{
	"id": "f4191bee-3901-497c-acef-c1f84f5ea1aa",
	"created_at": "2026-04-06T00:13:24.990241Z",
	"updated_at": "2026-04-10T03:22:13.748888Z",
	"deleted_at": null,
	"sha1_hash": "bd4aab518e89d4e01e5d3523aaa71fecf62234c5",
	"title": "Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 834289,
	"plain_text": "Cybereason Exposes Campaign Targeting US Taxpayers with NetWire\r\nand Remcos Malware\r\nBy Daniel Frank\r\nArchived: 2026-04-05 23:51:02 UTC\r\nOver the past year, the Cybereason Nocturnus Team has observed various trends among cyber criminals and nation-state\r\ngroups leveraging various global events such as COVID-19 and other topical themes and trending issues as phishing content\r\nto lure their victims into installing their malware of choice.\r\nAs the tax season is already here, Cybereason detected a new campaign targeting US taxpayers with documents that purport\r\nto contain tax-related content, ultimately delivering NetWire and Remcos - two powerful and popular RATs (remote access\r\ntrojans) which can allow attackers to take control of the victims’ machines and steal sensitive information.\r\nKey Points\r\nLeveraging US Tax Season to lure victims: Each year, by April 15th, all US citizens are expected to deliver their\r\ntax returns. Cybereason detected a phishing campaign targeting US taxpayers.\r\nDelivering two types of commodity malware: Two infamous remote access tools (RATs) are being used in this\r\ncampaign, NetWire and Remcos, each manifesting as binaries delivered via malicious documents.\r\nEvading heuristic and AV detection mechanisms: The malicious documents that infect the user are roughly 7MB\r\nin size, which allows them to evade traditional AV mechanisms and heuristic detection.\r\nAbuse of legitimate cloud services: The infection chain uses cloud services such as “imgur” to store the Netwire\r\nand Remcos payloads, hidden in image files\r\nSteganography: Payloads are concealed and downloaded within image files, combined with the fact they are hosted\r\non public cloud services makes them even harder to detect.\r\nExploiting legitimate OpenVPN clients: As a part of the infection process, a legitimate OpenVPN client is\r\ndownloaded and executed then sideloads a malicious DLL that drops NetWire/Remcos.\r\nBackground\r\nThe 
campaign bears resemblance to another campaign observed in April of 2020, which also delivered the NetWire RAT. Both NetWire and Remcos are commercial RATs available for purchase online at rather affordable prices of as little as US$10 per month. Both offer various licensing plans and follow the Malware-as-a-Service (MaaS) model, offering their customers subscription-based plans with services such as 24/7 support and software updates:\r\nhttps://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers\r\nPage 1 of 10\r\nRemcos and NetWire as offered on their websites\r\nCampaign Analysis\r\nInfection Vector: Lure Documents Containing a Malicious Macro\r\nThe infection vector that lures users into installing the malware is a tax-return-themed Word document containing a malicious macro:\r\nMalicious documents submitted to VirusTotal\r\nOnce the document is opened, the content in the background appears blurred, and the user must manually confirm the “Enable Editing” and “Enable Content” prompts:\r\nMalicious document content\r\nThis is a known social engineering method used to encourage the user to enable embedded macros to run on their machine. Once the content is enabled, an embedded and heavily obfuscated macro runs on the victim’s machine:\r\nPart of the embedded macro’s obfuscated code\r\nThe above code partially shows that the payload is eventually dropped in the user’s “Temp” directory:\r\nThe DLL dropped by the macro code\r\nFinally, the DLL is injected into notepad and continues the infection chain.\r\nLoaders\r\nThe “sid.dll” loader dropped by the macro was observed to have at least two different variants: one is a loader for Remcos, and the other is a loader for NetWire. Looking at their exports, both loaders share the same exported “payload” method:\r\nThe loader’s exported methods\r\nUpon execution, the “payload” method starts decrypting data using an XOR key:\r\nData decryption methods of the NetWire loader\r\nThe first decrypted part is additional executable code; the second decrypts the URL the loader connects to in order to download the next execution stage:\r\nThe decrypted initial C2 URL\r\nEventually, the malicious code is injected into “tracert.exe”, which downloads the OpenVPN client along with a trojanized DLL file called “libcrypto-1_1.dll” that is side-loaded by the OpenVPN client upon execution. A similar process, most likely by the same threat actor, was described earlier this year in an analysis of documents dating back to mid-2020. It then establishes persistence for the VPN client by configuring automatic execution of a .lnk file (C:\\Users\\%username%\\AppData\\Local\\Temp\\openvpn-gui.lnk).