VYPR · breach · Published Jun 24, 2026 · 1 source

Fake Indian Tax Notice Drops XWorm RAT via Multi-Stage .NET Loader

A financially motivated campaign targeting Indian Windows users delivers a RAT — likely XWorm — through fake Income Tax Department assessment notices and a multi-stage .NET loader.

Cybercriminals are now using fake government tax notices to push dangerous malware onto Windows computers, and the tactic is proving alarmingly effective. A newly uncovered campaign targets users in India by impersonating the Income Tax Department, tricking victims into downloading what appears to be an official assessment order. The moment someone takes the bait, a chain of malicious events begins quietly, giving attackers full remote access to the infected machine.

The attack works by directing victims to a fraudulent website that closely mimics legitimate government tax communications. The site presents a fabricated assessment order filled with tax terminology, legal references, and financial penalties designed to create urgency. At the center sits a button labeled “Download Assessment Order & Workings,” which initiates the download of a malicious ZIP file disguised as official documentation. Researchers at Cyfirma identified this campaign and noted the threat actor went to significant lengths to make everything appear trustworthy.

Once downloaded, the ZIP archive unpacks to a disk image file named Tax_Assessment.img, which contains two core malicious components that work together in a staged execution chain. The executable Tax_Assessment.exe is a .NET loader that does not contain the core malicious code itself; instead it uses reflection to load and run the DLL payload libsvcs.dll. Both files were protected with ConfuserEx, an obfuscation tool that scrambles code to hinder detection by security software. The loader hides its console window, modifies registry settings, and uses spoofed metadata to blend in with legitimate Windows components.

The DLL carries full RAT capabilities, including startup registration, scheduled task creation, system information collection, user activity monitoring, and encrypted communication back to the attacker. Its behavior closely matches the XWorm RAT family, a commodity tool popular among financially motivated actors. This feature set makes the malware well-suited for long-term unauthorized access to any machine it compromises.

The malware communicates with a hardcoded command-and-control server at 103.231.12.27 over port 4444, geolocated in Hong Kong. All traffic is encrypted using a 32-byte key embedded in the malicious DLL, so the traffic cannot be read in transit without first recovering that key. The fraudulent domain harivo[.]vip, which hosted the fake tax portal, was registered in September 2025 and is tied to the same Hong Kong-based infrastructure. Cyfirma assesses the campaign as the work of a financially motivated actor, though firm attribution remains unconfirmed.

The campaign is particularly alarming because it exploits the anxiety many people feel around tax compliance season. By combining realistic government branding with technical evasion, the attackers built a lure that can fool even cautious users. The malware poses a serious threat to both individual taxpayers and organizations whose employees fall victim.

Security teams should monitor outbound traffic to unknown external IPs and block execution of files delivered through downloaded archives or mounted disk images. Organizations should train employees to verify tax-related communications through official government portals before downloading anything. Recognizing urgent compliance messages and fake government prompts remains one of the most practical defenses available. If RAT activity is confirmed, incident response teams should isolate the affected system immediately and collect forensic artifacts for thorough investigation.
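The monitoring advice above, as an added example that is not part of the report or of Cyfirma's tooling: a small Python triage pass over constructed Sysmon-style events that flags the indicators the report names (the C2 at 103.231.12.27:4444, the lure domain harivo[.]vip, and the dropped file names) and, more generically, egress to external hosts on non-web ports. The event field names, the sample events and the "E:" drive letter for the mounted image are assumptions.

```python
import ipaddress

# Indicators named in the report: the hardcoded C2, the lure domain and the
# dropped file names. Every other value in this block is constructed.
C2_IP, C2_PORT = "103.231.12.27", 4444
LURE_DOMAIN = "harivo.vip"
LURE_FILES = {"tax_assessment.img", "tax_assessment.exe", "libsvcs.dll"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry in a simplified, Sysmon-like dict shape (assumed
# field names). "E:" is the drive letter Windows gives the mounted Tax_Assessment.img.
SAMPLE_EVENTS = [
    {"id": 1, "event": "process_create", "image": r"E:\Tax_Assessment.exe"},
    {"id": 2, "event": "image_load", "image": r"E:\Tax_Assessment.exe", "loaded": r"E:\libsvcs.dll"},
    {"id": 3, "event": "network_connect", "image": r"E:\Tax_Assessment.exe",
     "dest_ip": "103.231.12.27", "dest_port": 4444},
    {"id": 4, "event": "network_connect", "image": r"C:\Program Files\Firefox\firefox.exe",
     "dest_ip": "203.0.113.5", "dest_port": 443},
    {"id": 5, "event": "dns_query", "image": r"C:\Windows\System32\svchost.exe", "query": "harivo.vip"},
    {"id": 6, "event": "network_connect", "image": r"C:\Users\Public\update.exe",
     "dest_ip": "203.0.113.5", "dest_port": 8080},
]

def is_external(ip):  # anything outside the RFC 1918 and loopback ranges above
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def triage(event):
    """Return the reasons an event is suspicious; an empty list means no finding."""
    hits = []
    for field in ("image", "loaded"):  # dropped loader / payload file names
        name = event.get(field, "").rsplit("\\", 1)[-1].lower()
        if name in LURE_FILES:
            hits.append(f"known lure file name in {field}: {name}")
    if event["event"] == "network_connect":
        ip, port = event["dest_ip"], event["dest_port"]
        if (ip, port) == (C2_IP, C2_PORT):
            hits.append("connection to reported XWorm C2 103.231.12.27:4444")
        elif is_external(ip) and port not in (80, 443):
            # Generic rule from the advice above: egress to an external host on a non-web port.
            hits.append(f"outbound to external {ip}:{port} on a non-web port (review)")
    if event["event"] == "dns_query":
        query = event["query"].lower().rstrip(".")
        if query == LURE_DOMAIN or query.endswith("." + LURE_DOMAIN):
            hits.append("DNS lookup of the lure domain harivo[.]vip")
    return hits

def scan(events):
    """Map event id -> findings for every event that produced at least one."""
    return {e["id"]: triage(e) for e in events if triage(e)}
```

Running `scan(SAMPLE_EVENTS)` flags events 1, 2, 3, 5 and 6 and leaves the browser's HTTPS connection (event 4) alone; the generic non-web-port rule is deliberately noisy and is meant as a review queue, not a block list.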

Synthesized by Vypr AI