https://harshupadhyay.com/tags/dfir/ Recent content in DFIR on Harsh Upadhyay Hugo en-us Wed, 24 Jun 2026 00:00:00 +0000 https://harshupadhyay.com/posts/valleyrat-fake-tax-notice-india/ Wed, 24 Jun 2026 00:00:00 +0000 https://harshupadhyay.com/posts/valleyrat-fake-tax-notice-india/ <blockquote> <p><strong>TL;DR</strong> — A phishing campaign is impersonating the <strong>Government of India / Income Tax Department</strong> (&ldquo;कर दंड सूचना – भारत सरकार&rdquo; / <em>Tax Penalty Notice</em>) to deliver <strong>ValleyRAT</strong>. Victims receive emails from free webmail providers (Proton Mail, Yahoo, etc.), click through to a freshly‑registered lure domain, and download <code>Tax-Number70863.zip</code>. The ZIP contains an <strong>ISO image</strong> (<code>Tax-Number70863.iso</code>) — a classic <strong>Mark‑of‑the‑Web bypass</strong> — which, when mounted, presents a single executable disguised with a <strong>fake Google Chrome icon</strong> to mislead the user into running it. The payload establishes persistence via a Run key <strong>and</strong> COM hijacking, injects into <code>ngen.exe</code>, drops a kernel driver, steals browser credentials, and beacons to a raw‑IP C2 on <code>103.59.103[.]30:8888</code>.</p>