{
	"id": "9a8bc098-72ac-4765-8e95-5fef61960f74",
	"created_at": "2026-04-06T00:16:30.768316Z",
	"updated_at": "2026-04-10T03:25:21.792869Z",
	"deleted_at": null,
	"sha1_hash": "1dc3456216f353409c0c7b0e134762d0cef74e47",
	"title": "Security Brief: Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1387377,
	"plain_text": "Security Brief: Threat Actors Pair Tax-Themed Lures With\r\nCOVID-19, Healthcare Themes | Proofpoint US\r\nBy Selena Larson, April 15, 2021\r\nPublished: 2021-04-14 · Archived: 2026-04-05 20:20:34 UTC\r\nOn 30 March 2021, the United States Internal Revenue Service (IRS) issued a security alert detailing an ongoing\r\nemail-based IRS impersonation campaign primarily targeting educational institutions. Impacted people included\r\nuniversity and college students and staffers using “.edu” email addresses.\r\nEducational institutions are not the only organizations that financially motivated threat actors have set their sights\r\non using tax-themed lures. Proofpoint observed similar threats impacting dozens of verticals from manufacturing\r\nto healthcare to energy. But this year is a bit different. Threat actors take advantage of every tax season by\r\nmounting tax-themed campaigns that aim to steal money and sensitive information. What makes 2021 unique are\r\nthe continuing and unprecedented pandemic, healthcare, and financial crises that these threat actors are combining\r\nwith typical tax lures in the ongoing campaigns Proofpoint observed.\r\nThese findings demonstrate threat actors are agile and flexible and take current events into account in their\r\ncampaign development to maximize their advantage and encourage victims to fall for their tactics.\r\nProofpoint observed over 30 tax-themed malicious email campaigns totaling over 800,000 email messages so far\r\nin 2021. These include attempts to compromise personal email accounts or steal sensitive personal data for likely\r\nfinancial gain. Proofpoint also observed multiple campaigns aligned with business email compromise activities.\r\nSuch attacks can be used to facilitate payroll fraud, costing victim organizations millions of dollars. 
\r\nCampaign Trends\r\nSo far in 2021, Proofpoint identified over 30 discrete campaigns targeting thousands of people from multiple\r\nthreat actors that leveraged malicious email lures associated with taxes, tax and refund support, and government\r\nrevenue entities. At least four threat actor groups tracked by Proofpoint have leveraged tax-themed malicious\r\nemail campaigns.\r\nCredential theft phishing attempts – which can be used to target individuals or leveraged for email account\r\ntakeovers – accounted for 40% of the tax-themed email campaigns, followed by remote access trojan (RAT)\r\ncampaigns at 17%. However, despite RATs featuring in fewer campaigns, they were far more popular in total\r\nmessage volume. Half of identified tax-themed and related messages containing malware were used to distribute\r\nthe Remcos RAT, a commodity malware with extensive data theft and surveillance capabilities. Other broad tax-themed malware distribution campaigns included Dridex, TrickBot, and ZLoader.\r\nOver the course of 2020, threat actors began increasingly leveraging Excel 4.0 (XL4) macros to distribute\r\nmalware, and this trend has continued in 2021. Proofpoint observed a 500% increase in tax-themed email threat\r\ncampaigns delivering weaponized XL4 macros in the first three months of 2021. Proofpoint assesses this is due to\r\nhttps://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes\r\nPage 1 of 7\n\nlimited detection coverage in modern security systems. (Although Microsoft still supports XL4 macros, the\r\ncompany suggests migrating them to the latest version of Microsoft Visual Basic for Applications.)\r\nCampaign Samples\r\nTrickBot\r\nOne of the most prolific IRS-themed malware campaigns leveraged IRS tax credit distribution for employee\r\nretention lures benefiting employers impacted by COVID-19. This campaign, identified in March 2021, contained\r\nover 18,000 messages to over 2,000 target entities. 
It distributed the TrickBot banking trojan. TrickBot is designed\r\nto steal banking information and acts as an initial payload for additional malware, gaining notoriety in 2018 for\r\ndistributing Ryuk ransomware, which reportedly accounted for a third of ransomware distributed by many actors\r\nacross the threat landscape in 2020.\r\nFigure 1: IRS-Themed Lure Offering an Employee Retention Credit\r\nUnlike typically observed activity, this TrickBot campaign distributed malicious Excel files leveraging the XLSB\r\nfiletype, a lightweight file format that can only be opened in Excel. Proofpoint assesses with moderate confidence\r\nthe threat actor leveraged this document format as it is less likely to be detected by anti-virus systems. Researchers\r\npreviously observed the multipurpose trojan QBot distributed via XLSB files in October 2020.\r\nDridex\r\nThe threat actor Proofpoint tracks as TA575 distributed emails purporting to be from IRS representatives\r\nassociated with the American Rescue Plan. The emails contained links to download Microsoft Excel documents\r\ncontaining macros that, when enabled, downloaded the Dridex malware designed to steal banking and other\r\npersonal information.\r\nAlso known as the COVID-19 Stimulus Package, the American Rescue Plan was signed into law on 11 March\r\n2021. The $1.9 trillion economic stimulus package aimed to provide financial relief to people and businesses in\r\nthe U.S.\r\nFigure 2: IRS Rescue Plan Lure\r\nThe TA575 campaign, which began in early March, included almost 16,000 messages and impacted over 1,800\r\norganizations across dozens of verticals.\r\nConsumer Credential Phishing\r\nTax-themed phishing attacks also occur globally, and one campaign Proofpoint identified posed as the United\r\nKingdom’s tax and customs authority, HM Revenue and Customs (HMRC). 
