(proofpoint.com) Tax-Themed Email Campaigns Surge: RMM Payloads, New Threat Actors, and Credential Phishing Targeting Multiple Countries
-
(proofpoint.com) Tax-Themed Email Campaigns Surge: RMM Payloads, New Threat Actors, and Credential Phishing Targeting Multiple Countries
Tax-themed campaigns surge in 2026, delivering RMM payloads, credential phishing, and malware via IRS/tax agency impersonation. Newly profiled TA4922 (Winos4.0/ValleyRAT) and TA2730 (W-8BEN phishing) expand the threat landscape targeting Japan, Canada, Australia, and Switzerland.
In brief - Cybercriminals exploit tax season with over 100 campaigns delivering RMM tools, credential phishing, and malware. TA4922 and TA2730 emerge as significant threats, leveraging IRS impersonation and W-2/W-8BEN lures for financial fraud and data theft.
Technically - Campaigns abuse N-Able, Datto, Zoho Assist, and other RMM tools via Bitbucket-hosted executables (e.g., SHA256: 844202972ff19afa760447fc87963de0fbbc0ebc69d50164f03ecf5d4e67952f). TA4922 deploys info-stealers (SHA256: d338a7f85737cac1a7b4b5a1cca94e33d0aa8260548667c6733225d4c20cb848) with C2 at 121[.]127[.]232[.]253:8443, overlapping with Silver Fox/Void Arachne. TA2730 uses phishing domains (e.g., bksgcefzqyb[.]com) for credential harvesting via W-8BEN lures. BEC actors request bulk W-2 data for downstream fraud.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-tax-scams-aim-steal-funds-taxpayers
-
R relay@relay.infosec.exchange shared this topic
