{
  "name": "Operation TaxShadow: Multi-Region Tax Phishing & In-Memory Malware Campaign",
  "slug": "operation-taxshadow-multi-region-tax-phishing-in-memory-malware-campaign",
  "description": "A sophisticated multi-stage malware campaign targets victims through tax-themed phishing emails impersonating Indian and Japanese government authorities. The operation leverages social engineering, fraudulent tax notifications, and trusted third-party email delivery services to distribute ZIP archives containing three staged payloads. The malware implements advanced evasion techniques including DLL Search Order Hijacking, API hooking, token manipulation, Mersenne Twister-based execution logic, COM callback execution, mutated RC4 encryption, and reflective PE loading. Execution occurs primarily in memory, significantly reducing on-disk forensic artifacts; memory captures and network telemetry therefore remain the main sources for detection and triage. The malware establishes a long-lived WebSocket-based command-and-control channel negotiated through HTTP protocol upgrades, allowing malicious traffic to blend with legitimate web activity. Chinese-language artifacts were observed throughout the infrastructure and code, though attribution remains at moderate confidence. The campaign demonstrates characteristics of a mature, ...",
  "published": "2026-06-04T20:52:20+00:00",
  "created_at": "2026-06-04T20:52:20+00:00",
  "modified_at": "2026-06-05T04:41:47+00:00",
  "created_at_opencti": "2026-06-04T20:52:20+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-06-04",
    "dll hijacking",
    "government impersonation",
    "in-memory execution",
    "multi-stage payload",
    "reflective loading",
    "tax phishing",
    "token manipulation",
    "websocket c2"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "be31a63cad112723178289968ad6f93a576c5a7984099c42eec3521cdf6e5fc0"
      },
      {
        "id": "",
        "name": "949acbe543fc244ffbc981ea169067da7c5792af3c3d19b2c31b3d7e19106880"
      },
      {
        "id": "",
        "name": "7d87a86dbd2379ef2516c99258137cd9c25ca19c48aeb096c5332c02fcbf16d0"
      },
      {
        "id": "",
        "name": "4c9061a07d667bf7dd6f597a43a8552af2f4277b7be06d6ea138abdb668d6a49"
      },
      {
        "id": "",
        "name": "185b7a487316454da04e9cc0fe6eb370bb2955cf6096fe3e8c02c46f8989ba37"
      }
    ],
    "attack_patterns": [
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "6aa7866f-9c1f-4159-938a-10a6adf41646",
        "name": "T1553"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "14da8ebf-e0b0-4d4e-9c83-56277980f266",
        "name": "T1134"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "fe6f2946-a01e-460c-9636-8c48b45dd0e6",
        "name": "T1189"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "2fca0274-42fc-483e-a1e3-d9c4ba687d2d",
        "name": "T1574.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "Japan"
      },
      {
        "id": "",
        "name": "zhengfu666.com"
      },
      {
        "id": "",
        "name": "naiqja.icu"
      },
      {
        "id": "",
        "name": "appradarr.cc"
      },
      {
        "id": "",
        "name": "taxations.cn-web-okooo.com"
      },
      {
        "id": "",
        "name": "d.pc-weide.com"
      },
      {
        "id": "",
        "name": "asdqxcdsa.icu"
      },
      {
        "id": "",
        "name": "mnb-ny.com"
      },
      {
        "id": "",
        "name": "guhxmg.com"
      },
      {
        "id": "",
        "name": "zh-welcome-1xbet.com"
      },
      {
        "id": "",
        "name": "ws4962.com"
      }
    ]
  },
  "external_refs": [
    "https://www.cyfirma.com/research/operation-taxshadow-multi-region-tax-phishing-in-memory-malware-campaign/",
    "https://otx.alienvault.com/pulse/6a2201a401cb916346d57934"
  ]
}