Analyzing TAX#TRIDENT: Fake Indian Tax Lures Pivot Across ZIP, VBS, Stego and PHP-Wrapped VBS Delivery

Khushal

Apr 4, 2024

tldr

Securonix Threat Research tracks TAX#TRIDENT, an active fake Indian Income Tax-themed campaign that uses three delivery paths to reach Windows endpoints. The campaign starts with fake tax assessment lures and then moves victims toward ZIP files, VBScript downloaders, or PHP-looking web endpoints that actually return script content.

Two branches lead to the same signed ClientSetup payload. After execution, that payload installs a hidden client directory, creates service and driver persistence, writes runtime configuration, and starts outbound client traffic. A separate branch uses VBScript stages, cloud-hosted payloads, UAC policy changes, and a silent ManageEngine UEMS agent install.

The main story is not just the fake tax lure. The interesting part is how the same lure theme supports multiple execution paths: a simple ZIP-to-installer flow, a decoy-driven VBS-to-installer flow, and a PHP-named VBS flow that ends in endpoint-management enrollment.

Interesting campaign, and the multi-path delivery is really the key point here.

What stands out is not only the fake Indian tax theme, but the operator flexibility behind it.

Why this matters

  • The same social-engineering lure supports multiple infection chains, which makes simple detection based on one attachment type less reliable.
  • The ZIP-to-installer path appears designed for speed and low friction.
  • The decoy/VBS path adds more staging, which can help attackers adapt payload delivery or evade some static controls.
  • The PHP-named endpoint behavior is notable because a URL that looks like a normal web resource may actually return script content, which can mislead both users and basic filtering setups.
  • The branch ending in ManageEngine UEMS enrollment is especially concerning because abuse of legitimate remote management or endpoint management software can blend into normal enterprise activity.
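The fourth point above is the one a filter can actually act on: a URL that ends in .php and a Content-Type of text/html are both claims, and the body can contradict them. The check below is an added illustration, not code from Securonix or from the original post. It assumes a proxy, sandbox or mail gateway has already captured the URL, the response headers and the body; the sample responses are constructed, and the script body is an inert skeleton with only enough tokens to exercise the detector.

```python
"""Flag responses whose URL or Content-Type promises a web page but whose body is VBScript.

Added illustration for the post above; not code from Securonix or the original post.
Assumes a proxy, sandbox or mail gateway has already captured the URL, response
headers and body. The sample responses at the bottom are constructed.
"""
import os
import re
from urllib.parse import urlparse

# Extensions (including none) that a user or a naive filter reads as "a web page".
PAGE_EXTENSIONS = {"", ".php", ".html", ".htm", ".asp", ".aspx", ".jsp"}
PAGE_CONTENT_TYPES = {"text/html", "application/xhtml+xml"}

# Tokens characteristic of VBScript source and rare in genuine HTML.
VBS_MARKERS = (
    re.compile(r"\bCreateObject\s*\(", re.I),
    re.compile(r"\bWScript\.(?:Shell|Sleep|Echo|Quit|Arguments)\b", re.I),
    re.compile(r"^\s*(?:Dim|Set)\s+\w+", re.I | re.M),
    re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I),
)
HTML_MARKERS = re.compile(r"<(?:!doctype|html|head|body|div|p|script)\b", re.I)


def looks_like_vbscript(body: str, min_markers: int = 2) -> bool:
    """True when at least `min_markers` VBScript tokens appear and no HTML structure leads the body."""
    hits = sum(1 for marker in VBS_MARKERS if marker.search(body))
    return hits >= min_markers and HTML_MARKERS.search(body[:2048]) is None


def script_masquerade_check(url: str, headers: dict, body: str) -> list:
    """Return human-readable findings; an empty list means the response is consistent with itself."""
    h = {k.lower(): v for k, v in headers.items()}
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "")
    findings = []
    if looks_like_vbscript(body):
        if ext in PAGE_EXTENSIONS:
            findings.append(f"URL extension {ext or '(none)'} suggests a page but the body is VBScript")
        if ctype in PAGE_CONTENT_TYPES:
            findings.append(f"Content-Type {ctype} declares HTML but the body is VBScript")
    # A page-looking URL that hands the browser a .vbs/.vbe download is the same trick by another route.
    if ext in PAGE_EXTENSIONS and re.search(r"filename\*?=[^;]*\.vb[se]\b", disposition, re.I):
        findings.append("Content-Disposition names a .vbs/.vbe attachment behind a page-looking URL")
    return findings


# Constructed samples: the script body is an inert skeleton used only to exercise the detector.
SAMPLE_VBS_BODY = (
    "On Error Resume Next\r\n"
    "Set sh = CreateObject(\"WScript.Shell\")\r\n"
    "WScript.Sleep 500\r\n"
)
SAMPLE_HTML_BODY = "<!doctype html><html><body><p>Income Tax e-Filing</p></body></html>"

if __name__ == "__main__":
    page_headers = {"Content-Type": "text/html; charset=utf-8"}
    print(script_masquerade_check("https://tax-notice.invalid/assessment.php", page_headers, SAMPLE_VBS_BODY))
    print(script_masquerade_check("https://tax-notice.invalid/assessment.php", page_headers, SAMPLE_HTML_BODY))
```

The marker threshold is deliberately two tokens rather than one, because a single `Set` or `Dim` shows up in ordinary text; the HTML check on the first 2 KB keeps a page that merely mentions VBScript from being flagged. Tune `PAGE_EXTENSIONS` to whatever your proxy already treats as browsable.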

Defensive takeaways

For defenders, this kind of campaign reinforces a few practical priorities:

  • Block or tightly control script execution where possible, especially VBS/VBScript in user-facing contexts.
  • Inspect archive-delivered installers and signed binaries instead of treating code signing as proof of trust.
  • Monitor for suspicious service creation, driver installation, hidden directory creation, and unexpected changes to UAC-related policy settings.
  • Review outbound connections from newly installed clients or management agents, especially if the installation was not part of a documented IT workflow.
  • Pay attention to endpoint-management enrollment events, because legitimate tools can be abused for persistence and control.
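The five priorities above translate directly into telemetry rules. The triage pass below is an added illustration, not code from Securonix or from the original post; it assumes Sysmon-style records (EventID 1 process create, 3 network connect, 13 registry value set) and System-log 7045 service installs have already been parsed into dicts, and every event, path, service name and address in the sample is constructed. It goes slightly beyond the bullets by correlating two of them: a service install outside a trusted root is remembered so that a later outbound connection from that same binary is reported as a chained finding rather than a lone network event.

```python
"""Triage constructed endpoint telemetry for the behaviours listed above.

Added illustration; not code from Securonix or the original post. Assumes
Sysmon-style records (EventID 1, 3, 13) and System-log 7045 service installs
already parsed into dicts. All sample events below are constructed.
"""
import re
from dataclasses import dataclass

USER_WRITABLE = re.compile(r"\\(?:Downloads|Temp|AppData)\\", re.I)
TRUSTED_ROOTS = re.compile(r"^C:\\(?:Windows|Program Files(?: \(x86\))?)\\", re.I)
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def _service_binary(image_path: str) -> str:
    """Reduce a 7045 ImagePath (quotes, \\??\\ prefix, trailing arguments) to the bare binary path."""
    exe = re.sub(r'^"?([^"]+?\.(?:exe|sys))"?.*$', r"\1", image_path, flags=re.I)
    return re.sub(r"^\\\?\?\\", "", exe)


def triage(events: list) -> list:
    findings = []
    new_service_binaries = set()  # binaries registered by suspicious service installs, for correlation
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # process creation
            image = ev["Image"].lower()
            cmd = ev.get("CommandLine", "")
            parent = ev.get("ParentImage", "").lower()
            if image.endswith(SCRIPT_HOSTS) and re.search(r"\.vbs\b", cmd, re.I) and USER_WRITABLE.search(cmd):
                findings.append(Finding("script_host_user_path", eid, cmd))
            if image.endswith("\\attrib.exe") and re.search(r"(?:^|\s)\+[a-z]*h", cmd, re.I):
                findings.append(Finding("hidden_attribute_set", eid, cmd))
            if (image.endswith("\\msiexec.exe") and re.search(r"/q[nb]?\b|/quiet\b", cmd, re.I)
                    and parent.endswith(SCRIPT_HOSTS)):
                findings.append(Finding("silent_msi_from_script_host", eid, cmd))
        elif eid == 7045:  # service installed
            binary = _service_binary(ev["ImagePath"])
            if not TRUSTED_ROOTS.match(binary):
                findings.append(Finding("service_outside_trusted_root", eid, f"{ev['ServiceName']} -> {binary}"))
                new_service_binaries.add(binary.lower())
            if "kernel mode driver" in ev.get("ServiceType", "").lower():
                findings.append(Finding("driver_install", eid, f"{ev['ServiceName']} -> {binary}"))
        elif eid == 13:  # registry value set
            key, _, value = ev["TargetObject"].rpartition("\\")
            details = ev.get("Details", "")
            if (key.lower() == UAC_KEY.lower() and value in UAC_VALUES
                    and (details == "0" or details.endswith("(0x00000000)"))):
                findings.append(Finding("uac_policy_weakened", eid, f"{value} = {details}"))
        elif eid == 3:  # network connection, correlated against earlier service installs
            if ev["Image"].lower() in new_service_binaries:
                findings.append(Finding("outbound_from_new_service", eid,
                                        f"{ev['Image']} -> {ev['DestinationIp']}:{ev['DestinationPort']}"))
    return findings


# Constructed sample telemetry, in chronological order; names, paths and addresses are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\ITR_Notice.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'attrib.exe +h +s "C:\ProgramData\ExampleClient"'},
    {"EventID": 7045, "ServiceName": "ExampleClientSvc", "ServiceType": "user mode service",
     "ImagePath": r'"C:\ProgramData\ExampleClient\client.exe" --svc'},
    {"EventID": 7045, "ServiceName": "ExampleClientDrv", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\ProgramData\ExampleClient\drv.sys"},
    {"EventID": 7045, "ServiceName": "VendorUpdater", "ServiceType": "user mode service",
     "ImagePath": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 13, "TargetObject": UAC_KEY + r"\EnableLUA", "Details": "DWORD (0x00000000)"},
    {"EventID": 3, "Image": r"C:\ProgramData\ExampleClient\client.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Vendor\updater.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\agent.msi" /qn'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.rule}: {f.detail}")
```

Run against the sample, the benign vendor service and its outbound connection produce nothing, while the eight findings line up with the bullets: script host from a user path, hidden attribute, two untrusted service installs (one of them a driver), a UAC policy set to 0, the new service's first outbound connection, and a quiet MSI install whose parent is the script host. The last rule is the one to keep an eye on for the endpoint-management enrollment point: a silent agent install is normal when IT does it and abnormal when a VBS file does.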

One important caution

I cannot independently verify every technical detail in the report from the quoted excerpt alone, so the safest approach is to treat Securonix's write-up as a threat-intelligence lead unless the indicators and behaviors are confirmed in your own environment.

Bottom line

The lure is familiar, but the operational value is in the branching execution paths and the use of signed or legitimate-looking components. That makes behavior-based detection, script control, and management-tool monitoring more important than relying only on attachment or filename-based blocking.
