Tax Document Phishing Campaign Leveraging Password-Protected Archive

ID: 12ceb131-f92d-4124-8c90-eb58f8d320a8

STIX ID: report--12ceb131-f92d-4124-8c90-eb58f8d320a8

Threat Score

65/100

Uploaded: 2026-04-13

Created by: Report Uploader

TLP:GREEN
### Executive Summary

On 10 April 2026, employees in finance and legal received password-protected ZIP attachments purportedly containing tax documents; opening the archive launched the malware Tax_Adjustment_Notice.scr, which queried http://203.0.113.41/update/check and dropped cachehost.dll to C:\ProgramData\TaxReview (SHA256: 3f1ca27fc0e4bb713db5e0b5df7f6706e07f53db715f96c7e73c1ee801ca3c42). The campaign leveraged tax-themed social engineering and password-protected archives to evade email scanning and deliver a persistent binary, producing actionable IOCs for detection and response.
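A sketch of how the indicators in the summary can be correlated per host across endpoint and proxy telemetry; this is an added example, not part of the original report. The event schema, host names and sample events are constructed, and attaching the SHA256 to the DLL write in the sample is an assumption, since the summary does not say which file the hash identifies.

```python
from collections import defaultdict
from ntpath import basename, dirname, normcase
from urllib.parse import urlsplit

# Indicators from the executive summary; matching is case-insensitive.
C2_HOST, C2_PATH = "203.0.113.41", "/update/check"
DROP_DIR = normcase(r"C:\ProgramData\TaxReview")
LURE_NAME, DLL_NAME = "tax_adjustment_notice.scr", "cachehost.dll"
SHA256 = "3f1ca27fc0e4bb713db5e0b5df7f6706e07f53db715f96c7e73c1ee801ca3c42"

def indicators(event):
    """Return the set of report indicators matched by one telemetry event."""
    hits, kind = set(), event.get("type")
    if kind == "process_start" and basename(event["image"]).lower() == LURE_NAME:
        hits.add("lure_executed")
    elif kind == "http":
        url = urlsplit(event["url"])
        if url.hostname == C2_HOST:
            hits.add("c2_checkin" if url.path.rstrip("/") == C2_PATH else "c2_host")
    elif kind == "file_write":
        path = normcase(event["path"])
        if dirname(path) == DROP_DIR:
            hits.add("dll_dropped" if basename(path) == DLL_NAME else "drop_dir_write")
    if event.get("sha256", "").lower() == SHA256:  # hash checked on any event type
        hits.add("hash_match")
    return hits

def correlate(events):
    """Merge hits per host: two or more distinct indicators -> 'compromised'."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= indicators(ev)
    return {host: ("compromised" if len(hits) >= 2 else "review", sorted(hits))
            for host, hits in per_host.items() if hits}

# Constructed sample telemetry (hypothetical hosts and schema, not from the report).
SAMPLE_EVENTS = [
    {"host": "FIN-WS-07", "type": "process_start",
     "image": r"C:\Users\a\AppData\Local\Temp\7zO1\Tax_Adjustment_Notice.scr"},
    {"host": "FIN-WS-07", "type": "http", "url": "http://203.0.113.41/update/check?v=1"},
    {"host": "FIN-WS-07", "type": "file_write", "sha256": SHA256.upper(),
     "path": r"c:\programdata\TAXREVIEW\CacheHost.dll"},
    {"host": "LEGAL-WS-02", "type": "http", "url": "http://203.0.113.41/"},
    {"host": "HR-WS-01", "type": "file_write", "path": r"C:\ProgramData\Other\cachehost.dll"},
]

if __name__ == "__main__":
    for host, (verdict, hits) in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, verdict, hits)
```

A host with a single weak hit, such as a connection to the IP without the check-in path, is returned as "review" rather than "compromised" so that it can be triaged separately.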