Hackers are using fake tax notification emails to trick Windows users into downloading dangerous multi-stage malware that runs entirely in memory, leaving almost no trace behind.
The campaign, tracked as Operation TaxShadow, has been active since at least May 20, 2026, targeting individuals by impersonating official Indian government tax authorities.
The emails are crafted to create panic, warning recipients of financial penalties and demanding action before a deadline.
The attack begins with a convincingly designed email carrying the logos and language of a legitimate Indian tax enforcement body. Victims who click the link land on a fake government website nearly identical to the real one, complete with bilingual English and Hindi text.
From there, users are prompted to download a ZIP file described as an official tax document, which is actually a fully armed malware package ready to compromise their system.
Researchers at Cyfirma identified the campaign and found it extends beyond a single region. The same infrastructure behind the Indian tax phishing pages was also hosting fake Japanese government tax portals.
Cyfirma said in a report shared with Cyber Security News (CSN) that the combination of memory-resident malware, advanced evasion, and reused infrastructure signals a mature and well-resourced threat operation.
What makes this campaign especially dangerous is not just the social engineering but what happens after the malware lands. The payload runs almost entirely in memory and writes nothing to disk, which sidesteps antivirus tools that rely on scanning files on disk.
The malware also maintains a persistent connection to attacker-controlled servers through traffic that blends with normal web activity.
The phishing emails passed authentication checks including SPF, DKIM, and DMARC because they were sent through a legitimate third-party email delivery service. This allowed them to bypass spam filters and reach inboxes without raising obvious red flags.
Hackers Use Tax Phishing Emails
The malicious ZIP archive contains three files working in sequence: a launcher, a loader library called SbieDll.dll, and an encrypted payload named SbieDll.bin.
The launcher prepares the environment, checks the Windows version, and installs hooks into core system functions before handing control to the loader. Each file has a dedicated role, separating functionality and limiting exposure of the final payload.
The loader, SbieDll.dll, relies on a technique called DLL Search Order Hijacking. By default, Windows looks in an application’s own folder before the system folders when resolving a library that is not already loaded or on the KnownDLLs list, so placing a malicious DLL with the expected name next to the launcher causes Windows to load it instead of the legitimate one.
The loader then manipulates access tokens and removes permission barriers to prepare the environment for the final stage.
The final component, SbieDll.bin, carries the core payload encrypted with a modified RC4 cipher. Once decrypted at runtime, it loads directly into memory through Reflective PE Loading, meaning no file ever touches the disk. This is why conventional security products struggle to detect this threat.
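The detection opportunity in the layout just described (an unsigned DLL sitting in a user-writable folder beside the executable that loads it) can be turned into a simple rule over image-load telemetry. The following is an added example written for this article, not code from Cyfirma or from the article; it models the fields of Sysmon Event ID 7 (Image Loaded) and the list of user-writable directories is an assumption you should extend for your own environment. The sample events are constructed.

```python
import ntpath
import re
from typing import Iterable, List, Optional

# Constructed sample events modelled on the fields of Sysmon Event ID 7 (Image Loaded).
# The values are made up for this example; the second event mirrors the layout the
# article describes (a launcher with SbieDll.dll beside it in a user-writable folder).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\Downloads\tax\launcher.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\tax\SbieDll.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\AppData\Local\Vendor\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Vendor\helper.dll", "Signed": "true"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\x.dll", "Signed": "false"},
]

# Directories an unprivileged user can write to (assumed list; extend for your estate).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|documents|appdata)|windows\\temp|temp)\\",
    re.IGNORECASE,
)


def assess_image_load(event: dict) -> Optional[dict]:
    """Return a finding for one ImageLoad event, or None if it looks benign.

    Rule: an unsigned DLL loaded from a user-writable directory is suspicious;
    if it also sits in the same directory as the loading executable, that is the
    classic search-order hijack / sideloading layout and the severity goes up.
    """
    loaded = event["ImageLoaded"]
    if not loaded.lower().endswith(".dll"):
        return None
    if not USER_WRITABLE.match(loaded):
        return None
    if event.get("Signed", "false").lower() == "true":
        return None
    same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(event["Image"]).lower()
    return {
        "process": event["Image"],
        "dll": ntpath.basename(loaded),
        "severity": "high" if same_dir else "medium",
        "reason": "unsigned DLL loaded from user-writable path"
                  + (" beside the loading executable" if same_dir else ""),
    }


def scan_image_loads(events: Iterable[dict]) -> List[dict]:
    """Run the rule over a stream of events and keep only the findings."""
    return [f for f in (assess_image_load(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan_image_loads(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["dll"], "<-",
              finding["process"], "|", finding["reason"])
```

Run against the constructed events, the rule flags SbieDll.dll as high severity (unsigned, user-writable, beside its launcher) and the Temp DLL loaded by explorer.exe as medium, while the signed DLL under AppData and the System32 load pass. In production you would add an allow-list for installers and updaters that legitimately load unsigned helpers from AppData, otherwise the medium tier gets noisy.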
WebSocket C2 Communication and Defense Evasion
Once active, the malware connects to its command-and-control server through WebSocket connections, a method normally used by legitimate web applications.
The session starts as a standard HTTP request and is then upgraded to a persistent channel, so to network monitors the traffic looks like an ordinary web session.
The malware also supports HTTP CONNECT, routing communications through corporate proxies to bypass enterprise network controls.
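The two behaviours just described, a CONNECT tunnel through the corporate proxy and an HTTP-to-WebSocket upgrade, both show up in proxy logs, and the combination of a WebSocket upgrade to a bare IP address on a non-standard port is rare in legitimate traffic. The script below is an added example for this article, not code from Cyfirma; the log format is a constructed one (not any real proxy product's), the destination address 203.0.113.10 is a documentation-range placeholder standing in for a C2 server, and the thresholds (ports 80/443 as "normal") are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Constructed proxy log lines (not a real product's format):
# <timestamp> <client> <method> <host:port> <upgrade-header-or-dash> <status>
SAMPLE_PROXY_LOG = """\
2026-05-21T10:15:01Z 10.0.0.5 GET www.example.com:443 - 200
2026-05-21T10:15:02Z 10.0.0.5 CONNECT 203.0.113.10:1234 - 200
2026-05-21T10:15:03Z 10.0.0.5 GET 203.0.113.10:1234 websocket 101
2026-05-21T10:16:40Z 10.0.0.7 GET chat.example.com:443 websocket 101
2026-05-21T10:17:12Z 10.0.0.9 CONNECT mail.example.com:443 - 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>[^:\s]+):(?P<port>\d+) "
    r"(?P<upgrade>\S+) (?P<status>\d{3})$"
)


def is_ip_literal(host: str) -> bool:
    """True when the destination is an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_line(m: "re.Match") -> List[str]:
    """Return the reasons one parsed line looks like tunnelled WebSocket C2."""
    reasons = []
    port = int(m["port"])
    host = m["host"]
    # A completed upgrade is status 101 with Upgrade: websocket.
    websocket = m["upgrade"].lower() == "websocket" and m["status"] == "101"
    if websocket and is_ip_literal(host):
        reasons.append("websocket upgrade to bare IP literal")
    if websocket and port not in (80, 443):
        reasons.append(f"websocket upgrade on non-standard port {port}")
    if m["method"] == "CONNECT" and port != 443:
        reasons.append(f"CONNECT tunnel to non-443 port {port}")
    return reasons


def find_suspicious_ws(log_text: str) -> Dict[str, List[str]]:
    """Group findings by client -> destination so one beacon yields one alert."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        for reason in score_line(m):
            findings[f"{m['client']} -> {m['host']}:{m['port']}"].append(reason)
    return dict(findings)


if __name__ == "__main__":
    for dest, reasons in find_suspicious_ws(SAMPLE_PROXY_LOG).items():
        print(dest)
        for r in reasons:
            print("   ", r)
```

On the constructed log only the 10.0.0.5 session to 203.0.113.10:1234 is reported, with three reasons stacked on it; the legitimate WebSocket chat on port 443 and the CONNECT to a mail server on 443 produce nothing. Stacking reasons per destination is deliberate: any one of them alone is a weak signal, all three together on one client-destination pair is worth a ticket.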
To resist analysis, the malware uses a polymorphic engine seeded with a Mersenne Twister generator that alters its execution behavior from one infection to the next, making signature-based detection unreliable.
It applies Control Flow Flattening to scramble code structure and resolves Windows API calls at runtime through hashing, hiding its intent from static analysis.
Cyfirma found Chinese-language strings in the phishing page source code, including a phrase meaning “Official Tax Notice,” though researchers note this alone cannot confirm the attackers’ origin.
Cyfirma recommends ongoing security awareness training on phishing and government impersonation tactics.
Technical teams should deploy YARA and Sigma rules for DLL hijacking, reflective loading, and WebSocket C2 patterns, while enabling continuous memory monitoring to catch threats that bypass traditional defenses.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | guhxmg.com | Phishing infrastructure domain — Block |
| Domain | naiqja.icu | Phishing infrastructure domain — Block |
| Domain | zh-welcome-1xbet.com | Phishing infrastructure domain — Block |
| Subdomain | d.pc-weide.com | Phishing infrastructure subdomain — Block |
| Subdomain | taxations.cn-web-okooo.com | Phishing infrastructure subdomain — Block |
| Subdomain | taxations.indiagov.it.com | Government impersonation subdomain — Block |
| Domain | zhengfu666.com | Phishing infrastructure domain — Block |
| Domain | asdqxcdsa.icu | Phishing infrastructure domain — Block |
| Domain | appradarr.cc | Phishing infrastructure domain — Block |
| Domain | ws4962.com | Phishing infrastructure domain — Block |
| IP Address | 43[.]128[.]54[.]184 | C2 server address, port 1234 — Block |
| SHA-256 | 185b7a487316454da04e9cc0fe6eb370bb2955cf6096fe3e8c02c46f8989ba37 | Malware sample hash — Block |
| SHA-256 | 4c9061a07d667bf7dd6f597a43a8552af2f4277b7be06d6ea138abdb668d6a49 | Malware sample hash — Block |
| SHA-256 | 949acbe543fc244ffbc981ea169067da7c5792af3c3d19b2c31b3d7e19106880 | Malware sample hash — Block |
| SHA-256 | be31a63cad112723178289968ad6f93a576c5a7984099c42eec3521cdf6e5fc0 | Malware sample hash — Block |
| SHA-256 | 7d87a86dbd2379ef2516c99258137cd9c25ca19c48aeb096c5332c02fcbf16d0 | Malware sample hash — Block |
| MD5 | 3a8f6454927b8993aded75de0de2bd00 | कर ववरण.exe (Initial launcher) — Block |
| MD5 | e83ff54e58f0b295a392c7fc39a7d0de | SbieDll.dll (Polymorphic Loader DLL) — Block |
| MD5 | b498256cb086a6962077cdd6d2f65327 | SbieDll.bin (Encrypted Shellcode Payload) — Block |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
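To act on the table above you need to turn the defanged rows into something a log search can use. The following is an added example for this article, not code from Cyfirma: it parses a subset of the table's own rows (copied, lightly reformatted), refangs the indicators, and matches them against constructed DNS query log lines and file hashes. The log format and client addresses are constructed; the refang helper covers only the common `[.]`, `(.)`, `[dot]` and `hxxp` conventions.

```python
import re
from typing import Dict, List, Set, Tuple

# A subset of the article's IoC rows (indicators exactly as published, defanged).
IOC_TABLE = """\
| Type | Indicator | Description |
|---|---|---|
| Domain | guhxmg.com | Phishing infrastructure domain (Block) |
| Subdomain | taxations.indiagov.it.com | Government impersonation subdomain (Block) |
| IP Address | 43[.]128[.]54[.]184 | C2 server address, port 1234 (Block) |
| SHA-256 | 185b7a487316454da04e9cc0fe6eb370bb2955cf6096fe3e8c02c46f8989ba37 | Malware sample hash (Block) |
| MD5 | e83ff54e58f0b295a392c7fc39a7d0de | SbieDll.dll (Polymorphic Loader DLL) (Block) |
"""

# Maps the table's Type column onto the buckets we keep.
KIND_MAP = {"domain": "domain", "subdomain": "domain", "ip address": "ip",
            "sha-256": "sha256", "md5": "md5"}


def refang(indicator: str) -> str:
    """Undo common defanging: 43[.]128[.]54[.]184 -> 43.128.54.184, hxxp -> http."""
    s = indicator.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def parse_ioc_table(text: str) -> Dict[str, Set[str]]:
    """Parse a markdown IoC table into lower-cased, refanged indicator sets."""
    iocs: Dict[str, Set[str]] = {"domain": set(), "ip": set(), "sha256": set(), "md5": set()}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        kind = KIND_MAP.get(cells[0].lower()) if cells else None
        if kind is None or len(cells) < 2:
            continue  # header, separator or unknown type
        iocs[kind].add(refang(cells[1]).lower())
    return iocs


def domain_hit(hostname: str, domains: Set[str]) -> bool:
    """True if hostname equals a listed domain or is a subdomain of one.

    The suffix check requires a leading dot so 'notguhxmg.com' does not match 'guhxmg.com'.
    """
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


# Constructed DNS query log lines: <timestamp> <client> <query>
SAMPLE_DNS_LOG = """\
2026-05-21T09:00:01Z 10.0.0.5 www.example.com
2026-05-21T09:00:05Z 10.0.0.5 taxations.indiagov.it.com
2026-05-21T09:00:09Z 10.0.0.8 cdn.guhxmg.com
2026-05-21T09:00:12Z 10.0.0.8 notguhxmg.com
"""


def scan_dns_log(log_text: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (client, queried_name) pairs whose query matches a listed domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and domain_hit(parts[2], iocs["domain"]):
            hits.append((parts[1], parts[2]))
    return hits


def hash_hit(digest: str, iocs: Dict[str, Set[str]]) -> bool:
    """Case-insensitive lookup of a SHA-256 or MD5 digest against the IoC sets."""
    d = digest.lower()
    return d in iocs["sha256"] or d in iocs["md5"]


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    for client, name in scan_dns_log(SAMPLE_DNS_LOG, iocs):
        print(f"DNS IoC hit: {client} queried {name}")
```

The suffix match matters more than it looks: the blocked subdomain taxations.indiagov.it.com should not cause every query under it.com to alert, and a listed apex such as guhxmg.com should still catch hosts beneath it. Keep the refanged values inside your SIEM or TIP, as the note above says; the published table stays defanged.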