Security Brief: Threat Actors Take Taxes Into Account

Proofpoint researchers have detected an increase in phishing campaigns and malicious domains impersonating tax agencies and financial organizations, particularly during tax season. These campaigns target users in the UK, US, Switzerland and Australia, and use a range of deceptive lures to harvest credentials and deliver malware.

Affected: HM Revenue & Customs (HMRC), Intuit, myGov, Swiss Federal Tax Administration

Key points:

  • Increase in tax-themed phishing campaigns observed from December to April.
  • Multiple campaigns impersonating HMRC targeting UK users.
  • Phishing emails contained URLs leading to credential harvesting sites.
  • Hundreds of malicious tax-themed domains identified in US campaigns.
  • Campaigns impersonating Intuit with generic email sender details.
  • Fraudulent emails targeting Swiss organizations with payment requests.
  • Australian government-themed phishing campaigns targeting myGov users.
  • Malware delivery through tax-themed emails identified, including Rhadamanthys and zgRAT.
  • Organizations should educate users about phishing tactics related to tax themes.

MITRE Techniques:

  • Phishing (T1566) – Campaigns impersonating HMRC and Intuit to harvest user credentials.
  • Credential Dumping (T1003) – Use of credential harvesting websites to capture usernames and passwords.
  • Command and Control (T1071) – Rhadamanthys malware using PowerShell for remote script execution.
  • Malware Delivery (T1203) – Delivery of malware payloads through malicious email links.
  • Exploitation of Remote Services (T1210) – Exploiting legitimate services for credential theft.

Indicators of Compromise:

  • [url] hxxps://t[.]co/DL9vqURq7G
  • [url] hxxps://clearlivate[.]com/xxx/rest[.]html
  • [url] hxxps://pub-cbdc9a06673740a6aae9a5c61db6da30[.]r2[.]dev/indexqu[.]html
  • [url] hxxps://fotolap[.]com/[.]wp-admin/cgi-/intuit/inuit4//
  • [url] hxxps://revolut[.]me/swisstaxadm
  • Check the article for all found IoCs.
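As an added example (not code from the Proofpoint brief), the following Python refangs the defanged indicators listed above and matches them, by exact URL or by host alone, against a few constructed proxy-log lines; the log lines and the match logic are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators as listed in this brief (copied from the list above).
DEFANGED_IOCS = [
    "hxxps://t[.]co/DL9vqURq7G",
    "hxxps://clearlivate[.]com/xxx/rest[.]html",
    "hxxps://pub-cbdc9a06673740a6aae9a5c61db6da30[.]r2[.]dev/indexqu[.]html",
    "hxxps://fotolap[.]com/[.]wp-admin/cgi-/intuit/inuit4//",
    "hxxps://revolut[.]me/swisstaxadm",
]

# Constructed proxy-log lines (not real traffic): timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2024-03-12T09:14:03Z 10.0.0.21 GET https://www.gov.uk/log-in-register-hmrc-online-services 200",
    "2024-03-12T09:15:40Z 10.0.0.21 GET https://clearlivate.com/xxx/rest.html 200",
    "2024-03-12T09:16:02Z 10.0.0.33 GET https://pub-cbdc9a06673740a6aae9a5c61db6da30.r2.dev/other.html 200",
    "2024-03-12T09:17:11Z 10.0.0.33 GET HTTPS://Revolut.me/swisstaxadm/ 302",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a real URL for matching."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":").replace("[/]", "/")

def url_key(url: str) -> tuple:
    """Normalise to (lower-case host, path without trailing slash) so case and
    trailing-slash differences in the log do not hide a hit."""
    p = urlsplit(url)
    return (p.hostname or "").lower(), (p.path.rstrip("/") or "/")

def match_log(lines, defanged=DEFANGED_IOCS):
    """Return (line_no, indicator, match_type) for every log URL that hits an IoC.
    'url' is an exact host+path match; 'host' means only the domain matched."""
    exact = {url_key(refang(i)): i for i in defanged}
    hosts = {url_key(refang(i))[0]: i for i in defanged}
    hits = []
    for n, line in enumerate(lines, 1):
        for url in re.findall(r"https?://\S+", line, flags=re.IGNORECASE):
            key = url_key(url)
            if key in exact:
                hits.append((n, exact[key], "url"))
            elif key[0] in hosts:
                hits.append((n, hosts[key[0]], "host"))
    return hits

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(hit)
```

A host-only hit (such as the shared r2.dev bucket host above) is a weaker signal than an exact URL match and is worth reviewing rather than blocking outright.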


Full Research: https://www.proofpoint.com/us/blog/threat-insight/security-brief-threat-actors-take-taxes-account