Researchers reported that the TAX#TRIDENT campaign is targeting Windows users in India with fake Income Tax assessment notices that lure victims into downloading malicious files. The operation relies on social engineering rather than software exploits and uses multiple delivery chains, including ZIP archives, VBScript downloaders, and a .php endpoint that actually serves VBScript. Across the campaign, attackers rotate domains, decoy documents, and payload delivery paths while keeping the same tax-themed lure, reducing the effectiveness of static blocklists and signature-based defenses.
Two infection chains deliver a signed ClientSetup payload linked to SyncFuture/Yangtu/YTSCRat-style tooling, creating a hidden msres directory, installing the MANC service and YtMiniFilter/ytdisk drivers, writing YTSysConfig data, and launching a fake svchost.exe that maintains communications over ports 6671, 6681, and 6683. A third chain abuses a legitimate ManageEngine UEMS agent, staging files in Public Documents, disguising copied LOLBins as DLLs, lowering UAC prompt behavior, silently installing UEMSAgent.msi, and enrolling infected hosts to attacker-controlled infrastructure at 202.61.160.201 over ports 8383 and 8027. Researchers said the tooling reflects abuse of China-linked commercial software but did not attribute the campaign to a specific threat actor, and urged defenders to prioritize behavioral indicators such as unusual svchost.exe paths, hidden system-folder directories, script engines executing web-style files, suspicious outbound ports, and unauthorized UAC policy changes.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Securonix released a public report detailing persistence, drivers, hidden directories, fake svchost.exe execution, network communications, and UAC policy changes associated with TAX#TRIDENT. The researchers assessed the tooling as abuse of China-linked commercial software but did not attribute the campaign to a specific threat actor.
Securonix reported that the campaign used multiple delivery paths including ZIP archives, VBScript downloaders, and a PHP-named endpoint that actually served VBScript. Two chains delivered a signed ClientSetup remote-management payload, while a third installed a signed ManageEngine UEMS agent configured to communicate with attacker-controlled infrastructure.
An active campaign dubbed TAX#TRIDENT used fake Indian Income Tax assessment lures to socially engineer Windows users into downloading malicious files. The operation relied on tax-themed decoys rather than exploiting software vulnerabilities.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcecybersecuritynews.com
Open sourcesecuronix.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.