Cybercriminals Exploit Tax Season With IRS-Themed Malware Campaigns

Tax season has always been a prime time for phishing, but 2026 has seen a surge in organized, large-scale campaigns. Cybercriminals are impersonating the IRS, national tax authorities, and HR departments to trick users into installing malware or handing over credentials.

Campaign Overview

  • Scope: Over 100 tax-themed campaigns recorded so far this year.
  • Targets: Primarily the U.S., but also Canada, Australia, Switzerland, and Japan.
  • Tactics: Spoofed emails about expired tax documents, IRS filing notices, W-2 requests, and W-8BEN filings.
  • Payloads: Malware, credential-stealing pages, and Remote Monitoring & Management (RMM) tools.

Why RMM Payloads Are Dangerous

Attackers increasingly abuse legitimate RMM software like N-able, Datto, RemotePC, Zoho Assist, and ScreenConnect. Because these tools are digitally signed and trusted by enterprise systems, they can bypass traditional detection.

Example: On Feb 5, 2026, an IRS-themed phishing email linked to a Bitbucket-hosted executable that silently installed N-able RMM, giving attackers remote access.

Key Threat Actors

  • TA4922:
    • East Asia-based, financially motivated.
    • Uses ValleyRAT malware and multi-stage social engineering.
    • Begins with tax authority impersonation, then escalates to finance leadership before delivering malware.
  • TA2730:
    • Credential phishing group tracked since 2025.
    • Impersonates investment firms (Swissquote, Questrade).
    • Directs victims to fake login pages to steal account credentials.

Defensive Recommendations

  • Allow-list RMM tools: Only permit approved remote access software.
  • Employee training: Teach staff to spot tax-season phishing tactics.
  • Verify messages: Confirm any tax or HR-related email through official channels.
  • Check details: Watch for mismatched sender addresses or overly formal language.
  • Report suspicious emails: Escalate to IT/security teams immediately.
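As an added illustration of the RMM allow-list recommendation (example code, not from the original article), the Python below checks constructed software-install events against a hypothetical list of sanctioned RMM products and also reports a sanctioned tool fetched from a code-hosting site, mirroring the Bitbucket-hosted installer described earlier; the event format, hostnames and the single approved product are assumptions.

```python
"""Allow-list check for RMM installs, run over constructed software-inventory events."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RMM products named in the campaign reporting above (matched case-insensitively).
KNOWN_RMM = ("n-able", "datto", "remotepc", "zoho assist", "screenconnect")

# Hypothetical: the one RMM product this organisation has sanctioned.
APPROVED_RMM = {"screenconnect"}

# Code-hosting domain used as the installer source in the Feb 2026 lure; an RMM
# installer pulled from here is suspect even when the product itself is approved.
SUSPECT_SOURCE_HOSTS = ("bitbucket.org",)


@dataclass
class InstallEvent:          # constructed inventory record, not a real product schema
    host: str
    product: str
    publisher: str
    signed: bool
    source_url: str


def rmm_family(product: str) -> Optional[str]:
    """Return the matched RMM family, or None if the product is not an RMM tool."""
    name = product.lower()
    return next((fam for fam in KNOWN_RMM if fam in name), None)


def flag_unapproved_rmm(events: List[InstallEvent], approved=APPROVED_RMM) -> List[Tuple[str, str, str]]:
    """Return (host, product, reason) for each RMM install that violates the allow-list policy."""
    findings = []
    for ev in events:
        fam = rmm_family(ev.product)
        if fam is None:
            continue
        src_host = re.sub(r"^https?://", "", ev.source_url).split("/")[0].lower()
        if fam not in approved:
            findings.append((ev.host, ev.product, f"RMM family '{fam}' not on allow-list"))
        elif any(src_host.endswith(s) for s in SUSPECT_SOURCE_HOSTS):
            findings.append((ev.host, ev.product, f"approved RMM fetched from {src_host}"))
    return findings


# Constructed sample events; signed=True reflects that abused RMM binaries are legitimately signed.
SAMPLE_EVENTS = [
    InstallEvent("WS-014", "N-able Take Control Agent", "N-able", True, "https://bitbucket.org/acct/repo/downloads/irs_notice.exe"),
    InstallEvent("WS-022", "ScreenConnect Client", "ConnectWise", True, "https://rmm.example.internal/client.msi"),
    InstallEvent("WS-031", "ScreenConnect Client", "ConnectWise", True, "https://bitbucket.org/acct/repo/downloads/setup.exe"),
    InstallEvent("WS-040", "Office Suite", "Example Vendor", True, "https://cdn.example.com/office.msi"),
]

if __name__ == "__main__":
    for finding in flag_unapproved_rmm(SAMPLE_EVENTS):
        print(" | ".join(finding))
```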

Final Thought

Tax season phishing campaigns are evolving, blending legitimate-looking lures with trusted software abuse. With groups like TA4922 and TA2730 running organized operations, defenders must combine technical controls with employee awareness to stay ahead.
