TL;DR — A phishing campaign is impersonating the Government of India / Income Tax Department (“कर दंड सूचना – भारत सरकार” / Tax Penalty Notice) to deliver ValleyRAT. Victims receive emails from free webmail providers (Proton Mail, Yahoo, etc.), click through to a freshly‑registered lure domain, and download Tax-Number70863.zip. The ZIP contains an ISO image (Tax-Number70863.iso) — a classic Mark‑of‑the‑Web bypass — which, when mounted, presents a single executable disguised with a fake Google Chrome icon to mislead the user into running it. The payload establishes persistence via a Run key and COM hijacking, injects into ngen.exe, drops a kernel driver, steals browser credentials, and beacons to a raw‑IP C2 on 103.59.103[.]30:8888.

This is a defensive threat‑intelligence writeup. All malicious indicators below are defanged. Do not re‑arm and visit them on a production machine.


1. Why this campaign matters

ValleyRAT (a remote access trojan historically associated with China‑nexus activity and Chinese‑speaking targets) is increasingly being repurposed against Indian victims. I came across this sample while hunting for India‑themed tax lures — the phishing page is squarely aimed at Indian taxpayers, impersonating the Income Tax Department / Government of India with a fake “tax penalty” notice, and the delivery leans on free, high‑reputation webmail to slip past sender‑reputation filtering.

I pulled the sample and detonated it manually in my sandbox environment on 2026‑06‑24. Here’s what I found:

  Field              Value
  Family             ValleyRAT (valleyrat_s2)
  Classification     Malicious — backdoor, stealer, spyware
  Capabilities       persistence, privilege escalation, discovery, credential theft
  Analysis platform  Windows 11 (isolated VM)
  Analysis date      2026‑06‑24
  Tooling            Process Monitor, Wireshark, API Monitor, manual registry review

2. Delivery: phishing from free webmail

The campaign is distributed through phishing emails sent from free webmail accounts — Proton Mail, Yahoo, and similar providers. Using legitimate, well‑reputed mail infrastructure (rather than attacker‑owned domains) helps the messages pass SPF/DKIM/DMARC alignment for the sending domain and avoids the reputation penalties that newly‑registered sender domains attract.

The emails carry a government/tax‑penalty theme and link to an attacker‑controlled lure page. From there the chain is entirely web‑delivered — no malicious attachment is needed in the email body itself, which further reduces detonation at the mail gateway.


3. The lure page

The URL I detonated was:

hxxps://laiwnndye[.]love

The page impersonates an Indian government tax‑penalty notice. I cross‑referenced it on urlscan.io, which flagged it Potentially Malicious, explicitly noting it targets the Indian Government brand.

[Screenshot: Fake “Income Tax Department” penalty notice used as the lure, impersonating the Ministry of Finance, Government of India]

The lure is a polished bilingual (Hindi/English) “Office Memorandum” engineered to manufacture authority and urgency:

  • Impersonates: Income Tax Department, Ministry of Finance, Government of India — “Enforcement Division”, Aayakar Bhawan, New Delhi – 110001, complete with the official emblem.
  • Reference number: TAX/PEN/2026-142 — a fabricated case ID for legitimacy.
  • Subject: “कर अनुपालन की कमी और दंड सूचना / Tax Compliance Deficiency and Penalty Notice.”
  • Pretext: claims a tax inspection found irregularities under Section 271(1)(c) of the Income Tax Act, 1961.
  • Urgency: demands documents be submitted within 72 hours (3 days), threatening legal action under Section 276C otherwise.
  • Spoofed authority: signed “Raj Kumar Sharma, Assistant Commissioner of Income Tax”; sender [email protected][.]in; addressed “To: All concerned taxpayers.”

The deadline‑plus‑legal‑consequence framing is textbook social engineering — it pressures the target into clicking before verifying. The page presents a bilingual download prompt — "📄 दस्तावेज़ डाउनलोड करें / Download Documents" — that points to a second‑stage delivery host:

hxxps://pzidiauwytsd[.]eu[.]cc/d/0a2044b83ca0

Infrastructure indicators

  Indicator        Detail
  Lure domain      laiwnndye[.]love
  Lure IP          103.23.172[.]117 : 443
  Delivery domain  pzidiauwytsd[.]eu[.]cc
  Delivery IP      103.23.172[.]118 : 443
  Hosting ASN      AS997 BSL-AS-AP, Beyotta Services LLP
  Domain created   2026‑06‑19 (≈4 days before analysis)
  Registrar        Gname.com Pte. Ltd.
  TLS cert         Issued by YR1 on 2026‑06‑22, valid 3 months

Note that the lure host and the delivery host are adjacent IPs in the same /24 (.117 and .118) on the same ASN — a small, disposable, single‑purpose infrastructure cluster typical of short‑lived phishing waves. The .love and .eu.cc TLDs are cheap/free and routinely abused.


4. Attack chain at a glance

  Phishing email                Free webmail (Proton / Yahoo / …)
  "Income Tax penalty"   ──────────────────────────────────────┐
                                                                ▼
  laiwnndye[.]love  ── "Download Documents" ──►  pzidiauwytsd[.]eu[.]cc/d/...
   (fake IT notice)                                   │
                                                       ▼
                                       Tax-Number70863.zip   (Mark-of-the-Web)
                                                       │  unzip
                                                       ▼
                                       Tax-Number70863.iso   (MOTW bypass)
                                                       │  double-click → mount as E:\
                                                       ▼
                                       Tax-Number70863.exe   (fake Chrome icon)
                                                       │     ValleyRAT loader
                         ┌─────────────────────────────┼───────────────────────────┐
                         ▼                              ▼                           ▼
              Persistence                     Defense evasion              Collection / C2
   • Run key  HKLM\...\Run\USB3YT     • Inject → ngen.exe                • Steal browser creds
   • COM hijack (2x CLSID)              (SetThreadContext +                 & cookies
   • Task Scheduler COM                 WriteProcessMemory)              • Keylog (SetWindowsHookEx)
                                       • Drop driver pcdhost.sys         • Beacon 103.59.103[.]30:8888
                                       • Anti-sandbox disk/SCSI checks

5. Host behaviour (what I observed)

5.1 Download & execution

I navigated to the lure URL in my sandbox using Edge:

msedge.exe --start-maximized --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://laiwnndye.love

The ZIP landed in Downloads carrying a Zone.Identifier Alternate Data Stream — i.e., Mark‑of‑the‑Web (MOTW), confirming an internet download:

C:\Users\<user>\Downloads\Tax-Number70863.zip   (NTFS ADS: Zone.Identifier)

Extracting the ZIP, I found it doesn’t contain an executable directly — instead it holds an ISO disk image, Tax-Number70863.iso. This is a deliberate MOTW bypass (T1553.005): while the outer ZIP carries the Zone.Identifier, files inside a mounted ISO volume do not inherit MOTW. This means SmartScreen and other MOTW‑aware defenses will not prompt/block when the user runs the payload.
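An added PowerShell audit for this MOTW step (example code, not from the original analysis): it reads the Zone.Identifier stream on each file in a download folder, lists a ZIP's central directory without extracting anything, and flags MOTW‑tagged disk images or ZIPs that wrap one, which is exactly the ZIP → ISO packaging used here. Function names are mine; it assumes Windows PowerShell 5.1+ on an NTFS volume.

```powershell
# Added example (not part of the original writeup): audit a download folder for
# Mark-of-the-Web and flag archives/disk images that break MOTW inheritance, as the
# ZIP -> ISO chain above does. Assumes Windows PowerShell 5.1+ on an NTFS volume.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Formats Windows mounts as a volume: files inside carry no Zone.Identifier of their own
$containerExt = '.iso', '.img', '.vhd', '.vhdx'

function Get-NestedContainers([System.IO.FileInfo]$Zip) {
    # Only the ZIP central directory is read; nothing is extracted or mounted
    try {
        $archive = [System.IO.Compression.ZipFile]::OpenRead($Zip.FullName)
        $archive.Entries | Where-Object { $containerExt -contains [IO.Path]::GetExtension($_.Name).ToLower() } |
            ForEach-Object { $_.FullName }
    } catch { @() } finally { if ($archive) { $archive.Dispose() } }
}

function Get-MotwAudit {
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -Path $Path -File | ForEach-Object {
        $file = $_
        $zoneId = $null; $hostUrl = $null; $referrerUrl = $null
        $ads = Get-Item -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($ads) {
            # Stream is INI text: [ZoneTransfer] ZoneId=3 ReferrerUrl=... HostUrl=...
            $text = Get-Content -Path $file.FullName -Stream Zone.Identifier -Raw
            if ($text -match 'ZoneId=(\d+)')      { $zoneId      = [int]$Matches[1] }
            if ($text -match 'ReferrerUrl=(\S+)') { $referrerUrl = $Matches[1] }
            if ($text -match 'HostUrl=(\S+)')     { $hostUrl     = $Matches[1] }
        }
        $nested = @()
        if ($file.Extension -eq '.zip') { $nested = @(Get-NestedContainers $file) }
        [pscustomobject]@{
            Name            = $file.Name
            HasMotw         = [bool]$ads
            ZoneId          = $zoneId            # 3 = Internet zone
            HostUrl         = $hostUrl
            ReferrerUrl     = $referrerUrl
            NestedContainer = ($nested -join ', ')
            # MOTW-tagged disk image, or a ZIP wrapping one: its contents will run without MOTW
            MotwBypassRisk  = [bool]$ads -and ($containerExt -contains $file.Extension.ToLower() -or $nested.Count -gt 0)
        }
    }
}

Get-MotwAudit | Sort-Object MotwBypassRisk -Descending | Format-Table -AutoSize -Wrap
```

Rows with MotwBypassRisk = True are the ones where SmartScreen will have nothing to act on once the image is mounted, so they are the first candidates for a manual look.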

When I double‑clicked the ISO, Windows mounted it as a virtual drive (E:\). Inside was a single file:

Tax-Number70863.exe — disguised with a fake Google Chrome icon to appear as a harmless browser shortcut rather than an executable.

[Screenshot: Tax-Number70863.exe masquerading with a fake Google Chrome icon]

This icon masquerading (T1036.005) is a simple but effective trick — a non‑technical user sees the familiar Chrome logo and double‑clicks without suspicion. The E:\ drive letter in my sandbox logs confirms the ISO‑mount delivery path:

\??\E:\Tax-Number70863.exe

Once executed, the loader copies itself to a persistent staging directory:

C:\ProgramData\USB3YT\Tax-Number70863.exe

5.2 Persistence — belt and braces

Checking the registry and scheduled tasks after execution, I found ValleyRAT had installed two independent persistence mechanisms:

  1. Registry Run key (T1547.001):
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USB3YT =
      cmd /c start "" /D "C:\ProgramData\USB3YT" Tax-Number70863.exe
    
  2. COM hijacking (T1546.015) — writing LocalServer32 under attacker CLSIDs so a legitimate COM lookup loads the payload:
    HKCU\...\CLSID\{DFF20505-B08F-455B-AD70-4FBD055088E0}\LocalServer32
    HKCU\...\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
    
    It additionally touches the Task Scheduler COM API and a Windows Terminal StartTerminalOnLoginTask.

5.3 Defense evasion & injection

Monitoring API calls and process activity, I observed:

  • Process injection into ngen.exe (the .NET Native Image Generator, a signed Microsoft binary) via SetThreadContext + WriteProcessMemory — a living‑off‑the‑land host for the implant. I also captured calls to NtCreateUserProcessBlockNonMicrosoftBinary.
  • Drops a kernel driver, C:\Windows\System32\drivers\pcdhost.sys, and loads it (a LoadsDriver event fired) — a potential kernel/BYOVD component for tamper protection or privilege work.
  • Anti‑sandbox / discovery: I noticed it enumerating physical disks and SCSI/CD‑ROM registry keys (e.g. checking for Msft Virtual DVD-ROM and the disk model WDC WDS100T2B0A), system language, time zone, and connected drives — classic VM/sandbox fingerprinting before committing.

5.4 Collection — stealer + spyware

On the collection side, I saw:

  • Browser credential/cookie theft (T1555.003): it read Chrome/Edge User Data directories, and I observed it invoking Edge helper binaries cookie_exporter.exe and identity_helper.exe.
  • Keylogging / UI surveillance: I caught SetWindowsHookEx, GetForegroundWindowSpam, and SendNotifyMessage calls — clear indicators of keystroke logging and window monitoring.
  • Local file harvesting (T1005 / T1552.001 — credentials in files).

5.5 Command & control

Watching the network traffic in Wireshark, I saw the implant beacon out to a raw‑IP C2 with no associated domain on a non‑standard port:

103.59.103[.]30 : 8888   (TCP, Hong Kong)

The absence of a domain, the high port, and the repeated TCP sessions I captured are strong tells for ValleyRAT second‑stage C2 — and a clean network detection opportunity.


6. MITRE ATT&CK mapping

  Tactic                  Technique                                              ID
  Persistence             Registry Run Keys / Startup Folder                     T1547.001
  Persistence / Priv‑Esc  Event Triggered Execution: COM Hijacking               T1546.015
  Defense Evasion         Masquerading: Match Legitimate Name or Location        T1036.005
  Defense Evasion         Subvert Trust Controls: Mark‑of‑the‑Web Bypass         T1553.005
  Defense Evasion         Modify Registry                                        T1112
  Defense Evasion         Process Injection (SetThreadContext)                   T1055
  Credential Access       Credentials from Web Browsers                          T1555.003
  Credential Access       Unsecured Credentials: Credentials In Files            T1552.001
  Discovery               System Information Discovery                           T1082
  Discovery               Peripheral Device Discovery                            T1120
  Discovery               Query Registry                                         T1012
  Discovery               System Language / Location Discovery                   T1614.001
  Discovery               System Time Discovery                                  T1124
  Collection              Data from Local System                                 T1005
  Command & Control       Non‑Standard Port                                      T1571

7. Indicators of Compromise (defanged)

Network

  Type       Indicator                                      Role
  Domain     laiwnndye[.]love                               Lure / fake IT notice
  Domain     pzidiauwytsd[.]eu[.]cc                         Payload delivery
  IPv4       103.23.172[.]117                               Lure host (AS997)
  IPv4       103.23.172[.]118                               Delivery host (AS997)
  IPv4:port  103.59.103[.]30:8888                           C2 (high confidence)
  URL        hxxps://pzidiauwytsd[.]eu[.]cc/d/0a2044b83ca0  Download link

Files

  File                               Hash
  Tax-Number70863.zip                MD5     2e6ffddcc1d92de656f02c290fde19a3
                                     SHA256  6d2313dc89baa6e441ce951f20201ed91355d22865fe7d85bfa5ffdcd059095c
  Tax-Number70863.iso (MOTW bypass)  SHA256  461f17b954e9d24b6f2164f99146b6b28cfea49dfce8dbbb5130b885ba814973
  Tax-Number70863.exe (payload)      MD5     bf62f6760a9b86f66822fa59140aef8b
                                     SHA256  1fae7d654695f7c4e0f4bb8a42a4c33137652effc360b998708c6ffcac1380e6
  pcdhost.sys (driver)               MD5     78518c0636da8f3bf1bbeefbeb2b4920
                                     SHA256  7b3f8fa5844d829142002d47c2df8573c7d67defe4171414c6a015a38afe55f5
  debug.log                          MD5     0a1ba01c1cdb537dee737d41b31f1cdb
                                     SHA256  d087c3f0036b7e4f4c114852ba17469f2e79e491b5e9fc21b498e399c59b3f71

Host artifacts

C:\Users\<user>\Downloads\Tax-Number70863.zip   (Zone.Identifier ADS)
C:\Users\<user>\Downloads\Tax-Number70863.iso   (mounted as E:\)
C:\ProgramData\USB3YT\Tax-Number70863.exe
C:\ProgramData\USB3YT\debug.log
C:\Windows\System32\drivers\pcdhost.sys
\??\E:\Tax-Number70863.exe

Run key:   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USB3YT
COM CLSID: {DFF20505-B08F-455B-AD70-4FBD055088E0}
COM CLSID: {018D5C66-4533-4307-9B53-224DE2ED1FE6}
Injection target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

8. Detection & hunting (KQL — Microsoft Defender / Sentinel)

1) ProgramData executable launched via cmd /c start (staging + persistence pattern):

DeviceProcessEvents
| where FileName =~ "cmd.exe"
| where ProcessCommandLine has_all ("start", @"C:\ProgramData\") 
        and ProcessCommandLine has ".exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

2) Suspicious Run‑key persistence pointing into ProgramData:

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"\CurrentVersion\Run"
| where RegistryValueData has @"C:\ProgramData\"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData

3) Beacon to the C2 (IP and/or unusual port 8888):

DeviceNetworkEvents
| where RemoteIP == "103.59.103.30" or RemotePort == 8888
| where InitiatingProcessFileName !in~ ("known-good-proxy.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl

4) ngen.exe making outbound network connections (it normally shouldn’t):

DeviceNetworkEvents
| where InitiatingProcessFileName =~ "ngen.exe"
| project Timestamp, DeviceName, InitiatingProcessFolderPath, RemoteIP, RemotePort

5) New driver dropped into System32\drivers:

DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath has @"\System32\drivers\" and FileName endswith ".sys"
| where InitiatingProcessFolderPath has @"C:\ProgramData\"
| project Timestamp, DeviceName, FileName, SHA256, InitiatingProcessFileName

Additional hunt ideas

  • COM hijack: alert on HKU\...\CLSID\{...}\LocalServer32 writes whose data resolves into ProgramData or a user‑writable path.
  • Hash‑match the IOCs above in DeviceFileEvents / DeviceImageLoadEvents.
  • Flag ZIP/EXE downloads bearing Zone.Identifier that execute from ProgramData within a short window.
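An added PowerShell hunt for the Run‑key and per‑user COM‑hijack patterns above, to complement the KQL when you are on the box itself (example code, not from the original analysis): it flags Run/RunOnce values and HKCU CLSID server registrations that resolve into ProgramData or other user‑writable paths, plus the USB3YT value name and the two CLSIDs from this sample. Function names are mine; it assumes an elevated Windows PowerShell 5.1+ session.

```powershell
# Added example (not part of the original writeup): local persistence hunt for the
# Run-key and per-user COM-hijack patterns described above. Assumes an elevated
# Windows PowerShell 5.1+ session; USB3YT and the two CLSIDs come from this writeup.
$userWritableRoots = $env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:PUBLIC
$knownClsids = '{DFF20505-B08F-455B-AD70-4FBD055088E0}', '{018D5C66-4533-4307-9B53-224DE2ED1FE6}'

function Test-UserWritablePath([string]$Data) {
    foreach ($root in $userWritableRoots) {
        if ($root -and $Data -like "*$root*") { return $true }
    }
    return $false
}

function Find-RunKeyPersistence {
    # Run/RunOnce in both hives; the sample wrote HKLM\...\Run\USB3YT pointing into ProgramData
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
            if ((Test-UserWritablePath $p.Value) -or ($p.Name -eq 'USB3YT')) {
                [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Data = $p.Value }
            }
        }
    }
}

function Find-ComHijack {
    # HKCU CLSID registrations shadow HKLM ones; a LocalServer32/InprocServer32 default
    # value that resolves into a user-writable path is the hijack pattern (T1546.015).
    $base = 'HKCU:\Software\Classes\CLSID'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        if ($knownClsids -contains $clsid) {
            [pscustomobject]@{ Type = 'COM-KnownCLSID'; Location = "$base\$clsid"; Data = '' }
        }
        foreach ($server in 'LocalServer32', 'InprocServer32') {
            $target = (Get-ItemProperty -Path "$($_.PSPath)\$server" -ErrorAction SilentlyContinue).'(default)'
            if ($target -and (Test-UserWritablePath $target)) {
                [pscustomobject]@{ Type = "COM-$server"; Location = "$base\$clsid"; Data = $target }
            }
        }
    }
}

@(Find-RunKeyPersistence) + @(Find-ComHijack) | Format-Table -AutoSize -Wrap
```

Legitimate per‑user COM registrations (OneDrive, Teams and similar) also live under HKCU and in AppData, so treat the output as a triage list and baseline it against a clean host before alerting on it.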

9. Recommendations

  • Email: don’t trust government/tax themes by topic alone — verify sender domain and DMARC; treat “download the attached/linked notice” tax lures as hostile by default. Free‑webmail senders claiming to be a government department are a red flag.
  • Block/monitor the IOCs above; alert on outbound :8888 to unrecognised hosts.
  • Harden Run‑key and COM CLSID writes; monitor driver installs from non‑standard parents.
  • Mark‑of‑the‑Web matters: keep SmartScreen/attachment‑MOTW enforcement on; investigate MOTW‑tagged files executing from ProgramData.
  • User awareness: India‑specific Income Tax / penalty phishing is an active theme — reinforce that the IT Department does not distribute “penalty notices” as downloadable executables.

10. References

  • urlscan.io scan — laiwnndye[.]love (verdict: Potentially Malicious; targets Indian Government)
  • MITRE ATT&CK — Enterprise v16

I performed this analysis by manually detonating the sample in my isolated sandbox environment, capturing network traffic with Wireshark, monitoring process/registry activity with Process Monitor and API Monitor, and enriching infrastructure indicators via urlscan.io and WHOIS. All indicators are defanged; re‑arm only in an isolated lab.