\r\nOpenVPN DLL Sideloading\r\nThe malicious code in the sideloaded DLL unpacks an additional DLL in memory and injects it into “notepad.exe”. A secondary payload hidden in an image file is then downloaded from “imgur.com”, a well-known cloud image storage service. The decrypted payload can be either NetWire or Remcos:\r\nScreenshot of an image concealing a malicious payload\r\nRemcos\r\nThe features of the Remcos RAT are listed on its official website and include:\r\n• Remote execution of shell commands on the infected machine\r\n• Downloading and execution of additional payloads\r\n• Screen capture\r\n• Clipboard data management\r\nThe version used in this campaign is 3.0.0 Professional, which also offers support and software updates:\r\nRemcos variant as seen in its code\r\nNetWire\r\nNetWire has been active for years, and in 2019 a new version was spotted in the wild. Some of the most notable features of NetWire include:\r\n• Downloading and execution of additional payloads\r\n• File and system managers\r\n• Screen capture\r\n• Browser credentials and history theft\r\n• Gathering information about the victim’s system\r\nSimilar to Remcos, the NetWire malware also contains indicative hardcoded strings:\r\nNetWire hardcoded strings\r\nCybereason Detection and Prevention\r\nThe Cybereason Defense Platform detects the execution of the malicious Word document used in the operation:\r\nOnce persistence is created in the first stage, the second stage of the attack is also detected, with Remcos/NetWire observed injected into cmd.exe:\r\nCorresponding Malops(™) are then triggered:\r\nWhen the malicious sideloaded DLL is loaded by “openvpn-gui” in Prevention Mode, the Cybereason Defense Platform also detects the code injection into “notepad.exe” and prevents it from executing further:\r\nConclusion\r\nSocial engineering via phishing has been, and continues to be, the preferred infection method among cyber criminals and nation-state threat actors alike. In order to succeed, the threat actor must choose an interesting theme that is likely to lure its victim into opening the weaponized document or link.\r\nIn this campaign, we have shown how cybercriminals are leveraging the US tax season to infect American taxpayers with the Remcos and NetWire remote access trojans, granting the malware operators full access to and control over the victims’ machines. The sensitive information collected from the victims can be used by the attackers to carry out financial fraud or can be traded in underground communities.\r\nCybereason also noticed that the threat actor designed the campaign to stay under the radar, using techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against legitimate software.\r\nMITRE ATT\u0026CK BREAKDOWN\r\nExecution: Native API; Exploitation for Client Execution; Command and Scripting Interpreter; Scheduled Task/Job; System Services: Service Execution\r\nPersistence: Hijack Execution Flow: DLL Sideloading; Event Triggered Execution: Application Shimming; Create or Modify System Process: Windows Service\r\nPrivilege Escalation: Process Injection\r\nDefense Evasion: Deobfuscate/Decode Files or Information; Obfuscated Files or Information; Masquerading; Virtualization/Sandbox Evasion; Obfuscated Files or Information: Steganography; Obfuscated Files or Information: Software Packing\r\nCredential Access: OS Credential Dumping; Credential API Hooking\r\nDiscovery: System Time Discovery; Account Discovery; System Service Discovery; File and Directory Discovery; System Information Discovery; Software Discovery: Security Software Discovery; Process Discovery; System Network Configuration Discovery\r\nCollection: Input Capture: Credential API Hooking; Screen Capture; Video Capture; Clipboard Data\r\nCommand and Control: Ingress Tool Transfer; Encrypted Channel; Remote Access Software; Non-Application Layer Protocol; Application Layer Protocol\r\nSource: https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers"
	],
	"report_names": [
		"cybereason-exposes-malware-targeting-us-taxpayers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd4aab518e89d4e01e5d3523aaa71fecf62234c5.pdf",
		"text": "https://archive.orkl.eu/bd4aab518e89d4e01e5d3523aaa71fecf62234c5.txt",
		"img": "https://archive.orkl.eu/bd4aab518e89d4e01e5d3523aaa71fecf62234c5.jpg"
	}
}