
Tax Phishing Emails Distribute In-Memory Malware to Windows Systems


Cyber Thieves Deploy In-Memory Malware Through Tax-Related Phishing Email Campaigns

In a troubling trend, cybercriminals have been increasingly utilizing tax-themed phishing emails to spread complex in-memory malware specifically targeting Windows systems. This emerging tactic allows these malicious actors to circumvent traditional security measures that rely on detecting malicious code by scanning files saved on disk.

The attack typically begins when unsuspecting users receive emails that appear to be from legitimate organizations, containing attachments labeled as official tax documents, W-2 forms, or notifications about rejected tax forms from recognized entities such as Intuit QuickBooks or HM Revenue & Customs. Upon opening these attachments, victims unwittingly set off a multi-stage execution process that cleverly avoids writing any malicious code to disk. Instead, the attackers exploit legitimate Windows administrative tools—including PowerShell, mshta.exe, and Windows Management Instrumentation—to execute shellcode loaders solely in memory.

Recent analyses have linked this specific wave of attacks to a threat actor known as Silver Fox, who has been zeroing in on Indian organizations and individuals. The tailored phishing attempts feature tax-themed lures that convincingly emulate communications from regulatory bodies, thereby increasing the likelihood of victims falling for the scam.

The process often starts with a PDF attachment masquerading as an authentic tax document, which, when accessed, directs victims to a website housing a ZIP archive. Within this ZIP file, an NSIS installer drops a legitimate signed binary alongside a malicious dynamic-link library (DLL) designed to load through DLL hijacking, effectively evading traditional security checks.

According to a report by CYFIRMA shared with GBHackers, the latest campaigns identified in early 2026 illustrate how these attackers impersonate tax agencies and financial organizations with the ultimate goal of stealing sensitive information while deploying advanced remote access trojans entirely within a system’s memory. The malware also protects itself with LLVM-based Control Flow Flattening (CFF), an obfuscation that complicates analysis of its execution flow, and establishes WebSocket-based Command-and-Control (C2) communication by upgrading an ordinary HTTP connection.

The malicious DLL orchestrates a variety of harmful activities, including anti-debugging checks, disabling Windows Update services, decrypting embedded payloads, and utilizing process injection techniques to infiltrate legitimate Windows processes. A shellcode loader, generated via Donut, facilitates the wrapping and execution of the final payload exclusively in memory, thus sidestepping the disk artifacts that antivirus solutions typically scrutinize. The ultimate payload manifests itself as a modular remote access trojan endowed with functionalities for keylogging, remote shell access, file transfers, and dynamic plugin execution.

This rise in in-memory malware—often termed fileless malware—represents a significant evolution in cyber attack methodologies. By executing solely in system memory without leaving behind persistent files on disk, these threats pose substantial challenges for detection and eradication. In this campaign, static analysis of the malicious SbieDll.dll identified it as a 64-bit Portable Executable Dynamic Link Library compiled with Microsoft Visual C/C++ using Visual Studio 2022.

One of the more insidious elements of this approach is the use of "living-off-the-land" techniques, in which attackers abuse legitimate system tools and establish persistence through entries in registry Run keys and startup folders. Because the activity blends in with normal administrative use of those tools, identification and remediation become increasingly difficult for security teams, as noted in cybersecurity discussions regarding the evolving threat landscape.

Moreover, Proofpoint’s 2025 tax season report revealed over 100 malicious operations impersonating tax agencies, which included campaigns distributing various types of malware such as Rhadamanthys, zgRAT, and MetaStealer, among others. Another highlighted campaign even involved the dissemination of Remcos RATs through bogus tax documents, employing PowerShell scripts and Microsoft shortcut files to quietly execute harmful HTA files via mshta.exe.

Rather than initiating a standard new thread through Windows APIs that are often monitored by Endpoint Detection and Response (EDR) solutions, this malware cleverly executes shellcode through a COM IContextCallback::ContextCallback handler.

The Silver Fox campaign exemplifies the intricate, multi-tiered command-and-control communications employed by cybercriminals, featuring configurable beaconing intervals designed to minimize detection risks. This sophisticated approach underscores the need for heightened security measures during tax season, particularly as nation-state threat actors increasingly combine social engineering tactics with advanced malware techniques targeting specific demographics.

To counteract such threats, security teams must prioritize detecting irregular execution patterns such as unusual uses of PowerShell, unexpected mshta.exe downloads, and attempts at DLL hijacking. Organizations are also urged to educate employees on recognizing phishing attempts, particularly during tax season when urgency and fear regarding potential financial penalties are at their peak.

Implementing application whitelisting, monitoring for living-off-the-land techniques, and deploying advanced memory-scanning capabilities are essential strategies for defending against these elusive attacks. The effectiveness of tax-themed phishing attempts largely derives from victims’ expectations of communication from authoritative organizations and their concerns regarding fines for improperly submitted tax information.
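The following added example (not code from the CYFIRMA report or from GBHackers) shows what the detection advice above looks like as logic run over constructed endpoint telemetry: a LOLBin such as mshta.exe or PowerShell spawned by a document reader, mshta.exe given a remote URL, and a signed host binary loading a DLL from a user-writable folder, the shape of the SbieDll.dll side-load described earlier. The event fields, parent-process list and path prefixes are assumptions for illustration, not a real EDR schema.

```python
from dataclasses import dataclass
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wmic.exe"}   # tools the article names
DOC_PARENTS = {"acrord32.exe", "winword.exe", "excel.exe", "outlook.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
PS_FLAGS = (" -enc", " -encodedcommand", " -w hidden", "downloadstring", "iex ")

@dataclass
class ProcessEvent:      # assumed, simplified process-creation record
    parent: str
    image: str
    cmdline: str
@dataclass
class ImageLoadEvent:    # assumed, simplified image-load record
    process: str         # image path of the loading process
    process_signed: bool # Authenticode status of that process
    dll: str             # full path of the loaded DLL
def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def check_process(ev: ProcessEvent) -> list[str]:
    """Reasons a process-creation event matches the phishing-to-LOLBin chain."""
    image, parent, cmd = basename(ev.image), basename(ev.parent), ev.cmdline.lower()
    reasons = []
    if image in LOLBINS and parent in DOC_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    if image == "mshta.exe" and "http" in cmd:
        reasons.append("mshta.exe given a remote HTA URL")
    if image in {"powershell.exe", "pwsh.exe"} and any(f in cmd for f in PS_FLAGS):
        reasons.append("PowerShell launched with hidden/encoded/download options")
    return reasons

def check_dll_load(ev: ImageLoadEvent) -> list[str]:
    """Flag a signed host loading a DLL from a user-writable path: the shape of
    the NSIS-dropped signed binary plus SbieDll.dll side-load in the article."""
    if ev.process_signed and ev.dll.lower().startswith(USER_WRITABLE):
        return [f"signed {basename(ev.process)} loaded {basename(ev.dll)} from user-writable path"]
    return []

# Constructed sample telemetry modelled on the chain in the article.
SAMPLE = [
    ProcessEvent(r"C:\Program Files\Adobe\AcroRd32.exe", r"C:\Windows\System32\mshta.exe", "mshta.exe https://example.invalid/tax.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ImageLoadEvent(r"C:\Users\v\AppData\Local\Temp\Tax\host.exe", True, r"C:\Users\v\AppData\Local\Temp\Tax\SbieDll.dll"),
    ImageLoadEvent(r"C:\Windows\System32\svchost.exe", True, r"C:\Windows\System32\ntdll.dll"),
]

def triage(events=SAMPLE) -> list[str]:
    """Run both checks over mixed events and return every reason found."""
    return [r for ev in events for r in (check_process(ev) if isinstance(ev, ProcessEvent) else check_dll_load(ev))]
```

In production these heuristics would be tuned against a baseline of legitimate parent/child pairs and DLL load locations before alerting.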

As threat intelligence evolves to adapt to threats from phishing-as-a-service platforms like RaccoonO365 that deploy Remcos RATs and BruteRatel C4, defenders must likewise advance their detection strategies beyond conventional file-based antivirus solutions. This heightened vigilance and proactive approach will be crucial in mitigating the growing risks posed by such sophisticated cyber threats.

Furthermore, identifying Indicators of Compromise (IOCs) remains pivotal in thwarting these attacks. Notable IOCs include various domains and SHA-256 hashes associated with malicious activities that require prompt blocking to safeguard networks from the in-memory malware threat landscape.
