A Fake Tax Notice Hides a Dangerous Payload
Security researchers at CYFIRMA have uncovered Operation TaxShadow, a multi-stage campaign combining tax phishing with stealthy, memory-resident malware. The operation begins with a fraudulent email impersonating an Indian tax authority. From there, victims are pushed toward a malicious ZIP file containing three components that work together to compromise Windows systems.
How the Lure Works
The phishing email mimics official government communication, complete with bilingual content and urgent compliance language. According to the report, the campaign demonstrates characteristics commonly associated with stealth-focused, modular, and highly sophisticated malware ecosystems. Victims are directed to a fake tax portal that closely resembles a real government site.
This phishing page pressures users with penalty warnings and a 48-hour deadline. A “Download Official Zip” button then delivers the malicious archive, setting Operation TaxShadow into motion. Notably, the same infrastructure has also been repurposed to impersonate a Japanese tax authority, pointing toward a multi-region targeting strategy.
Inside the Malware Package
The ZIP archive contains three files: कर विवरण.exe, SbieDll.dll, and SbieDll.bin. The first file acts as a host loader, performing mutex checks and environment setup before abusing DLL Search Order Hijacking to load the malicious SbieDll.dll instead of a legitimate library.
This DLL then installs multiple API hooks targeting functions like AccessCheckByType, CreateFileW, and SetThreadToken. These hooks grant the malware elevated access, suppress errors, and manipulate security tokens. The DLL also runs a Mersenne Twister-based virtual machine to randomize execution patterns, making each infection look slightly different.
Memory-Only Execution and Stealthy Communication
The final component, SbieDll.bin, holds shellcode encrypted with a mutated RC4 cipher. Once decrypted, a Reflective PE Loader builds and runs the payload directly in memory, skipping disk writes entirely. Control Flow Flattening further obscures the code’s logic, making reverse engineering significantly harder.
For command-and-control, Operation TaxShadow establishes WebSocket connections disguised as normal HTTP traffic. The malware is also proxy-aware, letting it tunnel through corporate networks undetected. During testing, researchers observed the malware injecting into svchost.exe and mitmweb.exe while communicating with an external IP over port 1234.
Possible Origins and Broader Implications
Researchers found Chinese-language comments embedded in the phishing site’s source code, including a string that translates to “Official Tax Notice.” The report notes that such artifacts alone are insufficient for definitive attribution, so its assessment of the operators’ origin remains at a moderate level of confidence.
The malware’s internal name, “SandboxieCrypto.exe,” along with its use of legitimate services like SendGrid for email delivery, shows a deliberate effort to blend in with normal activity.
Staying Protected
Organizations should train staff to recognize government-impersonation phishing, especially around tax deadlines. Email filtering that flags lookalike domains can help, even when SPF, DKIM, and DMARC checks pass. Because Operation TaxShadow relies on memory-resident execution, endpoint tools that monitor behavior rather than just files offer better detection odds. Given the campaign’s modular design, security teams should watch for unusual DLL loading, COM-based execution, and WebSocket traffic to unfamiliar IPs.
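Added example (not from CYFIRMA’s report): a small Python triage check over constructed Sysmon-style ImageLoad (Event ID 7) records that scores the loading pattern described above, a DLL such as SbieDll.dll pulled from the executable’s own user-writable directory rather than a system path. Field names follow Sysmon’s Image/ImageLoaded/Signed/SignatureStatus; the paths, signing values and the two-indicator threshold are assumptions.

```python
import ntpath

# Constructed Sysmon-style ImageLoad (Event ID 7) records; all values are made up.
EVENTS = [
    {"Image": r"C:\Users\victim\Downloads\कर विवरण.exe",        # host loader from the ZIP
     "ImageLoaded": r"C:\Users\victim\Downloads\SbieDll.dll",  # hijacked DLL beside it
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Sandboxie\Start.exe",         # legitimate Sandboxie install
     "ImageLoaded": r"C:\Program Files\Sandboxie\SbieDll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\svchost.exe",              # ordinary system load
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

WINDOWS_ROOT = "c:\\windows\\"
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def _dir(path: str) -> str:
    """Lower-cased directory of a Windows path, always ending in a backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"

def hijack_indicators(ev: dict) -> list:
    """Reasons one ImageLoad event resembles DLL search-order hijacking."""
    image_dir, dll_dir = _dir(ev["Image"]), _dir(ev["ImageLoaded"])
    reasons = []
    # The loader resolved the DLL from its own folder instead of a system directory.
    if image_dir == dll_dir and not dll_dir.startswith(WINDOWS_ROOT):
        reasons.append("dll loaded from the executable's own directory")
    # Whoever can write the folder (e.g. a Downloads drop) controls what gets loaded.
    if any(marker in dll_dir for marker in USER_WRITABLE):
        reasons.append("dll sits in a user-writable location")
    # Authenticode absent or broken: a vendor's real DLL would normally be signed.
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("dll is unsigned or its signature is not valid")
    return reasons

def flag_sideloads(events, min_reasons: int = 2) -> list:
    """(ImageLoaded, reasons) for events with >= min_reasons indicators; a signed
    vendor DLL loaded from its own install folder scores 1 and stays below the line."""
    hits = []
    for ev in events:
        reasons = hijack_indicators(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["ImageLoaded"], reasons))
    return hits
```

Feed it real Sysmon output by mapping each event's EventData fields into the same dict shape; tuning the threshold and the user-writable list to the estate is expected.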