Date: 07/17/2026
Severity: High
Summary
This campaign highlights the continued evolution of phishing attacks through the use of malicious VHDX images, DLL sideloading, in-memory shellcode execution, and layered anti-analysis techniques to evade traditional detection. The deployment of Overlord RAT also demonstrates how publicly available offensive tools can be adapted for real-world attacks, while codebase similarities should be considered indicators of shared development rather than definitive attribution.
Indicators of Compromise (IOC) List
Domains/URLs | https://taxassessment.you/ |
IP Address | 89.34.90.99 |
Hash | 636BB34D7471C042A37DD569DE6BB133
3AB5CF7546B11B07CA58B705DA19016B
C036FA36BE1E8B10C53941A5A84CC98E
0935A7DB4D3F16CEEC51B6A5FA97C0AB
0BA4228ED73F62ACDAE9B19BDF9AD014
|
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "https://taxassessment.you/" or url like "https://taxassessment.you/" or siteurl like "https://taxassessment.you/" |
Detection Query 2 : | dstipaddress IN ("89.34.90.99") or srcipaddress IN ("89.34.90.99") |
Detection Query 3 : | md5hash IN ("636BB34D7471C042A37DD569DE6BB133","0BA4228ED73F62ACDAE9B19BDF9AD014","C036FA36BE1E8B10C53941A5A84CC98E","0935A7DB4D3F16CEEC51B6A5FA97C0AB","3AB5CF7546B11B07CA58B705DA19016B")
|
Reference:
https://gurucul.com/blog/tax-themed-phishing-campaign-delivers-overlord-rat-via-a-malicious-vhdx-image/