CYFIRMA Research

CYFIRMA Research: Operation TaxShadow- Multi-Region Tax Phishing & In-Memory Malware Campaign

CYFIRMA

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 7:03

Threat Research: Operation Tax Shadow

Explore CYFIRMA's latest report regarding a tax-themed phishing campaign impersonating government tax authorities across multiple countries.

• Multi-stage malware delivery via ZIP archive
 • DLL Search Order Hijacking for stealthy execution
 • API Hooking and Access Token Manipulation
 • COM Callback-based code execution to evade monitoring
 • Modified RC4 encryption protecting payloads
 • Reflective PE Loading enabling memory-resident execution
 • LLVM-based Control Flow Flattening (CFF) for anti-analysis
 • WebSocket-based Command-and-Control communication
 • Infrastructure reuse observed across Indian and Japanese tax-themed phishing portals
 • Chinese-language artifacts identified during analysis
• C2 Communication observed with 43[.]128[.]54[.]184:1234
•Self-protection mechanisms make the malware difficult to terminate during execution

Impact: Full remote access, in-memory execution, and advanced defense evasion capabilities.

Link to the Research Report: https://www.cyfirma.com/research/operation-taxshadow-multi-region-tax-phishing-in-memory-malware-campaign/

#CYFIRMAresearch #ThreatIntelligence #MalwareAnalysis #CyberSecurity #ThreatResearch #Phishing #SOC #ThreatHunting #CYFIRMA #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/