ValleyRAT Behind a Fake "Income Tax" Notice: Anatomy of a Phishing Campaign

TL;DR: A phishing campaign impersonates the Government of India / Income Tax Department ("कर दंड सूचना – भारत सरकार", i.e. "Tax Penalty Notice – Government of India") to deliver ValleyRAT. Victims receive emails sent from free webmail accounts (Proton Mail, Yahoo, etc.), click through to a freshly registered lure domain, and download Tax-Number70863.zip. The ZIP contains an ISO image (Tax-Number70863.iso); nesting the payload inside a disk image is a long-standing Mark-of-the-Web evasion, because files inside a mounted image historically carried no zone information and so skipped SmartScreen and similar warnings (Microsoft began propagating MOTW into mounted images with its November 2022 updates, so fully patched hosts are less exposed to this step). Once mounted, the image presents a single executable wearing a fake Google Chrome icon to trick the user into running it. The payload establishes persistence via a Run key and COM hijacking, injects into ngen.exe, drops a kernel driver, steals browser credentials, and beacons to a raw-IP C2 at 103.59.103[.]30:8888. ...
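The ZIP-wrapping-an-ISO step is the one piece of this chain a mail gateway or sandbox can catch before anything executes. The following is an added example written for this page, not code from the original write-up or from the campaign: it inspects every member of a ZIP and flags nested disk images both by extension and by the ISO 9660 volume-descriptor magic at offset 0x8000, so a payload renamed to hide its `.iso` extension is still caught. The archive contents are constructed in memory; only the file name `Tax-Number70863.iso` comes from the write-up, the bytes are fabricated here.

```python
import io
import os
import zipfile

# Container formats Windows mounts as a virtual drive. Files inside a mounted
# image historically carried no Mark-of-the-Web, which is why lures nest an
# image inside an otherwise ordinary-looking ZIP attachment.
DISK_IMAGE_EXTS = {".iso", ".img", ".vhd", ".vhdx"}

# ISO 9660 primary volume descriptor: sector 16 (byte 0x8000) starts with the
# type byte 0x01 followed by the standard identifier "CD001".
ISO_PVD_OFFSET = 0x8000
ISO_PVD_MAGIC = b"\x01CD001"


def looks_like_iso(data: bytes) -> bool:
    """Return True if the bytes carry an ISO 9660 primary volume descriptor."""
    return data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_PVD_MAGIC)] == ISO_PVD_MAGIC


def scan_zip_for_disk_images(zip_bytes: bytes) -> list[dict]:
    """Flag ZIP members that are mountable disk images.

    A member is reported if its extension is an image type OR its content
    carries an ISO 9660 descriptor (catches renamed images). Only the first
    0x8006 bytes of each member are inflated, so large archives stay cheap.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as member:
                head = member.read(ISO_PVD_OFFSET + len(ISO_PVD_MAGIC))
            by_ext = ext in DISK_IMAGE_EXTS
            by_magic = looks_like_iso(head)
            if by_ext or by_magic:
                findings.append({
                    "member": info.filename,
                    "size": info.file_size,
                    "ext_match": by_ext,
                    "iso_magic": by_magic,
                    "reason": "disk image nested in archive; mounted contents may lack Mark-of-the-Web",
                })
    return findings


def build_fake_iso(size: int = 0x9000) -> bytes:
    """Constructed sample: zero-filled blob with an ISO 9660 PVD at 0x8000 (not a real disc image)."""
    buf = bytearray(size)
    buf[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_PVD_MAGIC)] = ISO_PVD_MAGIC
    return bytes(buf)


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample: build an in-memory ZIP from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archives modelled on the lure: the .iso file name is from the
# write-up, the bytes are fabricated here. RENAMED_ZIP hides the image behind
# a .pdf extension; BENIGN_ZIP holds a harmless stub.
LURE_ZIP = build_sample_zip({"Tax-Number70863.iso": build_fake_iso()})
RENAMED_ZIP = build_sample_zip({"Tax-Number70863.pdf": build_fake_iso()})
BENIGN_ZIP = build_sample_zip({"notice.pdf": b"%PDF-1.4 constructed benign stub"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("renamed", RENAMED_ZIP), ("benign", BENIGN_ZIP)):
        print(label, scan_zip_for_disk_images(blob))
```

Extension matching alone is enough for this campaign as described, but the magic check is what keeps the rule useful when the next lure ships the same image under a document extension; a production version would also recurse into nested archives and add signatures for VHD/VHDX headers.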

June 24, 2026 · 9 min