025 and tied to the same Hong Kong-based infrastructure.
All network traffic between the compromised host and the C2 server is encrypted using a 32-byte key embedded in the malicious DLL. This encryption makes network-based detection extremely difficult without prior knowledge of the key or behavioral analysis of the traffic patterns.
Network Security Measures
For Windows administrators using Windows Firewall:
Block outbound connections to known C2 IP New-1etFirewallRule -DisplayName "Block C2 IP 103.231.12.27" ` -Direction Outbound ` -Action Block ` -RemoteAddress "103.231.12.27" ` -Protocol Any Block port 4444 outbound (if not used legitimately) New-1etFirewallRule -DisplayName "Block Port 4444 Outbound" ` -Direction Outbound ` -Action Block ` -RemotePort 4444 ` -Protocol TCP Log blocked connections for monitoring Set-1etFirewallProfile -All -LogBlocked True -LogFileName "C:\Windows\System32\LogFiles\Firewall\pfirewall.log"
For network administrators (Cisco IOS-style ACL):
! Block access to known malicious IP access-list 100 deny ip any host 103.231.12.27 access-list 100 permit ip any any ! Apply to outbound interface interface GigabitEthernet0/0 ip access-group 100 out
5. Detection Strategies for Security Teams
Given the sophistication of this campaign, security teams should implement a multi-layered detection approach:
Endpoint Detection and Response (EDR) Rules
Monitor for the following behavioral patterns:
- Mounting of .img files from user download folders – Legitimate .img files are rarely downloaded by end users
- Execution of .NET assemblies from Temp or Downloads folders – This is a common malware technique
- Outbound connections to port 4444 on IP addresses in Hong Kong – Unusual for legitimate business traffic
- Registry modifications creating startup entries for unknown executables
5. Scheduled task creation with tax-related names
Windows Event Log Monitoring
Query Security logs for process creation (Event ID 4688)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |
Where-Object {$<em>.Properties[bash].Value -like "Downloads" -or $</em>.Properties[bash].Value -like "Temp"} |
Select-Object TimeCreated, @{N='Process';E={$_.Properties[bash].Value}} |
Sort-Object TimeCreated -Descending
Query System logs for service installation (Event ID 7045)
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} |
Where-Object {$<em>.Properties[bash].Value -like "tax" -or $</em>.Properties[bash].Value -like "assessment"} |
Select-Object TimeCreated, @{N='ServiceName';E={$<em>.Properties[bash].Value}},
@{N='ImagePath';E={$</em>.Properties[bash].Value}}
Check PowerShell operational logs for suspicious activity
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
Where-Object {$<em>.Message -match "Reflection" -or $</em>.Message -match "Assembly.Load"} |
Select-Object TimeCreated, Message
YARA Rule for Detection
rule Tax_Assessment_RAT {
meta:
description = "Detects Tax_Assessment.img malware components"
author = "Security Research"
date = "2026-06-24"
reference = "CYFIRMA Research"
strings:
$s1 = "Tax_Assessment.exe" wide ascii
$s2 = "libsvcs.dll" wide ascii
$s3 = "Runtime Service Host" wide ascii
$s4 = "ConfuserEx" wide ascii
$s5 = "103.231.12.27" ascii
$s6 = "YTSysConfig" ascii
$hash1 = {4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00}
condition:
(uint16(0) == 0x5A4D) and (1 of ($s)) or $hash1
}
6. Incident Response and Mitigation
If RAT activity is suspected, security teams should follow this response流程:
Immediate Actions:
- Isolate the compromised system from the network to prevent further C2 communication and lateral movement
- Preserve forensic evidence – Capture memory dumps, collect logs, and image the hard drive
- Identify the initial infection vector – Trace the phishing email or website that led to the download
- Remove persistence mechanisms – Delete scheduled tasks, startup entries, and registry keys associated with the malware
Step-by-Step Remediation:
1. Terminate malicious processes Stop-Process -1ame "Tax_Assessment" -Force -ErrorAction SilentlyContinue <ol> <li>Delete malicious files Remove-Item -Path "$env:USERPROFILE\Downloads\Tax_Assessment.zip" -Force -ErrorAction SilentlyContinue Remove-Item -Path "$env:USERPROFILE\Downloads\Tax_Assessment.img" -Force -ErrorAction SilentlyContinue Remove-Item -Path "$env:TEMP\Tax_Assessment" -Force -Recurse -ErrorAction SilentlyContinue</p></li> <li><p>Remove persistence entries Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -1ame "RuntimeServiceHost" -ErrorAction SilentlyContinue Remove-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -1ame "RuntimeServiceHost" -ErrorAction SilentlyContinue</p></li> <li><p>Delete scheduled tasks Unregister-ScheduledTask -TaskName "Tax" -Confirm:$false -ErrorAction SilentlyContinue Unregister-ScheduledTask -TaskName "Assessment" -Confirm:$false -ErrorAction SilentlyContinue</p></li> <li><p>Flush DNS cache to remove any malicious domain resolutions ipconfig /flushdns</p></li> <li><p>Reset network stack netsh int ip reset netsh winsock reset
