Cybercriminals are leveraging tax-themed phishing emails to deploy sophisticated in-memory malware on Windows systems, bypassing traditional disk-based detection mechanisms.
The attack cascade begins when victims receive phishing emails containing malicious attachments disguised as official tax documents, W-2 forms, or rejected tax form notifications from legitimate entities like Intuit QuickBooks or HM Revenue & Customs.
When opened, these attachments trigger a multi-stage execution chain that never writes malicious code to disk. Instead, attackers leverage legitimate Windows administration tools including PowerShell, mshta.exe, and Windows Management Instrumentation to execute shellcode loaders entirely in memory.
The most recent campaigns attributed to threat actor Silver Fox specifically target Indian organizations and individuals, employing highly convincing tax-themed lures that mimic official communications from tax authorities.
The attack begins with a PDF attachment masquerading as an official tax document that redirects victims to a website serving a ZIP archive. Inside, an NSIS installer drops a legitimate signed binary alongside a malicious DLL, which loads through DLL hijacking to bypass security controls.
gbhackers.com
