
This week, we briefed our clients on tax-related phishing scams distributing malware and explained the increase in Internet-facing technology scans.
KEY TAKEAWAYS
- Various IRS and tax-themed phishing campaigns are stealing credentials and deploying malware. Learn how to protect your organization.
- Increase in scanning activity for edge-facing devices. Ensure devices are fully patched and properly configured.
- Critical vulnerabilities in VMware and CrushFTP. Patch now!
‘Tis the Season for Tax Scams
As the deadline for filing taxes in the U.S. quickly approaches, threat actors have been increasing phishing scams with tax-related themes. In a recent security blog from Microsoft, they detail several of these phishing campaigns that have been used to distribute various forms of malware. This article will highlight the techniques and lures observed in these campaigns, and provide guidance on how to stop these attacks from affecting your organization.
IRS-themed Phishing Emails
An initial access broker Microsoft tracks as Storm-2049 was observed distributing thousands of emails with IRS-related themes to deliver Latrodectus and Brute Ratel C4. Latrodectus is a form of "loader" malware that is primarily used for initial access and delivery of further malicious payloads. It can create scheduled tasks for persistence and run basic Windows commands. Brute Ratel C4 is a commercial red teaming tool similar to Cobalt Strike that provides comprehensive command and control (C2) capabilities.
These phishing emails contain subject lines such as "Notice: IRS Has Flagged Issues with Your Tax Filing" and carry PDF attachments with file names such as "Irs_Verification_Form_1773.pdf". The PDFs contain embedded URLs that lead to a Rebrandly URL-shortening link, which in turn leads to a fake DocuSign page. When the user clicks the Download button for the fake document, the outcome depends on the user's IP address: either the user downloads a malicious JavaScript payload that then downloads and executes a Microsoft Software Installer (MSI) file containing Brute Ratel C4 and Latrodectus, or the user is served a benign PDF file so the campaign avoids detection.
Examples of this campaign are below:
Fig. 1: Sample Phishing Email with IRS Theme | Source: Microsoft
Fig. 2: Fake DocuSign Document | Source: Microsoft
Phishing Emails with QR Code in PDF
In February, Microsoft observed tax-themed phishing emails that had an empty email body, but contained a PDF with a QR code, with email subjects urging the email recipient that the document needed to be signed. The embedded QR code linked to shareddocumentso365cloudauthstorage[.]com. Microsoft attributes this URL to RacoonO365, a phishing-as-a-service operator that provides phishing kits mimicking Microsoft 365 sign-in pages that are used to steal sign-in credentials.
Excel Files Drop AHKBot
In a separate IRS-themed phishing campaign, emails with the subject "IRS Refund Eligibility Notification" sent from "jessicalee@eboxsystems[.]com" prompted recipients to click the following hyperlink:
hxxps://business.google[.]com/website_shared/launch_bw[.]html?f=hxxps://historyofpia[.]com/Tax_Refund_Eligibility_Document[.]xlsm
This link masquerades as a legitimate Google Business page, but redirects to the likely compromised site historyofpia[.]com and serves a malicious Excel file. The user is prompted to enable macros, and if they do, an MSI file is downloaded and run. The MSI file contains a legitimate copy of an executable that runs AutoHotKey script files, and a second file called AutoNofify.ahk, which is the AHKBot Looper malware; it runs in an infinite loop and can download further AutoHotKey scripts. Microsoft observed AHKBot downloading "Screenshotter", which captures screenshots on the compromised device and sends them to the C2 server at 181.49.105[.]59.
How to Protect Your Organization
- User Awareness & Education - The first line of defense from these types of attacks is the user. Users should be aware of these types of scams and be trained on how to identify potentially malicious URLs or attachments. Users should be advised to never click on unsolicited QR codes or enable/run macros.
- Enforce Multi-Factor Authentication (MFA) - MFA should be enabled for all user accounts with zero
- Endpoint Detection and Response (EDR) - Up-to-date EDR tools should be deployed to all possible endpoints. Policies for EDR tools should be set to "prevent" or "block" so they can take immediate action if threats are identified.
- Network Monitoring - Network monitoring tools such as PacketWatch can be used to identify traffic to malicious domains or IPs. Example PacketWatch queries for the indicators in this report:
- host:(historyofpia.com)
- *.ip:(181.49.105.59)
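The same indicator matching can be done offline against exported proxy or DNS logs when a network monitoring tool is not available. The script below is an added example, not PacketWatch code or Microsoft's detection logic; the indicators are the ones named in this report (with the defanging brackets removed), and the log lines and the space-separated log format are constructed for the example. It also handles the redirect lure from the AHKBot campaign, where the malicious host is nested inside the query string of an otherwise legitimate Google URL, and it avoids matching look-alike domains that merely end with the same characters.

```python
from __future__ import annotations

import ipaddress
import re

# Indicators taken from the report above (defanged brackets removed for matching).
IOC_DOMAINS = {
    "historyofpia.com",                        # AHKBot campaign, compromised site
    "shareddocumentso365cloudauthstorage.com", # RaccoonO365 QR-code phishing page
    "eboxsystems.com",                         # sender domain of the IRS refund lure
}
IOC_IPS = {ipaddress.ip_address("181.49.105.59")}  # Screenshotter C2

# Constructed sample log lines (not real traffic) in a simple space-separated format:
# <timestamp> <src_ip> <dst_ip> <url-or-hostname>
SAMPLE_LOGS = """\
2025-04-04T09:12:01Z 10.0.0.15 142.250.72.14 https://business.google.com/website_shared/launch_bw.html?f=https://historyofpia.com/Tax_Refund_Eligibility_Document.xlsm
2025-04-04T09:12:05Z 10.0.0.15 203.0.113.7 https://historyofpia.com/Tax_Refund_Eligibility_Document.xlsm
2025-04-04T09:13:40Z 10.0.0.15 181.49.105.59 http://181.49.105.59/upload
2025-04-04T09:14:02Z 10.0.0.22 198.51.100.9 https://www.example.com/
2025-04-04T09:15:11Z 10.0.0.31 203.0.113.40 https://login.shareddocumentso365cloudauthstorage.com/common/oauth2
2025-04-04T09:16:00Z 10.0.0.31 203.0.113.41 https://notreallyhistoryofpia.com/
"""

# Every "scheme://host" occurrence in a string, including ones nested in query parameters.
HOST_RE = re.compile(r"https?://([^/\s?&#:]+)", re.IGNORECASE)


def hostnames_in(url: str) -> list[str]:
    """Return every hostname found in a URL, outer host first, nested hosts after it."""
    return [h.lower() for h in HOST_RE.findall(url)]


def matches_domain(host: str) -> str | None:
    """Exact or subdomain match only; 'notreallyhistoryofpia.com' must not match."""
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def matches_ip(value: str) -> str | None:
    """Return the indicator IP if value is an IP literal on the list."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    return str(ip) if ip in IOC_IPS else None


def scan_logs(text: str) -> list[tuple[int, str]]:
    """Return (line_number, reason) pairs for every log line touching an indicator."""
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash mid-review
        _ts, _src, dst_ip, url = parts[:4]
        reasons: set[str] = set()
        if (r := matches_ip(dst_ip)):
            reasons.add(f"dst_ip {r}")
        for host in hostnames_in(url):
            if (d := matches_domain(host)):
                reasons.add(f"domain {d}")
            elif (r := matches_ip(host)):
                reasons.add(f"ip-literal {r}")
        for reason in sorted(reasons):
            hits.append((n, reason))
    return hits


if __name__ == "__main__":
    for line_no, reason in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {reason}")
```

Lines 1, 2, 3 and 5 of the sample are flagged; line 6 is not, because the subdomain check requires a dot before the indicator domain. Replace `SAMPLE_LOGS` with the contents of a real export in the same four-column shape to run it over late-March traffic.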
Resources:
- https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/
- https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods?ocid=magicti_ta_learndoc
- https://thehackernews.com/2025/04/microsoft-warns-of-tax-themed-email.html
- https://www.morado.io/blog-posts/understanding-raccoono365-phishing-as-a-service
Increase in Scanning Activity Against Internet-facing Tech
In a recent security blog, GreyNoise identified a large increase in activity targeting a variety of technologies on March 28. Targeted devices included Ivanti, SonicWall, Zoho, Zyxel, F5, and Linksys. On March 31, GreyNoise released a second blog identifying 24,000 unique IP addresses that have been targeting Palo Alto Networks PAN-OS GlobalProtect portals.
This unusual spike in scanning activity suggests threat actors are stepping up reconnaissance of, or exploitation attempts against, these devices. It is imperative that organizations ensure any device or service exposed to the internet is fully patched. Access to the management interfaces of edge devices should be restricted to trusted IPs only. Organizations running these technologies are encouraged to review logs from late March for unusual activity.
How to Protect Your Organization
- Establish a regular patching schedule for all internet-facing systems.
- Subscribe to vulnerability mailing lists so you are notified of critical vulnerabilities discovered in your devices.
- Ensure all your internet-facing technology is documented.
- Perform regular external vulnerability detection scans to identify known vulnerabilities and to identify potential undocumented devices on your public-facing netblocks.
- Ensure edge devices are properly configured:
- Unwanted/unused services are disabled.
- Default accounts are disabled.
- Management interfaces are restricted.
Resources:
- https://www.greynoise.io/blog/heightened-in-the-wild-activity-key-technologies
- https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity
- https://thehackernews.com/2025/04/nearly-24000-ips-target-pan-os.html
Vulnerability Roundup
VMware Tools For Windows Authentication Bypass
On March 25, Broadcom issued security updates for VMware Tools for Windows, a set of drivers and utilities that improve performance for guest operating systems running in VMware virtual machines. The authentication bypass vulnerability, tracked as CVE-2025-22230, allows threat actors "with non-administrative privileges on a Windows guest VM" to "gain ability to perform certain high-privilege operations within that VM", according to the advisory. This vulnerability poses increased risk when chained with other critical vulnerabilities, such as the set of three vulnerabilities patched in early March that allow privileged or root users to escape the VM and pivot to the hypervisor. Administrators are urged to upgrade VMware Tools to version 12.5.1 or higher as soon as possible.
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518
- https://www.bleepingcomputer.com/news/security/broadcom-warns-of-authentication-bypass-in-vmware-windows-tools/
- https://packetwatch.com/resources/threat-intel/cyber-threat-intelligence-03-10-2025
CrushFTP Authentication Bypass
CrushFTP released a security update detailing a critical vulnerability they track as CVE-2025-31161. Other vendors are tracking this vulnerability as CVE-2025-2825, and there is some dispute as to the official CVE for it. The vulnerability allows a remote, unauthenticated attacker to gain access via specially crafted HTTP requests. Proof-of-concept exploit code for this vulnerability is available in the wild. Per the vendor advisory, CrushFTP versions 11.0.0 to 11.3.0 and 10.0.0 to 10.8.3 are vulnerable. Administrators are urged to update to version 11.3.1+ or 10.8.4+ as soon as possible.
- https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation
- https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-next-js-cve-2025-29927/
- https://thehackernews.com/2025/03/new-security-flaws-found-in-vmware.html
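Both roundup items come down to a version check against an inventory, and the branch-specific CrushFTP ranges (11.3.0 is vulnerable while 11.3.1 is fixed; 10.8.3 versus 10.8.4) are easy to get wrong with a string comparison. The script below is an added example, not vendor code or a scanner: it encodes the affected ranges and fixed versions exactly as stated in this report, treats every VMware Tools for Windows build older than 12.5.1 as unpatched (an assumption, since the report only says "upgrade to 12.5.1 or higher"), and runs the check over a constructed asset inventory.

```python
from __future__ import annotations

import re

# Affected ranges as stated in the report. Each entry is (first_vulnerable, fixed_in):
# a version v is vulnerable when first_vulnerable <= v < fixed_in.
ADVISORIES = {
    "crushftp": {
        "cve": "CVE-2025-31161 (also tracked as CVE-2025-2825)",
        "ranges": [("11.0.0", "11.3.1"), ("10.0.0", "10.8.4")],
    },
    "vmware-tools-windows": {
        "cve": "CVE-2025-22230",
        # Assumption: the report only says "upgrade to 12.5.1 or higher",
        # so anything older than 12.5.1 is treated as unpatched.
        "ranges": [("0.0.0", "12.5.1")],
    },
}

# Constructed inventory for the example: (hostname, product, installed version).
INVENTORY = [
    ("ftp-01", "crushftp", "11.3.0"),
    ("ftp-02", "crushftp", "10.8.4"),
    ("ftp-03", "crushftp", "10.8.10"),
    ("vm-01", "vmware-tools-windows", "12.4.5"),
    ("vm-02", "vmware-tools-windows", "12.5.1"),
    ("ftp-04", "crushftp", "11.3"),
]


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '11.3.0', 'v12.5.1' or '11.3' into a tuple of ints, padded to at least
    three components so '11.3' compares equal to '11.3.0' rather than below it."""
    nums = [int(n) for n in re.findall(r"\d+", s)]
    if not nums:
        raise ValueError(f"no numeric version in {s!r}")
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def assess(product: str, version: str) -> dict:
    """Return a status record for one installed product version."""
    adv = ADVISORIES.get(product)
    if adv is None:
        return {"product": product, "version": version, "status": "no advisory tracked"}
    v = parse_version(version)
    for first_vulnerable, fixed_in in adv["ranges"]:
        if parse_version(first_vulnerable) <= v < parse_version(fixed_in):
            return {
                "product": product,
                "version": version,
                "status": "vulnerable",
                "cve": adv["cve"],
                "upgrade_to": fixed_in,
            }
    return {
        "product": product,
        "version": version,
        "status": "patched or outside affected range",
        "cve": adv["cve"],
    }


def triage(inventory: list[tuple[str, str, str]]) -> list[dict]:
    """Assess every inventory row, keeping the hostname on each record."""
    return [assess(product, version) | {"host": host} for host, product, version in inventory]


if __name__ == "__main__":
    for rec in triage(INVENTORY):
        extra = f" -> upgrade to {rec['upgrade_to']}" if rec["status"] == "vulnerable" else ""
        print(f"{rec['host']:8} {rec['product']:22} {rec['version']:8} {rec['status']}{extra}")
```

On the sample inventory, ftp-01, vm-01 and ftp-04 come back vulnerable; ftp-03 (10.8.10) is correctly treated as newer than 10.8.4, which a plain string comparison would get wrong.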
This report is provided FREE to the cybersecurity community.
Visit our Cyber Threat Intelligence Blog for additional reports.
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.