

IRS-Themed Phishing Campaigns Deploy RMM Malware via Tax Lures

1 unique source, 1 article

Summary


Threat actors exploited tax-season urgency with phishing emails impersonating the U.S. Internal Revenue Service (IRS) and other tax-related entities, targeting roughly 29,000 users across 10,000 organizations. Rather than custom malware, the payloads were legitimate Remote Monitoring and Management (RMM) tools such as ConnectWise ScreenConnect, Datto, and SimpleHelp, installed to give the attackers persistent remote access for credential harvesting, data theft, and lateral movement. The lures included fake refund notices, W2 forms, IRS documents, and cryptocurrency tax forms, built to get recipients to click malicious links or download trojanized attachments. Targeting focused on U.S. organizations in financial services, technology, and retail, with a smaller subset in non-U.S. manufacturing, healthcare, and higher education. The phishing infrastructure evaded detection with Cloudflare bot filtering to block automated scanners, typosquatted domains, and abuse of URL-rewriting services from multiple security vendors to disguise malicious links.

Timeline

  1. 23.03.2026 12:55 · 1 article

    Tax-Season IRS Impersonation Phishing Campaigns Deploy RMM Malware to 29,000+ Users

    On February 10, 2026, a large-scale phishing campaign impersonating the IRS targeted over 29,000 users across 10,000 organizations, primarily in the U.S., using fake tax refund and transcript lures. Attackers delivered trojanized ScreenConnect via a malicious domain (smartvault[.]im) that leveraged Cloudflare to evade automated detection. Parallel campaigns used tax-themed lures (W2 forms, cryptocurrency tax documents) to distribute additional RMM tools such as Datto and SimpleHelp. The operation exploited seasonally relevant urgency and trusted administrative software to establish persistent remote access for credential theft, data exfiltration, and lateral movement.


Information Snippets

  • A large-scale phishing campaign on February 10, 2026, affected over 29,000 users across 10,000 organizations, with 95% of targets located in the U.S. across industries such as financial services (19%), technology and software (18%), and retail and consumer goods (15%).

    First reported: 23.03.2026 12:55
    1 source, 1 article
  • Attackers impersonated the IRS using emails claiming irregular tax returns were filed under the recipient’s Electronic Filing Identification Number (EFIN), directing users to download a malicious ‘IRS Transcript Viewer’ from smartvault[.]im that delivered ScreenConnect.

  • Phishing campaigns used tax-themed lures including W2 forms, fake tax documents, and cryptocurrency tax forms (e.g., “Cryptocurrency Tax Form 1099”) hosted on domains such as irs-doc[.]com and gov-irs216[.]net to deliver RMM tools like ScreenConnect and SimpleHelp.

  • Legitimate RMM tools including ConnectWise ScreenConnect, Datto, SimpleHelp, and Teramind were abused to establish persistent remote access on compromised systems, enabling credential theft, data exfiltration, and post-exploitation activity.

  • Phishing infrastructure evaded detection in three ways: Cloudflare bot filtering in front of the lure domains to block automated scanners, abuse of URL-rewriting (link-protection) services from multiple security vendors (including Avanan, Barracuda, and Bitdefender) so that malicious links were wrapped in trusted vendor domains, and typosquatted domains (e.g., telegrgam[.]com) to distribute trojanized installers.

  • Additional malware delivery vectors included fake Google Meet/Zoom pages distributing Teramind, Avast-branded refund scams targeting French-speaking users, JavaScript droppers leading to XWorm 7.1 infections via reflective DLL injection, and phishing emails abusing Microsoft Azure Monitor alerts with fake billing lures.

  • Abuse of legitimate RMM tools by threat actors surged 277% year-over-year, as noted by Huntress, due to their trusted status in corporate environments and limited monitoring for unauthorized usage.

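The evasion layers described above (vendor link rewriting stacked on top of a typosquatted landing domain) are easier to reason about with a concrete unwrapper. The Python below is an added example, not code from the report or from any vendor: it peels nested rewriting layers off a URL, then scores the landing domain for typosquatting of a short brand list and for IRS-style keywords. The wrapper formats (Microsoft Safe Links and Barracuda Link Protect query parameters), the brand-to-TLD table, the allowlist, and the sample URLs are all assumptions or constructed inputs; the Avanan and Bitdefender formats mentioned in the report are not modelled.

```python
"""Peel vendor link-rewriting layers off a URL and score the landing domain.

Added example, not code from the report. The wrapper formats, the brand/TLD
table, the allowlist and the sample URLs are assumptions and constructed
inputs, not indicators from the campaign.
"""
from urllib.parse import urlsplit, parse_qs

# Rewriting services: host suffix -> query parameter holding the original URL.
# Assumed formats; extend for other vendors from your own mail samples.
WRAPPERS = {
    "safelinks.protection.outlook.com": "url",  # Microsoft Defender Safe Links
    "linkprotect.cudasvc.com": "a",             # Barracuda Link Protect
}
# Brands the lures impersonate and the TLD each legitimately uses (assumed).
BRANDS = {"telegram": {"org"}, "smartvault": {"com"}, "screenconnect": {"com"}}
SUSPICIOUS_KEYWORDS = ["irs", "gov", "tax", "refund", "transcript"]
LEGIT_HOSTS = {"irs.gov"}  # never flag the real thing


def unwrap(url: str, max_depth: int = 5) -> tuple:
    """Follow nested rewriting layers; returns (innermost URL, layers removed)."""
    depth = 0
    while depth < max_depth:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        param = next((p for sfx, p in WRAPPERS.items()
                      if host == sfx or host.endswith("." + sfx)), None)
        if param is None:
            break
        inner = parse_qs(parts.query).get(param)  # parse_qs percent-decodes once
        if not inner:
            break
        url, depth = inner[0], depth + 1
    return url, depth


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) edit distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def assess(url: str) -> dict:
    """Return the unwrapped URL plus the reasons it looks like lure infrastructure."""
    final, layers = unwrap(url)
    host = (urlsplit(final).hostname or "").lower()
    parts = host.split(".")
    # Naive registrable label: ignores multi-part suffixes such as co.uk
    label, tld = (parts[-2], parts[-1]) if len(parts) >= 2 else (host, "")
    reasons = []
    if layers:
        reasons.append(f"unwrapped {layers} rewriting layer(s)")
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return {"final_url": final, "host": host, "reasons": reasons}
    for brand, tlds in BRANDS.items():
        dist = osa_distance(label, brand)
        if dist == 0 and tld not in tlds:
            reasons.append(f"brand {brand} on unexpected TLD .{tld}")
        elif 0 < dist <= 2:
            reasons.append(f"typosquat of {brand} (distance {dist})")
    hits = [k for k in SUSPICIOUS_KEYWORDS if k in label]
    if hits and label not in BRANDS:
        reasons.append("impersonation keyword(s) in domain: " + ", ".join(hits))
    return {"final_url": final, "host": host, "reasons": reasons}


SAMPLES = [  # constructed inputs, not indicators from the report
    "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flinkprotect.cudasvc.com"
    "%2Furl%3Fa%3Dhttps%253A%252F%252Ftelegrgam.com%252Fdl%26c%3DE%2C1&data=05%7C01%7C&reserved=0",
    "https://gov-irs216.net/Cryptocurrency-Tax-Form-1099.pdf.exe",
    "https://smartvault.im/IRS-Transcript-Viewer.exe",
    "https://www.irs.gov/individuals/get-transcript",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = assess(sample)
        print(result["host"], result["reasons"])
```

Two design points matter in practice. First, the unwrapper decodes each layer exactly once via `parse_qs`; calling `unquote` again on the result would corrupt any inner URL that itself carries an encoded query string. Second, edit distance alone does not catch a lure like smartvault[.]im, because the label is the real product name; that case is only caught because the brand table records which TLD the brand legitimately uses, so the list must be maintained from the products your users actually receive documents from.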
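Because the RMM tools named in the items above are legitimately used by IT teams, a blocklist on binary names is not a workable detection; the signal is an RMM instance the organization did not sanction. The Python below is an added example, not code from the report, Huntress, or any RMM vendor: it runs a few such rules over constructed process-creation records in the shape of Sysmon event ID 1 fields. The OriginalFileName values, the ScreenConnect client argument format (a "?e=Access&y=Guest&h=<relay host>..." string on the service command line), the approved-relay policy, and every event record are assumptions to be checked against your own telemetry.

```python
"""Flag unsanctioned RMM activity in process-creation telemetry.

Added example, not code from the report or any RMM vendor. Event records are
constructed in the shape of Sysmon event ID 1 fields; the OriginalFileName
values, the ScreenConnect argument format and the approval policy are
assumptions to verify against your own environment.
"""
import re

# PE OriginalFileName -> product. Assumed, partial list; extend from your own samples.
RMM_ORIGINAL_NAMES = {
    "ScreenConnect.ClientService.exe": "ScreenConnect",
    "ScreenConnect.WindowsClient.exe": "ScreenConnect",
    "ScreenConnect.ClientSetup.exe": "ScreenConnect",
    "Remote Access.exe": "SimpleHelp",
}
# Org policy (assumed): product -> relay hosts the help desk actually uses.
# A product absent from this table is not sanctioned at all.
APPROVED = {"ScreenConnect": {"helpdesk.example.com"}}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
USER_FACING_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "explorer.exe"}


def screenconnect_relay(cmdline: str):
    """Pull the relay host out of the client's "?e=...&h=<host>&..." argument (assumed format)."""
    m = re.search(r'[?&]h=([^&"\s]+)', cmdline)
    return m.group(1).lower() if m else None


def analyze(ev: dict) -> list:
    """Return the findings for one process-creation record (empty list = nothing to see)."""
    image = ev.get("Image", "")
    base = image.rsplit("\\", 1)[-1]
    orig = ev.get("OriginalFileName", "")
    # Match on the PE's original name first so a renamed installer is still recognised
    product = RMM_ORIGINAL_NAMES.get(orig) or RMM_ORIGINAL_NAMES.get(base)
    if product is None:
        return []
    findings = []
    if orig and orig.lower() != base.lower():
        findings.append(f"{product} binary renamed to {base}")
    if product not in APPROVED:
        findings.append(f"{product} is not an approved RMM product")
    elif product == "ScreenConnect":
        relay = screenconnect_relay(ev.get("CommandLine", ""))
        if relay and relay not in APPROVED[product]:
            findings.append(f"ScreenConnect relay {relay} is not on the approved list")
    if any(p in image.lower() for p in USER_WRITABLE):
        findings.append("launched from a user-writable path")
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in USER_FACING_PARENTS:
        findings.append(f"spawned by {parent}")
    return findings


def triage(events) -> list:
    """Return [(image basename, findings)] for every event with at least one finding."""
    out = []
    for ev in events:
        findings = analyze(ev)
        if findings:
            out.append((ev["Image"].rsplit("\\", 1)[-1], findings))
    return out


SC = r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6a7b8)\ScreenConnect.ClientService.exe"
EVENTS = [  # constructed records, not telemetry from the campaign
    {"Image": SC, "OriginalFileName": "ScreenConnect.ClientService.exe",
     "CommandLine": f'"{SC}" "?e=Access&y=Guest&h=helpdesk.example.com&p=8041&s=1&k=k1"',
     "ParentImage": r"C:\Windows\System32\services.exe"},            # sanctioned help-desk instance
    {"Image": SC, "OriginalFileName": "ScreenConnect.ClientService.exe",
     "CommandLine": f'"{SC}" "?e=Access&y=Guest&h=rmm.example.net&p=8041&s=2&k=k2"',
     "ParentImage": r"C:\Windows\System32\services.exe"},            # same binary, foreign relay
    {"Image": r"C:\Users\jdoe\Downloads\IRS-Transcript-Viewer.exe",
     "OriginalFileName": "ScreenConnect.ClientSetup.exe",
     "CommandLine": r'"C:\Users\jdoe\Downloads\IRS-Transcript-Viewer.exe"',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},  # renamed installer
    {"Image": r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe",
     "OriginalFileName": "Remote Access.exe",
     "CommandLine": r'"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe"',
     "ParentImage": r"C:\Windows\System32\services.exe"},            # product not sanctioned at all
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for name, findings in triage(EVENTS):
        print(name, "->", "; ".join(findings))
```

The second record is the important one: it is the sanctioned binary, in its normal install path, started by the service control manager, and path or parent heuristics say nothing about it. Only comparing the relay host in the command line against the approved instance separates it from the help desk's own deployment, which is why an allowlist of sanctioned instances (not products) is the control that addresses the monitoring gap Huntress describes.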