Microsoft is warning of several phishing campaigns that use tax-related themes to deploy malware and steal credentials.
“These campaigns, in particular –” Microsoft noted in a report shared with The Hacker News.
A notable aspect of these campaigns is that they lead to phishing pages served by RaccoonO365, a phishing-as-a-service (PhaaS) e-crime platform that first appeared in early December 2024.
Also delivered are remote access trojans (RATs) such as Remcos RAT, as well as other malware and post-exploitation frameworks such as Latrodectus, AHKBot, GuLoader and BruteRatel C4 (BRc4).
One of these campaigns, observed by the tech giant on February 6, 2025, is estimated to have sent hundreds of emails targeting the United States ahead of the tax filing season in an attempt to deliver BRc4 and Latrodectus. The activity has been attributed to Storm-0249, an initial access broker previously known for distributing BazaLoader, IcedID, Bumblebee and Emotet.
The attacks involve PDF attachments containing a link that redirects users to a URL shortened with Rebrandly, which ultimately leads them to a counterfeit DocuSign page offering the option to view or download the document.
“When users clicked the Download button on the landing page, the outcome depended on whether their system and IP address were allowed to access the next stage, based on filtering rules set up by the threat actor,” Microsoft said.
If access is allowed, the user is sent a JavaScript file that in turn downloads a Microsoft Software Installer (MSI) package for BRc4, which is then used to deploy Latrodectus. If the victim is not deemed a valuable target, they are served a benign PDF document from royalegroupnyc[.]com.
Microsoft said it also discovered a second campaign between February 12 and 28, 2025, in which phishing emails were sent to more than 2,300 organizations in the US, particularly targeting the engineering, IT and consulting sectors.
In this case, the emails had no content in the message body, but carried a PDF attachment containing a QR code that pointed to a link associated with the RaccoonO365 PhaaS, which mimics Microsoft 365 login pages to trick users into entering their credentials.
In a sign that these campaigns come in various forms, tax-themed phishing emails have also been observed distributing other malware such as AHKBot and GuLoader.
AHKBot infection chains have been found to direct users to sites hosting a malicious Microsoft Excel file which, when opened with macros enabled, downloads and runs an MSI file that launches an AutoHotKey script, which then downloads a screenshot module to capture screenshots from the compromised host.
GuLoader, for its part, aims to deceive users into clicking a URL present in a PDF email attachment, which leads to the download of a ZIP file.
“The ZIP file contained various .lnk files designed to mimic tax documents. If launched by the user, the .lnk file uses PowerShell to download a PDF and a .bat file,” Microsoft said.
The development comes weeks after Microsoft warned of another Storm-0249 campaign that redirected users to fake websites advertising Windows 11 Pro in order to deliver an updated version of the Latrodectus loader via the BruteRatel red team tool.
“The threat actor is likely –” Microsoft noted in a series of posts on X.
“Latrodectus 1.9, the latest evolution of the malware, first observed in February 2025, reintroduced the scheduled task for persistence and added command 23, which enables the execution of Windows commands via ‘CMD.exe /C’.”
The disclosure also follows a surge in campaigns using QR codes in phishing documents to disguise malicious URLs as part of widespread attacks aimed at Europe and the US, resulting in credential theft.
“Analysis of the URLs extracted from the QR codes in these campaigns shows that the attackers typically avoid including URLs that point directly to the phishing domain,” Palo Alto Networks Unit 42 noted in a report. “Instead, they often use redirection mechanisms or exploit open redirects on legitimate websites.”
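As an added illustration (not code from Microsoft's or Unit 42's reports), the following Python snippet shows how a defender might triage URLs that have already been extracted from QR codes or PDF links: it flags URL-shortener hosts and open-redirect patterns and records the final destination host rather than trusting the visible domain. The shortener list, the redirect parameter names and the sample URLs are constructed for the example; `rebrand.ly` is assumed to be Rebrandly's public short-link domain.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed list of shortener hosts; extend it from your own threat intel.
SHORTENER_HOSTS = {"rebrand.ly", "bit.ly", "tinyurl.com", "t.co", "is.gd"}

# Query-parameter names often used by redirect endpoints (heuristic, not exhaustive).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto", "target", "u"}

# Constructed sample input, as if decoded from QR codes in a batch of PDF attachments.
SAMPLE_URLS = [
    "https://rebrand.ly/abc123",
    "https://www.example-legit.test/redirect?url=https%3A%2F%2Flogin-example.test%2Fm365",
    "https://www.example-legit.test/docs/tax-form.pdf",
]

def defang(url: str) -> str:
    """Defang a URL so it can be pasted into a ticket or report without being clickable."""
    return url.replace("http", "hxxp").replace(".", "[.]")

def embedded_url(query: str):
    """Return (param, target) if a query value is itself an absolute http(s) URL."""
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            candidate = unquote(value)  # second decode catches double-encoded values
            if candidate.lower().startswith(("http://", "https://")):
                return key, candidate
    return None

def triage_url(url: str) -> dict:
    """Classify one URL: shortener, open-redirect candidate, or neither."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []
    if host in SHORTENER_HOSTS:
        findings.append("url-shortener")
    hit = embedded_url(parsed.query)
    final_host = host
    if hit:
        param, target = hit
        # Flag regardless of parameter name; note whether the name is a known redirect key.
        label = "open-redirect-candidate" if param.lower() in REDIRECT_PARAMS else "embedded-url"
        findings.append(f"{label}:{param}")
        final_host = (urlparse(target).hostname or "").lower()
    return {"visible_host": host, "final_host": final_host,
            "findings": findings, "defanged": defang(url)}

def flag_suspicious(urls):
    """Return triage records for every URL that produced at least one finding."""
    return [r for r in map(triage_url, urls) if r["findings"]]
```

The visible host of the second sample is the legitimate-looking site, while `final_host` is the login-page domain the redirect actually delivers the user to, which is the value worth blocking or hunting on.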
The findings also follow several phishing and social engineering campaigns that have been flagged in recent weeks –
- Use of the browser-in-the-browser (BitB) technique to serve phishing pages
- Use of information-stealing malware to hijack MailChimp accounts, allowing the threat actor to send emails in bulk
- Abuse of SVG files to bypass spam filters and redirect users to fake Microsoft login pages
- Abuse of trusted collaboration services like Adobe, DocuSign, Dropbox, Canva and Zoho to bypass secure email gateways (SEGs) and steal credentials
- Use of emails spoofing music streaming services such as Spotify and Apple Music to harvest credentials and payment information
- Use of fake security alerts about suspicious activity on Windows and Apple Mac devices, hosted on bogus websites, to trick users into handing over their system credentials
- Use of fake websites distributing trojanized Windows installers for the DeepSeek, i4Tools and Youdao Dictionary desktop editions that drop Gh0st RAT
- Use of phishing emails with invoice-themed lures targeting Spanish companies to distribute the DarkCloud information stealer
- Use of phishing emails impersonating a Romanian bank to deploy an information stealer called MassLogger, targeting organizations located in Romania
To mitigate the risks posed by these attacks, it is essential that organizations adopt phishing-resistant authentication methods, use browsers that can block malicious websites, and enable network protection to prevent applications or users from reaching malicious domains.