
Microsoft is warning of several phishing campaigns that are taking advantage of tax-related themes to deploy malware and steal credentials.
In a report shared with The Hacker News, Microsoft said, "These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments, and abuse legitimate services such as file-hosting services and business profile pages."
One notable aspect of these campaigns is that they lead to phishing pages distributed through a phishing-as-a-service (PhaaS) platform, an e-crime operation that first emerged in early December 2024.
Also delivered are remote access trojans (RATs) such as Remcos RAT, as well as other malware and post-exploitation frameworks such as Latrodectus, AHKBot, GuLoader, and Brute Ratel C4 (BRc4).
A campaign spotted by the tech giant on February 6, 2025, is estimated to have sent hundreds of emails targeting the United States ahead of the tax filing season in an attempt to deliver BRc4 and Latrodectus. The activity has been attributed to Storm-0249, an initial access broker previously known for distributing BazaLoader, IcedID, Bumblebee, and Emotet.
The attacks involve a PDF attachment containing a link that redirects users through a URL shortened with Rebrandly, ultimately taking them to a fake DocuSign page with the option to view or download the document.
"When users clicked the download button on the landing page, the outcome depended on whether their system and IP address were allowed to reach the next stage based on the rules set up by the actor," Microsoft said.
If access is allowed, the user is sent a JavaScript file that subsequently downloads a Microsoft Software Installer (MSI) for BRc4, which serves as a conduit to deploy Latrodectus. If the victim is not deemed a valuable enough target, they are sent a benign PDF document from chelagroupnyc[.]com.
Microsoft said it also discovered a second campaign between February 12 and 28, 2025, in which tax-themed phishing emails were sent to more than 2,300 organizations in the U.S., particularly in the engineering, IT, and consulting sectors.
In this case, the email message body had no content, but a PDF attachment contained a QR code pointing to a link associated with the RaccoonO365 PhaaS, which mimics Microsoft 365 login pages to trick users into entering their credentials.
In a sign that these campaigns come in various forms, tax-themed phishing emails have also been flagged as delivering other malware families such as AHKBot and GuLoader.
AHKBot infection chains have been found to direct users to a malicious Microsoft Excel file which, once opened and its macros enabled, downloads and runs an MSI file to launch an AutoHotKey script. That script then downloads a screenshot-capturing module that takes screenshots of the compromised host and exfiltrates them to a remote server.
The GuLoader campaign aims to trick users into clicking a URL inside a PDF email attachment, resulting in the download of a ZIP file.
"The ZIP file contains various .LNK files that mimic tax documents. If launched by the user, the .LNK file uses PowerShell to download a PDF and a .BAT file," Microsoft said.
The development comes a few weeks after Microsoft warned of another Storm-0249 campaign, in which users were redirected to fake websites advertising Windows 11 Pro in order to distribute an updated version of the Latrodectus loader malware via the Brute Ratel red-teaming tool.
Microsoft said in a series of posts on X, "The threat actor used Facebook to drive traffic to the fake Windows 11 Pro download pages, as we observed Facebook referrer URLs in many cases."
"Latrodectus 1.9, the malware's latest evolution first observed in February 2025, reintroduced the scheduled task for persistence and added command 23, which enables the execution of Windows commands via 'cmd.exe /c'."
The disclosure also follows a spike in campaigns that use QR codes in phishing documents to conceal malicious URLs as part of widespread attacks aimed at Europe and the U.S., resulting in credential theft.
Palo Alto Networks Unit 42 said in a report, "Analysis of the URLs extracted from the QR codes in these campaigns suggests that the attackers generally avoid including URLs that point directly to the phishing domain." "Instead, they often use URL redirection mechanisms or exploit open redirects on legitimate websites."
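As an added defensive example (not code from Microsoft's or Unit 42's reporting), the Python below triages URLs that have already been decoded from a QR code for the two shapes Unit 42 describes: shortener hosts, and redirect parameters on a legitimate domain that wrap the real destination. The shortener list, parameter names and sample URLs are constructed, and nothing is resolved over the network.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed shortlist of shortener hosts (rebrand.ly is Rebrandly, used in the
# Storm-0249 campaign above); extend it from your own threat intelligence.
SHORTENER_HOSTS = {"rebrand.ly", "bit.ly", "tinyurl.com", "t.co"}
# Parameter names that commonly carry a redirect destination on legitimate sites.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return",
                   "returnurl", "goto", "target", "dest", "u"}


def embedded_url(value):
    """Absolute URL hidden in a parameter value (decoded twice for double-encoding), or None."""
    decoded = unquote(unquote(value))
    for scheme in ("https://", "http://"):
        pos = decoded.lower().find(scheme)
        if pos != -1:
            return decoded[pos:]
    return None


def triage_url(url):
    """Return (flags, next_hop): heuristics for one URL plus any destination it embeds."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags, next_hop = [], None
    if host in SHORTENER_HOSTS:
        flags.append("shortener")  # true destination only known after resolution
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        target = embedded_url(value)
        if target is None:
            continue
        next_hop = target
        flags.append("embedded_url:" + key)
        if key.lower() in REDIRECT_PARAMS:
            flags.append("open_redirect_param")  # classic open-redirect shape
        if (urlsplit(target).hostname or "").lower() != host:
            flags.append("cross_domain_redirect")
    return flags, next_hop


def unwrap_chain(url, max_hops=5):
    """Peel nested redirect targets offline, from the QR URL to the innermost destination."""
    chain = [url]
    while len(chain) <= max_hops:
        _, nxt = triage_url(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


if __name__ == "__main__":  # constructed sample: legitimate host wrapping a lookalike login
    qr = "https://portal.example.com/auth?redirect_uri=https%3A%2F%2Fm365-login.example.net%2Fsign-in"
    print(triage_url(qr)[0], unwrap_chain(qr))
```

A URL that only triggers "shortener" still needs resolving in a sandbox before its destination can be judged; the chain unwrapping covers only destinations visible in the URL itself.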
The findings also come in view of multiple phishing and social engineering campaigns that have been flagged in recent weeks –
- The use of the browser-in-the-browser (BitB) technique to serve realistic browser pop-ups that trick Counter-Strike 2 players into entering their Steam credentials, with the likely goal of gaining access to those accounts
- The use of information-stealing malware to hijack Mailchimp accounts, allowing threat actors to send email messages in bulk
- The use of SVG files to bypass spam filters and redirect users to fake Microsoft login pages
- The use of trusted collaboration services like Adobe, DocuSign, Dropbox, Canva, and Zoho to bypass secure email gateways (SEGs) and steal credentials
- The use of emails impersonating music streaming services like Spotify and Apple Music with the goal of harvesting credentials and payment information
- The use of fake security alerts about suspicious activity on Windows and Apple Mac devices, shown on bogus websites to trick users into providing their system credentials
- The use of fake websites distributing trojanized Windows installers for the desktop versions of DeepSeek, i4Tools, and Youdao Dictionary to drop Gh0st RAT
- Billing-themed phishing emails distributing an information stealer called DarkCloud to target Spanish companies
- The use of phishing emails impersonating a Romanian bank to deploy an information stealer named MassLogger against organizations located in Romania
To mitigate the risks arising from these attacks, organizations should adopt phishing-resistant authentication methods for users, use browsers that can block malicious websites, and enable network protection to prevent applications or users from reaching malicious domains.