Date: 06/24/2026
Severity: High
Summary
Social engineering–driven malware campaign that impersonates the Indian Income Tax Department to lure victims into downloading a malicious archive from a fraudulent website. The infection chain delivers a RAT-like payload through a disk image containing Tax_Assessment.exe and libsvcs.dll, using ConfuserEx obfuscation, reflection-based DLL loading, and defense-evasion techniques to avoid detection. Once executed, the malware establishes persistence, performs system reconnaissance, enables remote command execution, and communicates with a hardcoded C2 server (103[.]231[.]12[.]27:4444) using encrypted communications. The campaign demonstrates the continued abuse of trusted government themes for phishing, malware delivery, and unauthorized remote access.
Indicators of Compromise (IOC) List
Domains/URLs: harivo.vip
IP Address: 103.231.12.27 (C2 server, TCP/4444 per the summary above)
SHA-256 Hashes:
372d7d8ca222e03afa5970848cf88efa6a3bc5146d20398601285fc7eaea6735
f5dc1016679f54f2be22da0ff6642046f7a943410c188514b96c28d8a3b95e12
4b5405d9acd00dd9225ffcec840a1752951be801d20ee1cab4ebde9ccd96916a
3fe29bf7e2c391d5405f8c6947cc42a6ec356fcf8455ce705dc23a156f5b450a
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: domainname like "harivo.vip" or url like "harivo.vip" or siteurl like "harivo.vip"
Detection Query 2: dstipaddress IN ("103.231.12.27") or srcipaddress IN ("103.231.12.27")
Detection Query 3: sha256hash IN ("f5dc1016679f54f2be22da0ff6642046f7a943410c188514b96c28d8a3b95e12","4b5405d9acd00dd9225ffcec840a1752951be801d20ee1cab4ebde9ccd96916a","372d7d8ca222e03afa5970848cf88efa6a3bc5146d20398601285fc7eaea6735","3fe29bf7e2c391d5405f8c6947cc42a6ec356fcf8455ce705dc23a156f5b450a")
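The following is an added example, not part of the Gurucul advisory or the CyFirma write-up: a small Python matcher that applies the same three checks as the TDIR queries above to log records, so the logic can be exercised outside the platform. It uses only the IOCs listed on this page (domain, IP, four SHA-256 hashes) plus the C2 port 4444 from the summary. The field names (domainname, url, siteurl, srcipaddress, dstipaddress, dstport, sha256hash) mirror the query text; the sample records, the URL path and the neighbouring IP 103.231.12.28 are constructed and do not come from the campaign. Two practitioner caveats are built in: indicators are refanged before comparison (so "harivo[.]vip" copied from a report still matches raw telemetry), and the domain check matches on label boundaries instead of the substring semantics of SQL LIKE, so "notharivo.vip" does not fire while "cdn.harivo.vip" does.

```python
from urllib.parse import urlsplit

# Indicators copied from the IOC list above; the C2 port is from the Summary.
IOC_DOMAINS = {"harivo.vip"}
IOC_IPS = {"103[.]231[.]12[.]27"}   # kept defanged on purpose to exercise refang()
IOC_SHA256 = {
    "372d7d8ca222e03afa5970848cf88efa6a3bc5146d20398601285fc7eaea6735",
    "f5dc1016679f54f2be22da0ff6642046f7a943410c188514b96c28d8a3b95e12",
    "4b5405d9acd00dd9225ffcec840a1752951be801d20ee1cab4ebde9ccd96916a",
    "3fe29bf7e2c391d5405f8c6947cc42a6ec356fcf8455ce705dc23a156f5b450a",
}
C2_PORT = 4444


def refang(value: str) -> str:
    """Undo common defanging ('[.]', '(.)', 'hxxp') and normalise case so a
    defanged IOC feed compares equal to raw telemetry."""
    return (value.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def host_of(value: str) -> str:
    """Return the hostname from a bare domain or a full URL, dropping any port."""
    v = refang(value)
    if "://" not in v:
        v = "//" + v            # lets urlsplit parse 'host/path' and 'host:port'
    return urlsplit(v).hostname or ""


def domain_matches(host: str, ioc: str) -> bool:
    """Exact or subdomain match on label boundaries: 'cdn.harivo.vip' matches,
    'notharivo.vip' does not. A plain SQL LIKE '%harivo.vip%' would match both."""
    return host == ioc or host.endswith("." + ioc)


IOC_DOMAINS_N = {refang(d) for d in IOC_DOMAINS}
IOC_IPS_N = {refang(i) for i in IOC_IPS}
IOC_SHA256_N = {h.lower() for h in IOC_SHA256}


def match_record(rec: dict) -> list:
    """Apply the three detection queries to one log record. Keys mirror the
    TDIR field names used on the page. Returns the matched checks, empty if clean."""
    hits = []
    # Query 1: domain / URL fields
    for key in ("domainname", "url", "siteurl"):
        val = rec.get(key)
        if val and any(domain_matches(host_of(val), d) for d in IOC_DOMAINS_N):
            hits.append(f"q1:{key}")
    # Query 2: source / destination IP
    for key in ("srcipaddress", "dstipaddress"):
        val = rec.get(key)
        if val and refang(val) in IOC_IPS_N:
            hits.append(f"q2:{key}")
    # Extra context from the summary: the C2 listener is on TCP/4444
    if "q2:dstipaddress" in hits and rec.get("dstport") == C2_PORT:
        hits.append("c2:port4444")
    # Query 3: SHA-256 of the dropped files, compared case-insensitively
    val = rec.get("sha256hash")
    if val and val.strip().lower() in IOC_SHA256_N:
        hits.append("q3:sha256hash")
    return hits


# Constructed sample telemetry (not real logs); the path and 103.231.12.28 are made up.
SAMPLE_RECORDS = [
    {"domainname": "harivo.vip"},
    {"url": "hxxps://harivo[.]vip/download"},
    {"dstipaddress": "103.231.12.27", "dstport": 4444},
    {"sha256hash": "372D7D8CA222E03AFA5970848CF88EFA6A3BC5146D20398601285FC7EAEA6735"},
    {"domainname": "notharivo.vip"},
    {"dstipaddress": "103.231.12.28", "dstport": 4444},
]


def scan(records):
    """Return [(index, hits)] for every record that matches at least one query."""
    return [(i, h) for i, r in enumerate(records) if (h := match_record(r))]


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_RECORDS):
        print(i, SAMPLE_RECORDS[i], "->", hits)
```

Run as a script it prints the four matching records (indices 0 to 3) and stays silent on the lookalike domain and the neighbouring IP. When porting this back into a SIEM, replace `like "harivo.vip"` with an exact or suffix match where the platform supports it, and normalise hash case at ingest so Query 3 does not miss uppercase SHA-256 values from some endpoint agents.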
Reference:
https://www.cyfirma.com/research/an-income-tax-assessment-notice-phishing-campaign-delivering-malware/