Threat actors leverage tax season to deploy tax-themed phishing campaigns

April 3, 2025, 7:05 p.m.

Description

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods such as URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid detection. They lead to phishing pages delivered via the RaccoonO365 platform, remote access trojans like Remcos, and other malware such as Latrodectus, BruteRatel C4, AHKBot, and GuLoader. The campaigns target various sectors, including engineering, IT, consulting, and accounting firms. Threat actors use social engineering techniques to mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. Microsoft provides detailed mitigation and protection guidance to help users and organizations defend against these tax-centric threats.

Date

  • Created: April 3, 2025, 5:19 p.m.
  • Published: April 3, 2025, 5:19 p.m.
  • Modified: April 3, 2025, 7:05 p.m.

Attack Patterns

  • BruteRatel C4
  • Latrodectus
  • AHKBot
  • Remcos
  • GuLoader - S0561
  • Storm-0249

Additional Information

  • Engineering
  • Information Technology
  • Consulting
  • Finance
  • United States of America