Attackers are impersonating India’s Income Tax Department in a phishing campaign that lures users to the fraudulent domain harivo[.]vip and prompts them to download a fake tax assessment archive. Researchers said the ZIP file leads to a staged infection chain involving a disk image and a .NET loader, ultimately executing Tax_Assessment.exe and libsvcs.dll to install a RAT-like payload on Windows systems while abusing trusted government branding to increase credibility.
The malware uses ConfuserEx obfuscation, reflection-based DLL loading, and other defense-evasion techniques, and its behavior reportedly aligns closely with XWorm. Once launched, it establishes persistence, performs system reconnaissance and user monitoring, enables remote command execution, and communicates with a hardcoded command-and-control server at 103.231.12.27:4444 over encrypted channels, giving the threat actor sustained remote access; the infrastructure has been linked to a domain reportedly registered in September 2025, and researchers assess the operation as likely financially motivated.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
The phishing infrastructure used in the fake Income Tax Department campaign included the domain harivo[.]vip, which the reporting says was registered in September 2025.
Cyfirma identified a phishing and malware campaign targeting users in India by impersonating the Income Tax Department with fake assessment notices hosted on harivo[.]vip. The infection chain reportedly delivered a RAT-like payload using a ZIP archive, disk image, and obfuscated .NET loader that communicated with 103.231.12.27:4444.
Seqrite reported that Operation DragonReturn, a spear-phishing campaign impersonating India’s Income Tax Department, was first observed on 2026-05-18 and assessed with medium-to-high confidence to be linked to a China-aligned threat cluster based on infrastructure overlaps, Chinese-language artifacts, and TTP similarities with Silver Fox.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
seqrite.com
Open sourcecybersecuritynews.com
Open sourcecommunity.gurucul.com
Open sourcecyfirma.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.