A sophisticated and actively running malware campaign dubbed Operation TaxShadow has been targeting Windows users with fake government tax notification emails, luring victims into downloading fileless malware that runs entirely in memory and leaves almost no trace on disk. The campaign, active since at least May 20, 2026, was uncovered by researchers at Cyfirma and represents a significant evolution in phishing-based malware delivery.
The Phishing Lure: Government Tax Impersonation
Operation TaxShadow opens with a convincingly designed phishing email impersonating official Indian government tax authorities. The emails are crafted to induce panic, warning recipients of imminent financial penalties and demanding action before a hard deadline. They pass standard email authentication checks — SPF, DKIM, and DMARC — because the attackers sent them through a legitimate third-party email delivery service, allowing the messages to bypass spam filters and reach inboxes undetected.
Victims who click the link in the email land on a fake government website that is nearly pixel-perfect in its resemblance to the real one, complete with official logos, bilingual English and Hindi text, and government-style formatting. From there, users are prompted to download a ZIP archive described as an official tax document — in reality, a fully armed multi-stage malware package.
Cyfirma researchers also found that the same infrastructure hosted fake Japanese government tax portals, confirming this is a multi-region operation targeting victims in at least two countries.
Three-Stage Malware Architecture
The malicious ZIP archive contains three files, each with a specific role in a carefully designed attack chain:
- The Launcher (कर विवरण.exe): An initial executable that prepares the environment, checks the Windows version, and installs hooks into core system functions before handing off execution
- SbieDll.dll: A polymorphic loader that abuses DLL Search Order Hijacking — because Windows checks an application’s own folder before the system folders when loading libraries, placing this malicious DLL next to the launcher causes Windows to load it instead of the legitimate one
- SbieDll.bin: An encrypted payload file carrying the final-stage malware, encrypted with a modified RC4 cipher
The loader manipulates Windows access tokens and removes permission barriers before decrypting SbieDll.bin at runtime and injecting it directly into memory via Reflective PE Loading. This means the final payload never touches the disk — it lives entirely in RAM, which is why conventional antivirus solutions that rely on file scanning have difficulty detecting this threat.
Advanced Evasion and C2 Communication
What distinguishes Operation TaxShadow from typical phishing campaigns is the sophistication of its evasion techniques. The malware employs multiple layers of anti-detection:
- Mersenne Twister-based polymorphic engine: Alters execution behavior across different infections, making signature-based detection unreliable
- Control Flow Flattening: Scrambles the code structure, obfuscating the malware’s intent from reverse engineers and static analysis tools
- Runtime API resolution via hashing: Windows API calls are resolved at runtime using hash values rather than explicit function names, hiding the malware’s capabilities from static inspection
For command-and-control (C2) communications, the malware uses WebSocket connections — the same protocol used by legitimate web applications. The session begins as a standard HTTP request before upgrading to a persistent channel, making the traffic appear completely normal to network monitors. It also supports HTTP CONNECT, routing communications through corporate proxies to bypass enterprise network controls. The identified C2 server operated at 43[.]128[.]54[.]184 on port 1234.
Who Is Behind This Campaign?
Cyfirma identified Chinese-language strings embedded in the phishing page source code, including a phrase meaning “Official Tax Notice.” However, researchers caution that this evidence alone is insufficient to attribute the attack definitively to any nation-state or group. The use of Chinese language strings could be deliberate misdirection, or it could indicate a threat actor operating out of a Chinese-speaking region. Attribution remains uncertain.
What is clear is that the combination of memory-resident malware, multi-region targeting, advanced evasion techniques, and reused infrastructure signals a mature, well-resourced threat operation — not a commodity attack by low-skill criminals.
Detection and Defense Recommendations
Organizations can defend against Operation TaxShadow through a combination of technical controls and user awareness:
- Deploy YARA and Sigma rules targeting DLL hijacking, reflective PE loading, and WebSocket C2 communication patterns
- Enable continuous memory monitoring tools capable of detecting in-memory threats that bypass file-based detection
- Implement email security controls that go beyond SPF/DKIM/DMARC to include behavioral and content analysis
- Block the known indicators of compromise (domains including guhxmg.com, naiqja.icu, zhengfu666.com, and C2 address 43[.]128[.]54[.]184) in your security tooling
- Conduct regular security awareness training focused on government impersonation tactics and the danger of downloading files from emails
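As an added example (not code from the Cyfirma report or this article), the two detection ideas above expressed as a small Python triage script: it flags SbieDll.dll loaded from the launcher's own directory outside trusted install paths, and flags proxy requests that hit the listed IoC domains, tunnel to the C2 address via CONNECT, or upgrade a WebSocket to a bare IP. The record layouts and the trusted-path list are assumptions, and every log record is constructed.

```python
import re

# Indicators quoted in the article; the log records below are constructed samples.
C2_HOST, C2_PORT = "43.128.54.184", "1234"
IOC_DOMAINS = {"guhxmg.com", "naiqja.icu", "zhengfu666.com"}
# Where a legitimately installed SbieDll.dll would live (assumption for the check)
TRUSTED_DIR_PREFIXES = (r"c:\program files", r"c:\windows\system32")
BARE_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed Sysmon-style image-load records: "loading_process|loaded_dll"
IMAGE_LOADS = [
    r"C:\Program Files\Sandboxie\Start.exe|C:\Program Files\Sandboxie\SbieDll.dll",
    r"C:\Users\victim\Downloads\कर विवरण.exe|C:\Users\victim\Downloads\SbieDll.dll",
]
# Constructed proxy request lines: "METHOD target upgrade-header (or -)"
PROXY_LOG = [
    "GET https://example.org/app/ws websocket",
    "GET http://43.128.54.184:1234/ websocket",
    "CONNECT 43.128.54.184:1234 -",
    "GET https://naiqja.icu/tax/notice.zip -",
]

def sideload_alert(record):
    """Flag SbieDll.dll loaded from the executable's own directory outside trusted paths."""
    exe, dll = record.split("|")
    exe_dir = exe.rsplit("\\", 1)[0].lower()
    dll_dir, dll_name = dll.rsplit("\\", 1)
    if dll_name.lower() != "sbiedll.dll":
        return None
    if dll_dir.lower() == exe_dir and not exe_dir.startswith(TRUSTED_DIR_PREFIXES):
        return f"possible DLL search-order hijack: {exe} loaded {dll}"
    return None

def c2_alert(line):
    """Flag known IoCs, CONNECT/WebSocket sessions to the C2, and WebSockets to bare IPs."""
    method, target, upgrade = line.split()
    host, _, port = re.sub(r"^https?://", "", target).split("/")[0].partition(":")
    if host in IOC_DOMAINS:
        return f"known IoC domain in request: {host}"
    if host == C2_HOST and port in (C2_PORT, ""):
        return f"{method} to known C2 {host}:{port or 'default'}"
    if upgrade.lower() == "websocket" and BARE_IPV4.match(host):
        return f"WebSocket upgrade to bare IP {host}, worth review"
    return None

def run_detection(image_loads=IMAGE_LOADS, proxy_log=PROXY_LOG):
    """Return all alerts raised over the image-load records and proxy lines."""
    alerts = [a for r in image_loads if (a := sideload_alert(r))]
    alerts += [a for l in proxy_log if (a := c2_alert(l))]
    return alerts
```

On the constructed records, run_detection() returns four alerts (one sideload, three network) and leaves the legitimate Sandboxie load and the example.org WebSocket unflagged.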
Operation TaxShadow is a reminder that fileless attacks are no longer a theoretical concern — they are active, sophisticated, and increasingly the tool of choice for threat actors who want to evade detection while maintaining persistent access to victim systems.