A new threat campaign is targeting Windows users in India by disguising malicious files as official income tax documents.
Researchers have tracked the operation under the name TAX#TRIDENT, and it has shown the ability to pivot across multiple delivery methods while keeping the same convincing tax lure intact.
The attack does not rely on any technical vulnerability. It only needs the victim to believe the file is real.
The campaign uses fake Indian Income Tax assessment pages built to push users into downloading what appears to be an official notice.
Once someone lands on the page, they see a download button for what looks like an important government document. Behind that button is a malicious file capable of fully compromising a Windows system.
Tax notices create urgency and can plausibly reach people across finance, legal, HR, or executive roles.
Securonix Threat Research, in a report shared with Cyber Security News (CSN), said TAX#TRIDENT runs three separate infection chains.
All three begin with the same fake tax theme but diverge after that, giving the attacker flexibility to switch routes if one gets blocked. Researchers Shikha Sangwan, Akshay Gaikwad, and Aaron Beardslee led the analysis.
What makes this campaign hard to stop is that it abuses signed, legitimate-looking software rather than obvious malicious files.
Two of the three branches end with a signed remote management client called ClientSetup, giving attackers persistent access to the infected machine.
The third branch silently enrolls the victim device into a real ManageEngine UEMS agent pointed at an attacker-controlled server. Tools relying only on file signatures can miss all three paths.
The campaign continues expanding while keeping earlier delivery routes active. What shifts with each wave is the delivery route, the decoy, and the final payload. That adaptability is what makes TAX#TRIDENT a persistent threat.
How Fake Tax Pages Deliver Malware
The first infection path starts at zyisykm.shop, a fake Indian Income Tax site. Clicking the download button pulls a ZIP archive named Assessment Letter.zip containing a signed Windows executable that installs a full remote management client.
The attacker embeds the server address directly inside the filename, so the installer reads its own name and writes that value into local configuration.
After execution, the installer creates a hidden directory under a Windows system folder and drops a fake svchost.exe alongside driver files named YtMiniFilter and ytdisk.
A second path uses a VBScript file called Assessment_Order.vbs, served across multiple fake tax domains, which silently relaunches, shows a decoy tax image, and installs the same ClientSetup payload in the background.
Despite different domains and server values, both executables share the exact same SHA256 hash, confirming the same core payload across both chains.
Defenders should not rely on domain or filename blocklists alone. Stronger behavioral signals include IP-addressed filenames, hidden directories under system folders, svchost.exe running from non-standard paths, and outbound traffic on ports 6671, 6681, and 6683.
The third chain abandons ClientSetup entirely. A PHP-looking URL at xhxz.info/download.php returns VBScript instead of a web page, staging follow-on files from Amazon S3 buckets.
One file named uacMC.png is not an image but a script that silently lowers UAC settings, removing elevation prompts before the final payload runs.
The chain downloads a full ManageEngine UEMS agent and installs it quietly with no visible interface. A configuration file named DCAgentServerInfo.json points the legitimate agent to an attacker server at 202.61.160.201 on port 8383.
The agent is signed and valid, but its destination is hijacked, turning a trusted enterprise tool into a silent remote access channel.
Securonix recommends avoiding downloads from unsolicited tax or penalty links no matter how official they appear.
Security teams should monitor script engines running files with web-style extensions, alert on svchost.exe executing from unusual directories, and flag UAC policy changes where ConsentPromptBehaviorAdmin is set to zero.
Detection must focus on behavioral signals rather than hashes, since this campaign rotates infrastructure while keeping its core tactics unchanged.
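As an added example (not code from the Securonix report or this article), the Python below applies the behavioural signals listed above to a handful of constructed Sysmon-style events: an IP glued to the front of a file name, svchost.exe outside System32/SysWOW64, a script host handed a file with an image or web extension, outbound traffic on ports 6671/6681/6683, and ConsentPromptBehaviorAdmin written to 0. The sample events, directory names and rule names are assumptions chosen to mirror the chains described, not captured telemetry.

```python
import re
from ipaddress import AddressValueError, IPv4Address
from pathlib import PureWindowsPath

# Constructed sample events loosely modelled on Sysmon process-create (1),
# network-connect (3) and registry-set (13) records; not real campaign data.
EVENTS = [
    {"id": 1, "image": r"C:\Users\ravi\Downloads\45.119.55.66ClientSetup.exe", "cmdline": ""},
    {"id": 1, "image": r"C:\Windows\SysWOW64\msres\svchost.exe", "cmdline": ""},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\Documents\MSUpdate_7\uacMC.png"'},
    {"id": 3, "image": r"C:\Windows\SysWOW64\msres\svchost.exe", "dst": "45.119.55.66", "port": 6681},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "details": "DWORD (0x00000000)"},
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},  # benign
    {"id": 3, "image": r"C:\Program Files\Browser\browser.exe", "dst": "203.0.113.9", "port": 443},  # benign
]

C2_PORTS = {6671, 6681, 6683}                      # ports the ClientSetup client talks on
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
IP_PREFIX = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?=[A-Za-z_])")
WEB_EXTS = (".png", ".jpg", ".gif", ".php", ".html", ".htm")

def ip_prefixed_filename(path):
    """Return the dotted-quad glued to the front of the file name, or None."""
    m = IP_PREFIX.match(PureWindowsPath(path).name)
    if not m:
        return None
    try:
        return str(IPv4Address(m.group(1)))     # rejects octets > 255
    except AddressValueError:
        return None

def svchost_outside_system_dirs(path):
    """True when svchost.exe runs from anywhere but the two real system folders (subfolders count)."""
    p = PureWindowsPath(path)
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in SYSTEM_DIRS

def script_host_with_web_extension(image, cmdline):
    """wscript/cscript handed a file whose extension claims to be an image or web page."""
    if PureWindowsPath(image).name.lower() not in {"wscript.exe", "cscript.exe"}:
        return False
    return any(tok.strip('"').lower().endswith(WEB_EXTS) for tok in cmdline.split())

def uac_prompt_disabled(target, details):
    """ConsentPromptBehaviorAdmin set to 0 removes the elevation prompt for administrators."""
    return target.lower().endswith("consentpromptbehavioradmin") and details.strip().endswith("(0x00000000)")

def triage(events):
    """Return (event index, rule name) pairs for every behavioural match, in event order."""
    hits = []
    for i, e in enumerate(events):
        if e["id"] == 1 and ip_prefixed_filename(e["image"]):
            hits.append((i, "ip_in_filename"))
        if e["id"] in (1, 3) and svchost_outside_system_dirs(e["image"]):
            hits.append((i, "svchost_nonstandard_path"))
        if e["id"] == 1 and script_host_with_web_extension(e["image"], e["cmdline"]):
            hits.append((i, "script_host_web_extension"))
        if e["id"] == 3 and e["port"] in C2_PORTS:
            hits.append((i, "clientsetup_c2_port"))
        if e["id"] == 13 and uac_prompt_disabled(e["target"], e["details"]):
            hits.append((i, "uac_admin_prompt_disabled"))
    return hits
```

Only the two benign events fall through; every other event trips at least one rule without reference to a hash, domain or exact file name.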
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| URL | https://zyisykm.shop/ | Fake Indian Income Tax assessment page (Chain 1 lure) |
| IP Address | 149.104.24.197 | Resolved IP for zyisykm.shop lure page |
| File Name | Assessment Letter.zip | Malicious ZIP archive delivered from lure page |
| File Name | 45.119.55.66ClientSetup.exe | Chain 1 ClientSetup installer; IP embedded in filename |
| SHA256 | 950AD7A33457A1A37A0797316CDD2FBAF9850F7165425274351D08B3C01ED2D8 | Hash shared by both Chain 1 and Chain 2 ClientSetup executables |
| IP Address | 45.119.55.66 | Chain 1 C2 server; contacted on ports 6671, 6681, 6683 |
| File Name | Assessment_Order.vbs | VBScript downloader used in Chain 2 |
| URL | https://gooomld.top/ | Fake tax domain serving Assessment_Order.vbs |
| URL | https://goolmor.cyou/ | Fake tax domain serving Assessment_Order.vbs |
| URL | https://fgsdol.icu/ | Fake tax domain serving Assessment_Order.vbs |
| URL | https://vsdnk.top/ | Fake tax domain serving Assessment_Order.vbs |
| URL | https://gooomoel.shop/ | Fake tax domain serving Assessment_Order.vbs |
| URL | https://tengxxi.com/216.250.104.166ClientSetup.exe | Chain 2 payload download URL |
| File Name | 216.250.104.166ClientSetup.exe | Chain 2 ClientSetup installer; alternate IP in filename |
| IP Address | 216.250.104.166 | Chain 2 C2 server |
| URL | https://xhxz.info/download.php | Chain 3 PHP-named VBScript endpoint |
| URL | https://sjdkjj23.s3.ap-southeast-1.amazonaws.com/uacMC.png | S3-hosted fake PNG/VBScript UAC modifier |
| URL | https://xijkwm2.s3.ap-southeast-1.amazonaws.com/1122.vbs | S3-hosted Chain 3 VBScript stage |
| URL | https://xijkwm2.s3.ap-southeast-1.amazonaws.com/8081.zip | S3-hosted ManageEngine UEMS agent bundle |
| File Name | uacMC.png | VBScript disguised as image; lowers UAC ConsentPromptBehaviorAdmin to 0 |
| File Name | DCAgentServerInfo.json | UEMS agent configuration pointing to attacker server |
| IP Address | 202.61.160.201 | Chain 3 attacker-controlled UEMS enrollment server |
| Network | 202.61.160.201:8383 | UEMS agent HTTPS communication port |
| Network | 202.61.160.201:8027 | UEMS recurring status/heartbeat channel |
| Directory | C:\Windows\SysWOW64\msres | Hidden client directory created by ClientSetup |
| Directory | C:\SystemUpdates | Chain 2 VBScript staging directory |
| Directory | C:\Users\Public\Documents\MSUpdate_* | Chain 3 staging directory created by VBScript |
| File Name | YTSysConfig.ini | ClientSetup runtime configuration file |
| File Name | YTSysConfig.ytf | ClientSetup secondary configuration file |
| Service Name | MANC | Windows service created for ClientSetup persistence |
| Driver Name | YtMiniFilter | Driver installed by ClientSetup for deep system access |
| Driver Name | ytdisk | Driver installed by ClientSetup for file/disk monitoring |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.