Operation TaxShadow: Multi-Region Tax Phishing & In-Memory Malware Campaign
Operation TaxShadow is a sophisticated multi-stage malware campaign that uses tax-themed phishing emails impersonating Indian and Japanese government authorities to deliver malware. The campaign employs advanced evasion techniques such as DLL Search Order Hijacking, API hooking, token manipulation, and reflective PE loading, with execution primarily in memory to reduce forensic traces. It establishes persistent command-and-control communication via WebSocket over HTTP, blending malicious traffic with legitimate activity. Chinese-language artifacts are present in the infrastructure and code, though attribution is uncertain. The campaign targets victims in India, Japan, and the British Indian Ocean Territory. No known exploits in the wild or official patches are reported.
AI Analysis
Technical Summary
This campaign uses social engineering through fraudulent tax notifications and trusted third-party email delivery to distribute ZIP archives containing three staged payloads. The malware employs multiple advanced techniques including DLL Search Order Hijacking, API hooking, token manipulation, Mersenne Twister-based execution logic, COM callback execution, mutated RC4 encryption, and reflective PE loading. Execution occurs mainly in memory, minimizing forensic artifacts. Persistent WebSocket-based C2 communication is established via HTTP protocol upgrades, allowing malicious traffic to blend with legitimate network activity. The campaign is multi-regional, targeting India, Japan, and the British Indian Ocean Territory, with Chinese-language artifacts observed in the code and infrastructure. There is no CVE or patch information available, and no known exploits in the wild have been reported.
Potential Impact
The campaign can lead to successful infection of targeted victims through phishing, enabling attackers to execute malware with advanced evasion and persistence techniques. In-memory execution and reflective loading reduce detection and forensic analysis opportunities. Persistent WebSocket-based C2 communication allows attackers to maintain stealthy control over infected systems. The impact includes potential data compromise and unauthorized access, particularly affecting entities in India, Japan, and the British Indian Ocean Territory.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should be aware of the phishing tactics used and educate users to recognize fraudulent tax-themed emails impersonating government authorities. Monitoring for indicators of compromise such as the listed hashes and domains can aid detection. Network defenses should consider monitoring WebSocket traffic for anomalous patterns. Since execution occurs primarily in memory, endpoint detection solutions with memory analysis capabilities may improve detection. No official fix or patch is currently available.
Affected Countries
British Indian Ocean Territory, India, Japan
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.cyfirma.com/research/operation-taxshadow-multi-region-tax-phishing-in-memory-malware-campaign/
- Adversary: null
- Pulse Id: 6a2201a401cb916346d57934
- Threat Score: null
Threat ID: 6a226dc1e29bf47b503d4b22
Added to database: 6/5/2026, 6:33:37 AM
Last enriched: 6/5/2026, 6:48:51 AM
Last updated: 6/5/2026, 1:30:31 PM