Attackers are impersonating government tax agencies to deliver a multi-stage malware payload whose final stage runs entirely in memory, leaving little for disk-based security tools to detect.

What happened

Researchers have identified a phishing campaign that uses fake tax compliance notices to deliver malware whose final stage runs entirely in the device's memory rather than being saved to disk, which makes it much harder for conventional antivirus and file-scanning endpoint tools to detect. According to Cyberpress, the campaign begins with urgency-driven emails impersonating government tax agencies, warning recipients of financial penalties and instructing them to download an urgent compliance document. The emails pass standard email security filters because they are sent through legitimate third-party email delivery services, which carry a clean sender reputation, combined with spoofed sender identities. Clicking the link takes the victim to a convincing fake government tax portal with official logos and bilingual text, where the victim is told to download the compliance document: a malicious ZIP archive containing three files engineered to work together across separate attack stages.

Going deeper

The attack is built in three separate stages, each handled by a different file, so that no single scan sees the full picture at once. The first file acts as the doorway. It uses a Windows loading technique called DLL Search Order Hijacking, placing a malicious library where Windows looks before it reaches the legitimate system copy, so the operating system's own loader runs the attacker's code in place of a trusted system file. Think of it as slipping a counterfeit part into a trusted machine before anyone inspects the components. From there, the loader decrypts the next stage and maps it directly into memory; the decrypted payload is never written to the hard drive, so disk scanners see only the loader and the still-encrypted stage. Since most antivirus tools work by scanning files on disk, they find nothing to flag. The malware also varies how it moves through the system, making it harder for tools that monitor behavior rather than files to recognize what is happening. Once running, it opens a communication channel back to the attacker over WebSockets, the same web technology that powers live chat and real-time dashboards, so the traffic looks like ordinary browsing and typically passes the outbound network filters organizations rely on without raising an alert.

What was said

In the analysis cited by Cyberpress, researchers stated that the campaign's modular design "separates the attack into distinct stages, making it much harder for standard antivirus software to detect the threat," and that the malware's use of WebSocket communication "allows its malicious traffic to blend seamlessly with everyday web browsing," including through enterprise network restrictions. They also noted that the attackers rely on urgency-driven messaging and government impersonation to push targets into acting quickly, a combination that reduces the scrutiny recipients apply before downloading and running the file.

In the know

In-memory malware execution, often called fileless malware, has been a documented escalation in attack sophistication for several years. According to BleepingComputer, fileless attacks account for a growing share of malware incidents because they sidestep the file-scanning layer that most endpoint security products were built around. The tax-themed lure in this campaign follows a familiar pattern: attackers pick high-authority impersonation targets, such as government agencies, regulators, and compliance bodies, precisely because the combination of authority and urgency suppresses the recipient's instinct to verify before acting.

The big picture

Healthcare organizations receive and process high volumes of regulatory and compliance communications from the Centers for Medicare and Medicaid Services (CMS), the Office for Civil Rights (OCR), state health departments, and billing compliance bodies, and those messages mirror the structure of this campaign's lure. A fake tax penalty notice arriving in a billing administrator's inbox looks much like a legitimate OCR audit notification or a Medicare compliance deadline: the authority signal and the urgency prompt are the same. For healthcare IT teams whose endpoint security relies primarily on antivirus file scanning and signature detection, a payload that never touches the disk defeats that layer entirely. According to Paubox's 2026 Healthcare Email Security Report, 53% of breached healthcare organizations in 2025 used Microsoft 365, and only 5% of known phishing attacks are reported by employees to security teams, so a campaign like this one can run its full chain before anyone inside the organization raises a flag.

FAQs

What is fileless or in-memory malware, and why is it harder to detect?

Fileless malware loads and executes within the computer's memory rather than as a conventional file on disk. In a campaign like this one, an initial loader still lands on disk, but the decrypted payload it unpacks never does. Standard antivirus tools scan files on disk for known malicious signatures, so with no payload file to scan they find nothing to flag. That leaves behavioral analysis and memory scanning as the primary detection options, capabilities that not every endpoint security configuration includes or has enabled.

What is DLL Search Order Hijacking, and how does it work?

When Windows loads an application, it searches for the libraries (DLLs) that application needs in a fixed order of locations, and with the default SafeDllSearchMode the application's own directory is checked before the system directories. DLL Search Order Hijacking places a malicious library carrying the expected file name in a location Windows searches first, so the operating system's own loader runs the attacker's code in place of the legitimate system file, with no exploit involved and no obvious alert. The technique does not work against libraries on the KnownDLLs list (core components such as kernel32.dll and user32.dll), which Windows always maps from the system directory, so attackers target less prominent libraries that applications import by name.
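The behavioral check that catches this pattern, both as described in the "Going deeper" section and in the answer above, is simple to state: a DLL carrying a system library's name should never be loaded from anywhere but the system directories, and a module sitting beside an executable in a user-writable folder deserves a second look. The script below is an added example, not code from the page or from the researchers it cites. It runs that check over image-load records shaped like Sysmon Event ID 7 (loading process, loaded module, signature status). The records, the DLL name list and the writable-folder markers are all constructed for illustration; a real deployment would derive the DLL list from a golden image rather than a hand-written set.

```python
"""Flag module loads that fit the DLL search-order hijacking pattern.

Added example, not code from the page or the researchers it cites.  Input is
image-load telemetry in the shape of Sysmon Event ID 7 (loading process,
loaded module, signature status).  The records, the DLL name list and the
path markers below are constructed for illustration.
"""
import ntpath
from dataclasses import dataclass

# Directories Windows normally serves system DLLs from (lower-case, backslashes).
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed subset of System32 DLLs that applications import by name and
# that are NOT on the KnownDLLs list, so the loader really does consult the
# application's directory first.  Derive this from a golden image in practice.
HIJACKABLE_SYSTEM_DLLS = {"version.dll", "userenv.dll", "dbghelp.dll",
                          "profapi.dll", "wininet.dll", "cryptsp.dll"}

# Folders a phished user can write to and launch from without elevation.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\",
                         "\\desktop\\")


@dataclass(frozen=True)
class ImageLoad:
    process_image: str  # full path of the process doing the load
    dll_path: str       # full path of the module that was loaded
    signed: bool        # True if the module carried a valid Authenticode signature


def classify(rec: ImageLoad) -> list:
    """Return the reasons a load looks like a hijack; an empty list means benign."""
    dll = ntpath.normcase(rec.dll_path)           # lower-case, '\' separators
    name = ntpath.basename(dll)
    dll_dir = ntpath.dirname(dll)
    proc_dir = ntpath.dirname(ntpath.normcase(rec.process_image))
    reasons = []
    if name in HIJACKABLE_SYSTEM_DLLS and dll_dir not in SYSTEM_DLL_DIRS:
        reasons.append(f"system DLL name {name} loaded from non-system path {dll_dir}")
    if dll_dir == proc_dir and any(m in dll_dir + "\\" for m in USER_WRITABLE_MARKERS):
        reasons.append("module sits beside the executable in a user-writable folder")
    if reasons and not rec.signed:
        reasons.append("module is unsigned")
    return reasons


def scan(records) -> list:
    """Return [(record, reasons)] for every load with at least one reason."""
    findings = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            findings.append((rec, reasons))
    return findings


# Constructed telemetry: a normal system load, a vendor app loading its own
# library, and the hijack pattern (a copy of version.dll placed next to the
# extracted "compliance document" executable in the user's Downloads folder).
SAMPLE_LOADS = [
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\version.dll", signed=True),
    ImageLoad(r"C:\Program Files\VendorApp\app.exe",
              r"C:\Program Files\VendorApp\vendorlib.dll", signed=True),
    ImageLoad(r"C:\Users\jdoe\Downloads\TaxCompliance\ComplianceViewer.exe",
              r"C:\Users\jdoe\Downloads\TaxCompliance\version.dll", signed=False),
]

if __name__ == "__main__":
    for rec, reasons in scan(SAMPLE_LOADS):
        print(rec.process_image, "->", rec.dll_path)
        for reason in reasons:
            print("   ", reason)
```

Only the third record is reported, with all three reasons. The first rule is the high-confidence one: a name from the system DLL set loaded from any other directory has essentially no legitimate explanation. The second rule is noisier (portable applications legitimately ship their own libraries) and is best used to raise severity rather than to alert on its own.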


Why does communicating through WebSockets over standard web ports help malware avoid detection?

Network security tools often key on known malicious ports, known malicious IP addresses, or protocols that should not be leaving the network. A WebSocket session over port 443 starts as an ordinary HTTPS connection and an HTTP request carrying an Upgrade: websocket header, after which the same encrypted connection carries messages in both directions for as long as both ends keep it open. Corporate proxies that filter only on port and protocol allow it through, and the malware's command-and-control traffic blends into the baseline of legitimate web traffic users generate throughout the day. Proxies that terminate TLS can see the upgrade request and can log, restrict, or block WebSocket sessions by destination; this channel depends on that control being absent.
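Because the protocol itself looks legitimate, detection has to come from context: how many hosts talk to the destination, whether a real browser opened the session, how long it stays up, and which direction the bytes flow. The script below is an added example, not code from the page or the researchers it cites, and it covers both the C2 channel described in "Going deeper" and the "unusual outbound connections" the endpoint-capabilities answer refers to. It scores completed WebSocket upgrades (HTTP status 101) from forward-proxy log lines. The log layout is a simple constructed one (real proxies differ in field order and naming), the hostnames and addresses are made up, and the thresholds are illustrative starting points rather than a vendor rule.

```python
"""Score WebSocket sessions in forward-proxy logs for the C2 pattern described above.

Added example, not code from the page or the researchers it cites.  The log
lines use a simple constructed layout (real proxies differ in field order and
naming) and the thresholds are illustrative starting points, not a vendor rule.
"""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    ts: str
    client: str
    host: str
    status: int       # 101 = Switching Protocols, i.e. the WebSocket upgrade succeeded
    user_agent: str
    duration_s: int
    bytes_out: int    # client -> server
    bytes_in: int     # server -> client


# Constructed line layout:
#   <ts> <client-ip> <dest-host> <status> "<user-agent>" dur=<s> out=<bytes> in=<bytes>
def parse_line(line: str) -> Session:
    ts, client, host, status, ua, dur, out, inb = shlex.split(line)

    def kv(field: str) -> int:
        return int(field.split("=", 1)[1])

    return Session(ts, client, host, int(status), ua, kv(dur), kv(out), kv(inb))


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_browser_ua(ua: str) -> bool:
    # Real browsers send a Mozilla/5.0-prefixed UA; implants frequently send
    # none, a library default, or a static string copied once and never updated.
    return ua.startswith("Mozilla/5.0")


def score_sessions(sessions) -> list:
    """Return [(session, score, reasons)] for every completed WebSocket upgrade."""
    clients_per_host = {}                      # prevalence: distinct clients per destination
    for s in sessions:
        clients_per_host.setdefault(s.host, set()).add(s.client)

    results = []
    for s in sessions:
        if s.status != 101:
            continue                           # plain HTTP exchange, not a WebSocket channel
        reasons = []
        if len(clients_per_host[s.host]) == 1:
            reasons.append("destination contacted by a single client only")
        if not is_browser_ua(s.user_agent):
            reasons.append("non-browser user agent")
        if s.duration_s >= 3600:
            reasons.append("connection held open for an hour or more")
        if s.bytes_out > 4 * max(s.bytes_in, 1):
            reasons.append("upload-heavy: client sends far more than it receives")
        results.append((s, len(reasons), reasons))
    return results


def suspicious(sessions, threshold: int = 3) -> list:
    """Sessions whose score meets the threshold; each hit carries its reasons."""
    return [r for r in score_sessions(sessions) if r[1] >= threshold]


# Constructed log: a collaboration chat used by three clients, an internal
# dashboard one analyst keeps open all morning, and a single host that fetched
# a "CDN" page and then held an upload-heavy WebSocket to it for 90 minutes.
SAMPLE_LOG = """\
2025-11-03T09:00:12Z 10.1.5.11 chat.collab-example.com 101 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0" dur=1800 out=40000 in=380000
2025-11-03T09:01:40Z 10.1.5.12 chat.collab-example.com 101 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0" dur=2400 out=52000 in=410000
2025-11-03T09:03:05Z 10.1.5.19 chat.collab-example.com 101 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0" dur=900 out=12000 in=150000
2025-11-03T09:10:00Z 10.1.5.30 dashboard.corp.example 101 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/130.0" dur=7200 out=5000 in=900000
2025-11-03T09:14:02Z 10.1.5.23 cdn-assets-sync.example.net 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0" dur=1 out=600 in=2100
2025-11-03T09:14:03Z 10.1.5.23 cdn-assets-sync.example.net 101 "WebSocket-Client/1.6" dur=5400 out=250000 in=12000
"""

if __name__ == "__main__":
    for s, score, reasons in suspicious(parse_log(SAMPLE_LOG)):
        print(f"{s.client} -> {s.host} score={score}: {'; '.join(reasons)}")
```

With the default threshold only the last session is reported (score 4); the analyst's long-lived dashboard session scores 2 and stays below the line, which is the point of combining weak signals rather than alerting on any one of them. The caveat is the one from the answer above: without TLS termination the proxy never sees the 101 response, only a CONNECT to port 443, so the prevalence, duration and byte-ratio signals have to be computed on the tunnel record instead.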


What endpoint security capabilities detect fileless malware when signature scanning cannot?

Memory scanning that inspects the contents of running processes; behavioral analysis that flags anomalous process activity, such as a system DLL name loaded from a user-writable folder, a freshly unpacked executable region in memory, or an unusually long-lived outbound connection; and application control that prevents unauthorized executables from running all provide detection coverage that does not depend on finding a malicious file on disk. One caveat on application control: an allowlist that covers only executables does not stop a hijacked DLL from loading into an allowed process, so DLL rules (not enabled by default in AppLocker) have to be turned on for the control to address this technique.

How should healthcare organizations handle emails containing government compliance or tax notices?

Any email directing staff to download a document from an external link, even one that appears to come from a government agency, should be verified through the agency's official website using a manually typed URL before any file is downloaded or opened. Legitimate government notices rarely require immediate action through an emailed link, and compliance teams should have a clear escalation process for staff who receive unexpected regulatory notifications. A "compliance document" that arrives as a ZIP archive, as in this campaign, is itself a warning sign: a notice meant to be read does not need to be extracted and run.