Tax Scams Spread Malware Through PDFs and QR Codes

Tax scams are becoming more dangerous, with new phishing campaigns using PDF attachments and QR codes to infect devices and steal login credentials.

According to a report, attackers send fake tax-related emails, often during tax season. These messages contain malicious PDFs that lead to phishing pages or install malware.

Some campaigns use a phishing-as-a-service tool known as RaccoonO365. This service mimics Microsoft 365 login screens to trick users into entering personal information.

PDF Attachments Deliver Malware

One campaign, discovered on February 6, 2025, targeted U.S. users. It used fake DocuSign pages to lure people into downloading malware.

When users clicked the download button, attackers filtered access based on their IP addresses. If approved, users received a script that installed advanced malware like Latrodectus and BRc4.

If not, they were sent a harmless document to avoid suspicion.

QR Codes in Emails Add Another Layer

In another campaign between February 12 and 28, over 2,300 U.S. companies received blank emails. These emails contained a PDF with a QR code linked to a phishing site.

This site, again powered by RaccoonO365, copied Microsoft’s login pages to steal user credentials.

Other Malware Also Delivered

Attackers didn’t stop with one malware type. Campaigns also delivered tools like Remcos RAT, AHKBot, and GuLoader. For example, one attack tricked users into opening fake tax files. These files downloaded scripts that recorded screenshots and sent them to a remote server.

Another campaign used PowerShell to install GuLoader, which later downloaded Remcos. These tools allow full control over infected systems.

Advanced Tactics Make Detection Harder

The attackers used smart tricks to avoid detection. They:

  • Used URL shorteners like Rebrandly
  • Exploited QR codes to disguise malicious links
  • Leveraged trusted services like Dropbox and Canva
  • Spoofed music apps and banking services
  • Embedded malware in SVG files and fake installers

Each tactic aims to bypass email filters and gain user trust.
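
As an added example (not from the report or any vendor tool), here is a mail-triage heuristic for two patterns described above: a blank email whose only content is a PDF, and SVG attachments. The function names, finding labels and sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment kinds named in the article, keyed by declared MIME type.
RISKY_TYPES = {"application/pdf": "pdf", "image/svg+xml": "svg"}

def attachment_kind(part):
    """Classify by declared type, falling back to the filename extension."""
    name = (part.get_filename() or "").lower()
    kind = RISKY_TYPES.get(part.get_content_type())
    return kind or next((k for k in ("pdf", "svg") if name.endswith("." + k)), None)

def triage(raw):
    """Return heuristic findings for one raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    body, kinds = "", set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            kinds.add(attachment_kind(part))
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_content()
    # Markup alone does not count as a body: drop tags and entities first.
    visible = re.sub(r"<[^>]*>|&\w+;", "", body).strip()
    findings = []
    if "pdf" in kinds and not visible:
        findings.append("blank-body-with-pdf")
    if "svg" in kinds:
        findings.append("svg-attachment")
    return findings

def make_sample(body, filename, maintype, subtype, html=False):
    """Build a constructed test message; no real campaign data is used."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = "Tax document"
    m.set_content(body, subtype="html" if html else "plain")
    m.add_attachment(b"placeholder", maintype=maintype, subtype=subtype,
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(make_sample("\n", "form.pdf", "application", "pdf")))
```

A finding here is a reason to quarantine or review a message, not proof that it is malicious; legitimate senders also send PDFs with empty bodies.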

How to Prevent These Attacks

To stay safe from tax-themed scams and malware:

  • Use phishing-resistant authentication methods
  • Avoid opening unknown PDFs or scanning unknown QR codes
  • Only install apps from trusted sources
  • Update all systems and browsers regularly
  • Use secure browsers and anti-malware tools

Tax season is a busy time for cybercriminals. However, staying alert and using modern protections can help stop these attacks before they succeed.
