
Fake Tax Notice Phishing: How the Cross-Border Scam Network Operates

Posted on: 02 July 2026 | Author: Foresiet

Mapping a multi-country phishing network targeting Indian taxpayers

Public corporate blog brief | Prepared by Foresiet Threat Intelligence Team | 1 July 2026

Executive takeaway

Foresiet identified adreses[.]vip as part of a localized phishing infrastructure cluster using tax, invoice, payroll, and document-download themes. The strongest evidence supports malicious phishing infrastructure and campaign-level clustering; named-actor elevation remains evidence-weighted and under active validation.

Executive Summary

  • The primary lure impersonated an income-tax/document workflow and directed the recipient to hxxps://adreses[.]vip/.
  • The site functioned as a document-download phishing gate, with current direct access showing browser-verification and filtering behavior.
  • Infrastructure pivots tied the activity to 47.242.39[.]192 on AS45102, Alibaba Cloud Hong Kong, and a recurring Gname/share-dns setup.
  • Same-IP passive monitoring surfaced localized India, Germany, Malaysia, and Japan lure themes across related domains.
  • No direct money-collection page, crypto wallet, recovered payload, or valid favicon hash was observed in the current evidence set.

Controlled-Run Network Geography

Controlled-run network geography: campaign-relevant Hong Kong infrastructure shown alongside browser-service traffic context.

What Was Observed

The observed email used a tax-reference style subject and a document-download call to action. The sender display name presented as an income-tax authority, while the visible sending address used a consumer mail account. That mismatch, combined with the tax/document framing and external landing URL, established the initial phishing triage path.

The landing infrastructure presented invoice/document-download behavior in public observations. During later direct access, the site returned a browser verification page titled ‘verifying…’ in Chinese and displayed Portuguese copy asking the visitor to wait while browser authenticity was checked. This supports the assessment that the site uses filtering or bot-screening before content is exposed.

A significant portion of these stolen credentials ends up being sold or traded on illicit forums, highlighting the critical need for continuous dark web monitoring to flag compromised citizen or corporate data before it can be used for secondary financial fraud.

Visual Evidence

Email evidence: tax-reference subject, income-tax display name, and consumer-mail sender.

Landing page: invoice/document-download interface with PDF/OFD-style controls.

Direct-access evidence: access-denied response supporting filtering or environment-aware behavior.

Evidence at a Glance

| Evidence area | Finding | Confidence |
| --- | --- | --- |
| Primary domain | adreses[.]vip used as the embedded landing URL. | High |
| Hosting | 47.242.39[.]192 on AS45102, Alibaba Cloud Hong Kong. | Medium-High |
| Landing behavior | Invoice/document-download page observed; later browser-verification gate observed. | High |
| RDAP clustering | Gname registrar and share-dns patterns across selected candidate siblings. | High |
| Favicon pivot | No valid favicon hash recovered; favicon-hash campaign pivot not possible. | Confirmed |
| Actor mapping | TA4922-style lure overlap and plausible China-nexus indicators; actor-level elevation requires additional payload/C2/header evidence. | Moderate |

Infrastructure Pivot

Infrastructure evidence chain: one email URL expands into landing behavior, hosting, clustering, and attribution posture.

The infrastructure picture is stronger than the lure alone. The primary domain resolved to 47.242.39[.]192, an Alibaba Cloud Hong Kong host in AS45102. The same-IP campaign cluster showed repeated business and tax-document themes, including India income-tax pages, Germany BZSt invoice themes, Malaysia tax notices, Japan business-document portals, and download/ZIP endpoints.

RDAP cross-validation added a second infrastructure layer. dusdt[.]vip, coinok[.]vip, and aappp[.]vip were registered through Gname.com Pte. Ltd. within a July-August 2025 window and used the share-dns nameserver family. aethercode[.]vip shared the registrar and timing pattern, but was on expired Gname DNS at capture time. aappp[.]vip shared the exact a7/b7-share-dns nameserver pair with adreses[.]vip and served the adreses[.]vip TLS certificate, making it the strongest infrastructure-only candidate from this pivot.

Certificate-transparency review for adreses[.]vip returned only adreses[.]vip and http://www.dpd.adreses[.]vip entries. No shared SAN certificate linked the sibling domains. No valid favicon was recoverable from adreses[.]vip, and no Shodan favicon-hash campaign link was identified.
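As an added example that is not part of the Foresiet brief, the RDAP sibling pivot described above written as a scoring function: registrar, registration window, nameserver family, exact nameserver pair and served certificate, applied to constructed registration records. Nameserver hostnames, creation dates, the seed's certificate field and the weights are assumptions, not values from the report.

```python
from datetime import date

# Constructed registration records shaped after the brief's RDAP pivot. Nameserver hostnames,
# creation dates and the certificate fields are placeholders, not values from the report.
SEED = {
    "domain": "adreses[.]vip", "registrar": "Gname.com Pte. Ltd.",
    "ns": ["a7.share-dns.example", "b7.share-dns.example"],
    "created": date(2025, 7, 20), "cert_cn": "adreses[.]vip",
}
CANDIDATES = [
    {"domain": "aappp[.]vip", "registrar": "Gname.com Pte. Ltd.",
     "ns": ["a7.share-dns.example", "b7.share-dns.example"],
     "created": date(2025, 8, 2), "cert_cn": "adreses[.]vip"},
    {"domain": "dusdt[.]vip", "registrar": "Gname.com Pte. Ltd.",
     "ns": ["a3.share-dns.example", "b3.share-dns.example"],
     "created": date(2025, 7, 28), "cert_cn": "dusdt[.]vip"},
    {"domain": "aethercode[.]vip", "registrar": "Gname.com Pte. Ltd.",
     "ns": ["expired.gname-dns.example"], "created": date(2025, 8, 9), "cert_cn": None},
    {"domain": "unrelated[.]com", "registrar": "Other Registrar",
     "ns": ["ns1.other.example"], "created": date(2023, 1, 5), "cert_cn": "unrelated[.]com"},
]

def ns_family(ns: list) -> set:
    """Reduce nameserver hostnames to their provider family (everything after the first label)."""
    return {h.split(".", 1)[1] for h in ns if "." in h}

def pivot_score(seed: dict, cand: dict, window_days: int = 45) -> tuple:
    """Score a candidate against the seed; weights are assumed, and every point is explainable."""
    exact_ns = set(cand["ns"]) == set(seed["ns"])
    checks = [  # (condition, weight, label): an exact pair or a shared certificate outweighs the rest
        (cand["registrar"] == seed["registrar"], 1, "same registrar"),
        (abs((cand["created"] - seed["created"]).days) <= window_days, 1, "same registration window"),
        (exact_ns, 3, "exact nameserver pair"),
        (not exact_ns and bool(ns_family(cand["ns"]) & ns_family(seed["ns"])), 1, "same nameserver family"),
        (bool(cand["cert_cn"]) and cand["cert_cn"] == seed["cert_cn"], 3, "serves the seed's TLS certificate"),
    ]
    score = sum(weight for ok, weight, _ in checks if ok)
    why = [label for ok, _, label in checks if ok]
    return score, why

def rank_candidates(seed: dict, cands: list) -> list:
    """Return (domain, score, reasons) sorted highest first so the strongest sibling surfaces."""
    scored = [(c["domain"], *pivot_score(seed, c)) for c in cands]
    return sorted(scored, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for domain, score, why in rank_candidates(SEED, CANDIDATES):
        print(f"{domain:18} {score}  {', '.join(why)}")
```

With these inputs the exact a7/b7 pair plus the shared certificate puts aappp[.]vip well ahead of the domains that only share registrar, timing and nameserver family, which is the ordering the brief describes.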

Representative Infrastructure Indicators

| Indicator | Role | Notes |
| --- | --- | --- |
| adreses[.]vip | Primary domain | Email landing URL and current campaign IOC. |
| 47.242.39[.]192 | Infrastructure | Alibaba Cloud Hong Kong / AS45102; same-IP cluster pivot. |
| dusdt[.]vip | Related domain | Same-IP passive telemetry; India tax and invoice themes. |
| coinok[.]vip | Related domain | Same-IP invoice-themed lure. |
| aappp[.]vip | Candidate sibling | Same registrar and exact a7/b7-share-dns pair; infrastructure-only candidate. |
| aethercode[.]vip | Related domain | Same registrar/timing; India Income Tax Scrutiny title observed historically. |

Campaign-Level Clustering

The same-IP cluster showed a repeatable pattern: localized document themes changed by country and business function while the underlying infrastructure stayed consistent. This is the main reason the activity is stronger than a single-domain phishing case.

Campaign timeline: observed same-IP lure activity across tax, invoice, B2B document, payroll, and ZIP/download themes.

Same-IP lure theme distribution: 63 public passive-scan observations filtered by page title and URL pattern.

Attribution Posture

The current evidence supports a malicious phishing infrastructure cluster with TA4922-style tradecraft overlap and plausible China-nexus indicators. The campaign uses localized tax, invoice, payroll, and document-lure themes, and the infrastructure choices align with China-adjacent hosting and registrar patterns observed across public reporting on similar activity.

The correct public posture is evidence-weighted: localized tax/invoice phishing cluster with TA4922-style tradecraft overlap and plausible China-nexus indicators. Stronger actor-level confidence would follow from payload/C2 overlap, raw email headers, certificate reuse across known actor infrastructure, or internal telemetry correlation.

Evidence Boundaries

What this analysis does not claim

The available evidence does not show direct money collection, a crypto wallet, a payment page, a recovered malware payload, or a favicon-hash campaign link. These boundaries are important because the report is intended for public use and should remain defensible under external review.

Observed Campaign IOCs

The following indicators were observed or derived during this campaign analysis. Use confidence and notes to prioritize blocking, monitoring, and enrichment; related-domain entries should be handled as infrastructure pivots unless local telemetry confirms exposure.

| Type | Indicator | Confidence | Handling note |
| --- | --- | --- | --- |
| Domain | adreses[.]vip | High | Primary landing domain observed in the email lure. |
| URL | hxxps://adreses[.]vip/ | High | Embedded document-download landing URL. |
| IPv4 | 47.242.39[.]192 | Medium-High | Infrastructure indicator; same-IP campaign-cluster pivot. |
| Email sender | ContiWalega57@hotmail[.]com | Medium | Visible sender; validate with raw headers if available. |
| Subject/reference | TAX/PEN/2026-142 | High | Visible tax-reference lure string. |
| URL-file identifier | f7978743d8f8483a8eaa84e7b84b0ad9 cb845d8037f1670a377cc529d5910ae5 | High | Identifier for submitted URL shortcut sample; not a recovered malware binary. |
| Related domain | dusdt[.]vip | Medium | Same-IP passive telemetry; India tax and invoice titles. |
| Related domain | aethercode[.]vip | Medium | Same-IP passive telemetry; India Income Tax Scrutiny title. |
| Related domain | aappp[.]vip | Medium-High | Same registrar and exact a7/b7-share-dns pair; infrastructure-only candidate. |
| Related domain | xxgzbts[.]cn | Medium | Same-IP passive telemetry; India/Malaysia tax titles. |
| Related domain | yygzbts[.]cn | Medium | Same-IP passive telemetry; India Income Tax Scrutiny title. |
| Related domain | coinok[.]vip | Medium | Same-IP invoice-themed lure. |
| Related domain | nwphotoblog[.]com | Medium | Same-IP German BZSt tax/invoice lure. |
| Related domain | blueoceancode[.]com | Medium | Same-IP Malaysia/Japan localized document lures. |
| Related domain | prmgv[.]vip | Low-Medium | Same-IP ZIP endpoint; needs payload validation. |
| Related domain | jobfreeeco[.]it[.]com | Low-Medium | Same-IP document ZIP endpoint; needs payload validation. |

Enterprise Response Guidance

  • Block the primary URL/domain and monitor for additional same-IP domains in web proxy, DNS, and mail telemetry.
  • Search mail telemetry for TAX/PEN/2026-142, Income Tax, Download Documents, Invoice Details, and the sender ContiWalega57@hotmail[.]com.
  • Hunt endpoint and network telemetry for connections to adreses[.]vip, related domains, and 47.242.39[.]192.
  • If payloads are recovered, detonate them in a controlled environment with packet capture enabled and extract hashes, file type, config, C2, and execution chain.
  • Preserve original email source to validate SPF, DKIM, DMARC, Received path, Message-ID, Return-Path, Reply-To, and URL rewriting behavior.
  • Report confirmed phishing infrastructure to the mail provider, hosting provider, registrar, and relevant national CERT/tax-authority channels.
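As an added illustration that is not from the Foresiet brief, the mail-telemetry hunt from the guidance above applied to a few constructed gateway records: it checks the published sender, subject strings and campaign domains, and also flags the triage signal from the observed email, an income-tax display name over a consumer mailbox. The record field names and the consumer-webmail domain list are assumptions; the indicators are the brief's, kept defanged and refanged only for matching.

```python
import re
from urllib.parse import urlparse

# Indicators from the brief, kept defanged as published; refang() normalises them for matching.
DEFANGED_DOMAINS = [
    "adreses[.]vip", "dusdt[.]vip", "aethercode[.]vip", "aappp[.]vip", "xxgzbts[.]cn",
    "yygzbts[.]cn", "coinok[.]vip", "nwphotoblog[.]com", "blueoceancode[.]com",
    "prmgv[.]vip", "jobfreeeco[.]it[.]com",
]
DEFANGED_SENDER = "ContiWalega57@hotmail[.]com"
SUBJECT_TERMS = ["TAX/PEN/2026-142", "Income Tax", "Download Documents", "Invoice Details"]
# The lure's triage signal: an authority display name over a consumer mailbox (list is assumed).
AUTHORITY_RE = re.compile(r"income\s*tax|tax\s*(department|authority|office)", re.I)
CONSUMER_DOMAINS = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}

def refang(value: str) -> str:
    return value.replace("[.]", ".").replace("hxxp", "http")

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
SENDER = refang(DEFANGED_SENDER).lower()

def check_record(rec: dict) -> list:
    """Return the reasons one mail-gateway record matches the campaign pattern ([] if none)."""
    reasons = []
    sender = rec.get("from_addr", "").lower()
    subject = rec.get("subject", "").lower()
    if sender == SENDER:
        reasons.append("sender IOC")
    reasons += [f"subject term: {t}" for t in SUBJECT_TERMS if t.lower() in subject]
    for url in rec.get("urls", []):
        host = (urlparse(url).hostname or "").lower()
        if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
            reasons.append(f"campaign domain: {host}")
    if AUTHORITY_RE.search(rec.get("from_name", "")) and sender.rsplit("@", 1)[-1] in CONSUMER_DOMAINS:
        reasons.append("authority display name on consumer mailbox")
    return reasons

def hunt(records: list) -> list:
    """Return (message id, reasons) for every record that matches at least one rule."""
    scored = [(r["msg_id"], check_record(r)) for r in records]
    return [(msg_id, reasons) for msg_id, reasons in scored if reasons]

# Constructed sample telemetry (not real mail): one lure-like record and one benign record.
SAMPLE_RECORDS = [
    {"msg_id": "m1", "from_name": "Income Tax Department", "from_addr": "ContiWalega57@hotmail.com",
     "subject": "Notice TAX/PEN/2026-142 - Download Documents", "urls": ["https://adreses.vip/"]},
    {"msg_id": "m2", "from_name": "Alice", "from_addr": "alice@example.org",
     "subject": "Lunch?", "urls": ["https://example.org/menu"]},
]
```

The display-name mismatch rule fires independently of the indicator lists, so it keeps catching the same lure pattern after the sender address or domain rotates.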


Conclusion

Foresiet assesses this activity as an ongoing localized phishing infrastructure cluster. The campaign uses tax and invoice themes to move recipients from email into a document-download style landing page, while infrastructure pivots show repeated localization across business and tax contexts.

For security teams, the most useful takeaway is the infrastructure pattern: one email URL expanded into a broader cluster through DNS, RDAP, TLS, same-IP observations, and lure-theme pivots. Foresiet Threat Intelligence Team continues to monitor this activity closely, and additional updates will be issued as new infrastructure, payload, command-and-control, or email-header evidence emerges.
