
Microsoft has warned of several phishing campaigns that are leveraging tax-related themes to deploy malware and steal credentials.
"These campaigns avoid detection by using redirect methods, particularly URL shorteners and QR codes, and abuse malicious attachments and legitimate services such as file hosting services and business profile pages," Microsoft said in a report shared with The Hacker News.
A notable aspect of these campaigns is that they lead to phishing pages built on a phishing-as-a-service (PhaaS) platform codenamed RaccoonO365, an e-crime platform that was first documented in early December 2024.
They also deliver remote access trojans (RATs) such as Remcos RAT, along with other malware and post-exploitation frameworks such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4).
One such campaign, discovered by the tech giant on February 6, 2025, is estimated to have sent hundreds of emails targeting the US ahead of the tax season in an attempt to deliver BRc4 and Latrodectus. The activity is attributed to Storm-0249, an initial access broker previously known for distributing BazarLoader, IcedID, Bumblebee, and Emotet.
The attacks involve PDF attachments containing links that redirect users to a shortened URL on Rebrandly.
"When a user clicked the download button on the landing page, the result depended on whether the system and IP address could access the next stage, based on filtering rules set by the threat actor," Microsoft said.

If access is permitted, the user is served a JavaScript file that downloads a Microsoft Software Installer (MSI) package for BRc4, which in turn acts as a conduit for deploying Latrodectus. If the victim is not deemed a valuable enough target, they are instead sent a benign PDF document from RoyaleGroupNyc[.]com.
Microsoft detected a second campaign between February 12 and 28, 2025, in which tax-themed phishing emails were sent to more than 2,300 US organizations, specifically targeting the engineering, IT, and consulting sectors.
In this case, the emails had no content in the message body but carried a PDF attachment containing a QR code that pointed to a credential-harvesting page mimicking the Microsoft 365 login page.
In a sign that these campaigns come in many different forms, tax-themed phishing emails have also been observed propagating other malware families such as AHKBot and GuLoader.

The AHKBot infection chain is known to direct users to malicious Microsoft Excel files that, once opened with macros enabled, download and run an MSI file that launches an AutoHotkey script.
The GuLoader campaign aims to trick users into downloading a ZIP file by clicking a URL embedded in a PDF email attachment.
"The ZIP file contained various .lnk files configured to mimic tax documents. When launched by the user, the .lnk file uses PowerShell to download a PDF and a .bat file," Microsoft said. "The .bat file then downloaded the GuLoader executable, which installed Remcos."

The development comes weeks after Microsoft warned of another Storm-0249 campaign that redirected users to a fake website advertising Windows 11 Pro in order to deliver an updated version of the Latrodectus loader malware via the BruteRatel red-teaming tool.
"Threat actors may have used Facebook to drive traffic to the Windows 11 Pro download pages, as the Facebook referrer URL was observed in multiple cases," Microsoft said in a series of posts on X.
"The malware's latest evolution, Latrodectus 1.9, first observed in February 2025, reintroduces scheduled tasks for persistence and adds command 23, allowing Windows commands to be executed via 'cmd.exe /c'."
The disclosure follows a surge in campaigns that use QR codes in phishing documents to disguise malicious URLs, as part of widespread attacks targeting Europe and the US that lead to credential theft.

"An analysis of URLs extracted from QR codes in these campaigns shows that attackers are usually avoiding including URLs that point directly to phishing domains," Palo Alto Networks Unit 42 said in a report. "Instead, they often use URL redirect mechanisms or utilize open redirects on legitimate websites."
The findings come in the wake of several other phishing and social engineering campaigns flagged in recent weeks:
- Use of Browser-in-the-Browser (BitB) techniques to hijack the Steam accounts of Counter-Strike 2 players, with the goal of reselling access to those accounts.
- Use of SVG files to host phishing pages that impersonate trusted collaboration services such as Adobe, DocuSign, Dropbox, Canva, and Zoho.
- Distribution of trojanized Windows installers for DeepSeek, i4tools, and Youdao Dictionary Desktop Edition via fake websites.
To mitigate the risks posed by these attacks, organizations should adopt phishing-resistant authentication methods for users, use browsers that can block malicious websites, and enable network protection to prevent applications or users from accessing malicious domains.
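Both the PDF-attachment campaign described earlier (a link inside the PDF that lands on a URL shortener) and the Unit 42 observation above (QR-code URLs that go through shorteners or open redirects rather than straight to a phishing domain) come down to the same triage question for a defender: what does a link in an attachment actually point to, and is it a redirect hop? The following Python is an added example, not code from Microsoft, Unit 42 or the article; it pulls the `/URI` link targets out of raw PDF bytes and labels each as a shortener, a redirect carrying another URL in its query string, or a direct link. The shortener host list, the helper names, and the sample PDF (with reserved `.example` domains and a made-up short link) are all constructed assumptions; decoding a QR code image into a URL would need an image library and is out of scope, so the classifier takes already-extracted URLs.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption: a small, illustrative list of URL-shortener hosts. A production
# filter would use a maintained feed; rebrand.ly is the default domain of the
# Rebrandly service, the others are common public shorteners.
URL_SHORTENER_HOSTS = {"rebrand.ly", "bit.ly", "tinyurl.com", "t.co", "is.gd"}

# Matches the target of a PDF /URI action written as a literal string, e.g.
# /A << /S /URI /URI (https://...) >>. Hex strings (<...>) and links hidden
# inside compressed object streams are NOT covered; inflate those first.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in raw PDF bytes, in file order."""
    uris = []
    for match in URI_ACTION_RE.finditer(pdf_bytes):
        # Drop PDF literal-string escape backslashes (e.g. "\(" -> "(").
        raw = match.group(1).replace(b"\\", b"")
        uris.append(raw.decode("latin-1"))
    return uris


def classify_url(url: str) -> str:
    """Label a URL as 'shortener', 'redirect' (its query string carries another
    absolute URL, the open-redirect pattern) or 'direct'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in URL_SHORTENER_HOSTS:
        return "shortener"
    for values in parse_qs(parsed.query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return "redirect"
    return "direct"


def triage_pdf(pdf_bytes: bytes) -> dict[str, str]:
    """Map each link target embedded in the PDF to its classification."""
    return {uri: classify_url(uri) for uri in extract_pdf_uris(pdf_bytes)}


# Constructed sample: a minimal single-page PDF carrying two link annotations.
# The short link is made up and the other hosts are reserved example names.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (https://rebrand.ly/constructed-tax-form) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 680]
  /A << /S /URI /URI (https://portal.example/redirect?next=https://login.phish.example/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    # Anything labelled 'shortener' or 'redirect' deserves a second look before
    # the final destination is trusted, since neither label reveals it.
    for uri, label in triage_pdf(SAMPLE_PDF).items():
        print(f"{label:9} {uri}")
```

The point of the two non-direct labels is that the host in the attachment tells you nothing about where the user ends up: a shortener or a redirect parameter hides the phishing domain from static URL reputation checks, which is exactly why the campaigns use them. Resolving the hop (in a sandbox, never from a user's workstation) or blocking shortener and open-redirect patterns at the mail gateway are the usual follow-ups.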