As part of the country’s COVID-19\r\nresponse, HMRC introduced multiple Self-Employment Income Support Schemes allowing people financially\r\nimpacted by the pandemic to claim financial aid.\r\nThe malicious email campaign that began in mid-February 2021 distributed messages with links that led to a fake\r\nSelf-Employment HMRC tax-themed authentication page designed to harvest user credentials.\r\nFigure 3: Her Majesty's Revenue and Customs Tax Refund Notification Lure\r\nTA574\r\nTypical IRS-themed lures remain popular. The cybercrime actor TA574 sent almost 40,000 messages in one\r\ncampaign using lures posing as the IRS and financial representatives. TA574 is an actor operating at a large scale\r\nthat indiscriminately targets multiple industries and attempts to deliver and install malware like banking trojans.\r\nThe IRS-themed emails contained malicious Microsoft Excel documents that requested that victims enable macros to\r\nview content, thereby downloading and executing the ZLoader malware on a victim machine. ZLoader is a typical\r\nbanking malware that steals credentials and other private information from users of targeted financial institutions.\r\nFigure 4: Internal Revenue Service Fake Case\r\nNew Client Tax Lures\r\nOne small campaign identified in March 2021 leverages subjects purporting to be requests from new clients or tax\r\nfiling assistance. The emails begin with a benign request for tax preparation assistance from \"John Stevens\" and\r\nhis wife. The emails target financial and accounting organizations in North America. If the recipient replies, they\r\nthen receive a follow-up email with a URL linking to a document that uses macros to drop a downloader that pulls\r\nin NetWire RAT. 
NetWire is typically used by criminal threat actors targeting a wide range of organizations\r\nincluding financial services, businesses, medical companies, and educational institutions.\r\nFigure 5: Phishing themes matching previous tax-themed campaigns distributing malware.\r\nProofpoint researchers have observed similar campaigns since 2018. Proofpoint assesses with high confidence the same\r\nthreat actor is responsible for these campaigns. This actor targets accounting, financial, and related industries\r\ntypically around tax season.\r\nConclusion\r\nTax season is a popular time for threat actors to conduct email-based attack campaigns designed to steal sensitive\r\ninformation for financial gain. In 2021, threat actors are often combining current events such as COVID-19 or\r\nhealthcare themes alongside typical tax lures to further entice victims.\r\nTo reduce the risk of successful exploitation, Proofpoint recommends the following:\r\nTrain users to spot and report malicious email. Regular training and simulated attacks can stop many\r\nattacks and help identify people who are especially vulnerable. The best simulations mimic real-world\r\nattack techniques. Look for solutions that tie into real-world attack trends and the latest threat intelligence.\r\nAt the same time, assume that users will eventually click some threats. Attackers will always find new\r\nways to exploit human nature. Find a solution that spots and blocks inbound email threats targeting\r\nemployees before they reach the inbox. Invest in a solution that can manage the entire spectrum of email\r\nthreats, not just malware-based threats. 
Some threats—including business email compromise (BEC) and\r\nother forms of email fraud—can be hard to detect with conventional security tools. Your solution should\r\nanalyze both external and internal email—attackers may use compromised accounts to trick users within\r\nthe same organization. Web isolation can be a critical safeguard for unknown and risky URLs.\r\nManage access to sensitive data and insider threats. A cloud access security broker can help secure\r\ncloud accounts and help you grant the right levels of access to users and third-party add-on apps based on\r\nthe risk factors that matter to you. Insider risk management platforms can help protect against insider\r\nthreats, including users compromised by external attacks.\r\nPartner with a threat intelligence vendor. Focused, targeted attacks call for advanced threat intelligence.\r\nLeverage a solution that combines static and dynamic techniques at scale to detect new attack tools, tactics,\r\nand targets—and then learns from them.\r\nSource: https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes"
	],
	"report_names": [
		"threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes"
	],
	"threat_actors": [
		{
			"id": "7583fbd4-2bc9-458d-81da-50b27b84e136",
			"created_at": "2023-02-15T02:01:49.565258Z",
			"updated_at": "2026-04-10T02:00:03.349283Z",
			"deleted_at": null,
			"main_name": "TA575",
			"aliases": [],
			"source_name": "MISPGALAXY:TA575",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434590,
	"ts_updated_at": 1775791521,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1dc3456216f353409c0c7b0e134762d0cef74e47.pdf",
		"text": "https://archive.orkl.eu/1dc3456216f353409c0c7b0e134762d0cef74e47.txt",
		"img": "https://archive.orkl.eu/1dc3456216f353409c0c7b0e134762d0cef74e47.jpg"
	}
}