Long-Term Measures:
- Employee education – Train staff to verify tax-related communications through official channels and recognize false urgency
- Email filtering – Implement advanced spam filters that detect tax-themed phishing attempts
- Application whitelisting – Restrict execution of .img files and unknown executables from user directories
- Network segmentation – Limit lateral movement capabilities for compromised workstations
- Regular security awareness training – Especially during tax season when such campaigns peak
What Undercode Say
-
Key Takeaway 1: The use of disk image files (.img) as an infection vector represents a growing trend in malware distribution. Windows’ automatic mounting behavior makes these files particularly dangerous because users rarely suspect that a mounted drive could contain malware. Security teams must educate users about this risk and implement policies to block or monitor .img file execution.
-
Key Takeaway 2: The combination of .NET reflection, DLL side-loading, and ConfuserEx obfuscation demonstrates that threat actors are increasingly adopting techniques that bypass traditional signature-based detection. Organizations must shift toward behavioral detection and invest in EDR solutions capable of identifying suspicious patterns like reflection-based loading and unusual process relationships.
Analysis: This campaign is particularly concerning because it exploits the trust that citizens place in government institutions during tax season. The attackers have invested significant effort in creating a convincing replica of the Income Tax Department’s communication style, complete with legal references and compliance instructions. This level of sophistication suggests the threat actor is well-funded and potentially state-affiliated or part of a organized cybercriminal group. The use of Hong Kong-based infrastructure and the registration of the domain in September 2025 indicates advance planning and preparation.
The malware’s RAT capabilities—including surveillance, data theft, and additional payload delivery—pose risks beyond initial compromise. Once installed, the attacker can monitor user activity, steal sensitive financial information, and use the compromised system as a pivot point for further network intrusion. Organizations in India, particularly those handling sensitive financial data, should treat this campaign as a high-priority threat.
Furthermore, the campaign’s success highlights a broader issue: the effectiveness of government-themed phishing attacks. Similar campaigns have been observed targeting other countries, suggesting that this is not an isolated incident but part of a global trend. Security researchers have identified related campaigns using the same tax lure theme with different delivery mechanisms, including VBScript downloaders and PHP-1amed VBS endpoints.
The financial motivation behind this campaign is evident from the choice of targeting taxpayers and organizations during tax season. However, the sophistication of the techniques used suggests the actors may have connections to more advanced threat groups. Attribution remains challenging, but the tooling and infrastructure point toward financially motivated actors with significant resources.
Prediction
- +1 This campaign will likely accelerate the adoption of behavioral-based security solutions in Indian organizations, particularly in the financial sector. The visibility generated by this attack will drive investment in EDR and next-generation antivirus solutions.
-
-1 The success of this campaign will encourage threat actors to replicate this template in other countries during their respective tax seasons, leading to a global wave of government-themed phishing attacks using similar techniques.
-
-1 We will likely see the emergence of new variants using different file formats (ISO, VHD, VHDX) to achieve the same goal, as defenders begin to monitor .img files more aggressively. Attackers will adapt by changing the file extension while maintaining the same attack chain.
-
+1 Increased awareness of this campaign will lead to better collaboration between government agencies and private sector security teams in India, resulting in faster takedown of fraudulent domains and improved threat intelligence sharing.
-
-1 Smaller organizations and individual taxpayers without enterprise-grade security solutions remain highly vulnerable to this threat. The attackers will likely continue to target these less-protected victims, leading to a significant number of unreported compromises.
▶️ Related Video (72% Match):
https://www.youtube.com/watch?v=6KBCbAGMAN4
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Varshu25 Income – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
