Tax-Themed Phishing Campaign Delivers Overlord RAT via a Malicious VHDX Image

    Date: 07/17/2026

    Severity: High

    Summary

    This campaign highlights the continued evolution of phishing attacks through the use of malicious VHDX images, DLL sideloading, in-memory shellcode execution, and layered anti-analysis techniques to evade traditional detection. The deployment of Overlord RAT also demonstrates how publicly available offensive tools can be adapted for real-world attacks, while codebase similarities should be considered indicators of shared development rather than definitive attribution. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    https://taxassessment.you/

    IP Address 

    89.34.90.99

    Hash 

    636BB34D7471C042A37DD569DE6BB133

    3AB5CF7546B11B07CA58B705DA19016B

    C036FA36BE1E8B10C53941A5A84CC98E

    0935A7DB4D3F16CEEC51B6A5FA97C0AB

    0BA4228ED73F62ACDAE9B19BDF9AD014

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "https://taxassessment.you/" or url like "https://taxassessment.you/" or siteurl like "https://taxassessment.you/"

    Detection Query 2 :

    dstipaddress IN ("89.34.90.99") or srcipaddress IN ("89.34.90.99")

    Detection Query 3 :

    md5hash IN ("636BB34D7471C042A37DD569DE6BB133","0BA4228ED73F62ACDAE9B19BDF9AD014","C036FA36BE1E8B10C53941A5A84CC98E","0935A7DB4D3F16CEEC51B6A5FA97C0AB","3AB5CF7546B11B07CA58B705DA19016B")

    Reference:    

    https://gurucul.com/blog/tax-themed-phishing-campaign-delivers-overlord-rat-via-a-malicious-vhdx-image/                      


    Tags

    MalwarePhishingRATSocial EngineeringDLLSideLoadingShellcodeGovernment Services and FacilitiesFinancial Services

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags