Operation TaxShadow Uses In-Memory Malware via Tax Phishing
Hackers are deploying sophisticated in-memory malware through fake Indian tax notification phishing emails, a campaign known as Operation TaxShadow.

A new cyber threat campaign, dubbed Operation TaxShadow, is leveraging convincing phishing emails that impersonate Indian government tax authorities to deliver multi-stage, in-memory malware onto Windows systems. Active since at least May 20, 2026, the operation aims to exploit user panic by warning of financial penalties and demanding immediate action. Because the emails are sent through legitimate third-party email delivery services, they pass standard SPF, DKIM, and DMARC authentication checks and reach user inboxes without triggering spam filters.
The attack chain begins with a meticulously crafted email that mimics official government branding and language, often in both English and Hindi. Recipients are directed to a fake government website, nearly identical to the real one, where they are prompted to download a ZIP file. This archive, disguised as an official tax document, contains the malware payload. Researchers at Cyfirma identified the campaign and noted its reach extends beyond India, with similar phishing infrastructure found hosting fake Japanese government tax portals, indicating a mature and well-resourced threat actor.
The primary danger of Operation TaxShadow lies in its malware's execution method. The payload is designed to run almost entirely in the system's memory, writing little or no data to disk. This in-memory execution is a highly effective evasion technique that bypasses many traditional antivirus and endpoint detection solutions, which primarily rely on scanning files on disk. The malware also establishes a persistent command-and-control (C2) connection over WebSocket, a protocol commonly used by legitimate web applications, making its network traffic difficult to distinguish from normal activity.
The malicious ZIP archive contains three distinct files: a launcher, a loader DLL (SbieDll.dll), and an encrypted payload (SbieDll.bin). The launcher prepares the system environment, installs hooks into critical Windows functions, and then passes control to the loader. This modular approach helps obfuscate the final payload and limits the exposure of each component. The loader is brought in through DLL search order hijacking, a technique in which Windows loads a malicious DLL from an application's own directory because it is found before the legitimate DLL of the same name.
Once loaded, the SbieDll.dll loader manipulates access tokens and removes permission barriers to facilitate the execution of the final stage. The core payload, encrypted within SbieDll.bin, is decrypted at runtime and loaded directly into memory using Reflective PE Loading. This process ensures that no executable file is ever written to the disk, making detection exceptionally challenging for signature-based security tools.
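The three-file layout described above (a launcher, a DLL named after a hijackable library, and an opaque blob the loader decrypts in memory) is something a mail gateway or sandbox can triage statically before anything runs. The script below is an added example written for this article, not Cyfirma's tooling or code from the campaign: it opens a ZIP in memory, separates executables from a DLL on a sideload watchlist, and uses Shannon entropy as a stand-in for "encrypted payload". The archive contents, file names under `Tax_Notice_2026/`, and the 7.5 bits-per-byte threshold are constructed assumptions; only the SbieDll.dll and SbieDll.bin names come from the article.

```python
import io
import math
import random
import zipfile
from collections import Counter

# DLL names watched for sideloading. SbieDll.dll is the one named in the
# article; anything else an analyst adds here is their own watchlist.
SIDELOAD_DLL_NAMES = {"sbiedll.dll"}

# Bits per byte above which a blob is treated as encrypted or packed
# (assumed threshold: text sits near 4-5, ordinary PE files near 6).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; uniformly random data scores 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_archive(zip_bytes: bytes) -> dict:
    """Flag the launcher / sideloaded DLL / encrypted blob pattern in a ZIP."""
    result = {"launchers": [], "sideload_dlls": [], "encrypted_blobs": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            base = info.filename.rsplit("/", 1)[-1].lower()
            if data[:2] == b"MZ" and base.endswith(".exe"):
                result["launchers"].append(info.filename)
            elif data[:2] == b"MZ" and base in SIDELOAD_DLL_NAMES:
                result["sideload_dlls"].append(info.filename)
            elif len(data) >= 1024 and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                result["encrypted_blobs"].append(info.filename)
    # The three-part pattern: something to run, a hijackable DLL beside it,
    # and an opaque blob for the loader to decrypt at runtime.
    result["suspicious"] = all(
        result[k] for k in ("launchers", "sideload_dlls", "encrypted_blobs")
    )
    return result


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed sample archive for demonstration; not a real campaign artifact."""
    rng = random.Random(20260520)
    pe_stub = b"MZ" + b"\x00" * 510  # minimal DOS-header stand-in, not a real PE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Tax_Notice_2026/TaxNotice.exe", pe_stub)
        zf.writestr("Tax_Notice_2026/Notice.txt", b"Income Tax Department notice text " * 40)
        if malicious:
            zf.writestr("Tax_Notice_2026/SbieDll.dll", pe_stub)
            zf.writestr("Tax_Notice_2026/SbieDll.bin", rng.randbytes(4096))  # plays the encrypted payload
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
    print(triage_archive(build_sample_archive(malicious=False)))
```

The entropy test is deliberately coarse: compressed images and legitimate installers also score high, so the verdict only fires when all three parts of the pattern are present together. In production the `MZ` check would be replaced by full PE parsing and an Authenticode check on the DLL.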
For C2 communication, the malware uses WebSocket connections, which are established by upgrading a standard HTTP request, creating a persistent channel that blends with regular web traffic. It also supports HTTP CONNECT, allowing it to route communications through corporate proxies and bypass network security controls. To further evade analysis, the malware employs a Mersenne Twister-based engine that alters its execution behavior with each infection, rendering signature-based detection unreliable. Techniques such as control flow flattening and runtime API resolution through hashing are used to obscure its malicious intent from static analysis.
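The two network behaviours just described, a WebSocket upgrade (HTTP 101) and CONNECT tunnels through the corporate proxy, both leave records in ordinary proxy logs, and a fixed-cadence beacon to one destination is the third thing a defender looks for. The detector below is an added example written for this article, not Cyfirma's rule set: it parses a simplified proxy log format (timestamp, client, method, host:port, status, duration in seconds, user agent), which is an assumed layout rather than any vendor's, and flags CONNECT to non-HTTPS ports, 101 upgrades to raw IPs or long-lived sessions, and low-jitter periodic requests. The log lines, addresses and thresholds are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed proxy log layout: ts src method host:port status duration_s user_agent
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>[^:\s]+):(?P<port>\d+)"
    r"\s+(?P<status>\d{3})\s+(?P<duration>\d+)\s+(?P<ua>.*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

LONG_SESSION_S = 600   # assumed: a WebSocket held open this long deserves a look
MIN_BEACON_EVENTS = 4  # assumed: fewer hits cannot establish a cadence
MAX_JITTER = 0.2       # assumed: pstdev/mean of inter-arrival gaps


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
    d["port"] = int(d["port"])
    d["status"] = int(d["status"])
    d["duration"] = int(d["duration"])
    return d


def detect(lines) -> List[Tuple[str, str, str]]:
    """Return (rule, client, destination) alerts for the given log lines."""
    alerts = []
    per_pair = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        dest = f"{e['host']}:{e['port']}"
        per_pair[(e["src"], dest)].append(e["ts"])
        # 1. CONNECT tunnels to anything other than an HTTPS port.
        if e["method"] == "CONNECT" and e["port"] != 443:
            alerts.append(("connect_tunnel_nonstandard_port", e["src"], dest))
        # 2. HTTP 101 = protocol switch, i.e. a WebSocket upgrade. Raw-IP
        #    endpoints and very long sessions separate it from normal web apps.
        if e["status"] == 101 and (IPV4_RE.match(e["host"]) or e["duration"] >= LONG_SESSION_S):
            alerts.append(("websocket_upgrade_suspicious", e["src"], dest))
    # 3. Beaconing: near-constant gaps between a client and one destination.
    for (src, dest), stamps in per_pair.items():
        if len(stamps) < MIN_BEACON_EVENTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= MAX_JITTER:
            alerts.append(("periodic_beacon", src, dest))
    return alerts


# Constructed sample log; the hosts and addresses are documentation ranges.
SAMPLE_LOG = """\
2026-05-21T09:00:00Z 10.0.0.15 GET updates.example.com:443 200 1 Mozilla/5.0
2026-05-21T09:00:07Z 10.0.0.15 GET cdn.example.com:443 200 2 Mozilla/5.0
2026-05-21T09:01:00Z 10.0.0.23 CONNECT 203.0.113.77:8443 200 5 TaxNotice/1.0
2026-05-21T09:01:05Z 10.0.0.23 GET 203.0.113.77:8443 101 3600 TaxNotice/1.0
2026-05-21T09:10:00Z 10.0.0.42 GET 198.51.100.9:443 200 1 Mozilla/5.0
2026-05-21T09:11:00Z 10.0.0.42 GET 198.51.100.9:443 200 1 Mozilla/5.0
2026-05-21T09:12:00Z 10.0.0.42 GET 198.51.100.9:443 200 1 Mozilla/5.0
2026-05-21T09:13:00Z 10.0.0.42 GET 198.51.100.9:443 200 1 Mozilla/5.0
2026-05-21T09:14:00Z 10.0.0.42 GET 198.51.100.9:443 200 1 Mozilla/5.0
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

None of the three rules is decisive on its own: collaboration tools hold WebSockets open for hours and update agents poll on a timer. What makes the pair from `10.0.0.23` stand out is the combination of a CONNECT to an unusual port and an upgrade to a raw IP from a non-browser user agent, which is the kind of correlation to encode in a Sigma rule rather than alerting on any single line.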
Cyfirma's analysis revealed Chinese-language strings within the phishing page source code, suggesting a potential origin, though this is not definitive proof of the attackers' nationality. To mitigate this threat, organizations are advised to conduct regular security awareness training focusing on phishing and government impersonation tactics. Technical teams should implement YARA and Sigma rules to detect DLL hijacking, reflective loading, and WebSocket C2 patterns, and enable continuous memory monitoring to catch threats that evade conventional defenses.
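The DLL hijacking detection recommended above can be expressed against Sysmon Event ID 7 (Image loaded) telemetry without any campaign-specific hash: a watchlisted library name loading from a user-writable directory, beside the executable that loads it, and without a valid signature. The checker below is an added example written for this article, not a published Sigma rule or Cyfirma's code. It uses Sysmon's `Image`, `ImageLoaded` and `Signed` field names; the watchlist contains only SbieDll.dll from the article, the trusted-directory prefixes are an assumed baseline, and the sample events, including the Sandboxie install path used as the benign case, are constructed. Reflective loading of SbieDll.bin leaves no image-load event, which is why the article pairs this with memory monitoring.

```python
import ntpath
from typing import Dict, List

# Library names watched for sideloading. SbieDll.dll is named in the article;
# extend with other known-hijackable DLLs from your own telemetry.
WATCHLIST = {"sbiedll.dll"}

# Directories a standard user cannot write to (assumed baseline; tune per estate).
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def evaluate(event: Dict[str, object]) -> List[str]:
    """Return the reasons a Sysmon Event ID 7 record looks like DLL sideloading."""
    if str(event.get("EventID")) != "7":
        return []
    loaded = str(event.get("ImageLoaded", ""))
    image = str(event.get("Image", ""))
    name = ntpath.basename(loaded).lower()
    if name not in WATCHLIST:
        return []
    reasons = []
    if not is_trusted(loaded):
        reasons.append(f"{name} loaded from untrusted path {ntpath.dirname(loaded)}")
    if ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower() and not is_trusted(image):
        reasons.append(f"{name} sits beside its loader {ntpath.basename(image)} (sideload pattern)")
    if str(event.get("Signed", "")).lower() == "false":
        reasons.append(f"{name} is unsigned")
    return reasons


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    alerts = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            alerts.append({"Image": ev.get("Image"), "ImageLoaded": ev.get("ImageLoaded"), "reasons": reasons})
    return alerts


# Constructed events using Sysmon field names; paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Tax_Notice_2026\TaxNotice.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Tax_Notice_2026\SbieDll.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    # Assumed legitimate Sandboxie install location, not taken from the article.
    {"EventID": 7, "Image": r"C:\Program Files\Sandboxie-Plus\SandMan.exe",
     "ImageLoaded": r"C:\Program Files\Sandboxie-Plus\SbieDll.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\Tax_Notice_2026\TaxNotice.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The same three conditions map directly onto a Sigma `selection` over `ImageLoaded|endswith`, a `filter` on the trusted prefixes, and `Signed: 'false'`; keeping the legitimate Sandboxie install as a tested benign case is what stops the rule from paging on every machine that actually runs the product.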