Find notable cyber news and cases, enriched with sources, timelines, and signals.

U.S. tax-season phishing and malware-delivery campaign

Campaign
First reported
Last updated
Happening score
H score 50
1 unique sources, 1 articles

Summary

Hide ▲

The U.S. tax-season phishing campaigns are harvesting credentials and delivering malware, putting individuals, accountants, and other professionals at risk. The lures mimic refund notices, payroll forms, filing reminders, and tax-related requests to push victims into opening malicious files, scanning QR codes, or clicking suspicious links. One large wave on February 10, 2026 affected more than 29,000 users across 10,000 organizations. The activity also uses PhaaS kits and RMM tools such as ScreenConnect, Datto, and SimpleHelp to gain persistent access and steal data.

Related Happenings

TA4922 expanded European phishing-and-malware campaign

Campaign
H score40 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...

QR code phishing surged across email threats in Q1 2026

Trend
H score73 First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: **Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....

Amazon SES phishing and BEC abuse campaign

Campaign
H score29 First: 04.05.2026 23:03 Last: 04.05.2026 23:03 Sources 1

About this happening: A phishing campaign is abusing Amazon Simple Email Service (SES) to send convincing emails that can bypass standard authentication and reputation-based defenses. Attackers are usi...

Formbook phishing campaign using DLL sideloading and obfuscated JavaScript

Campaign
H score30 First: 20.04.2026 18:01 Last: 20.04.2026 18:01 Sources 1

About this happening: The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...

Scattered Spider SMS phishing and SIM-swap crypto theft campaign

Campaign
H score53 First: 20.04.2026 16:33 Last: 20.04.2026 16:33 Sources 1

About this happening: The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...

Timeline

  1. 23.03.2026 12:55 1 articles · 3mo ago

    IRS impersonation phishing wave affects more than 29,000 users

    Victim Impact Update

    On February 10, 2026, an IRS-impersonation phishing wave affected more than 29,000 users across 10,000 organizations, mostly in the U.S.; recipients were told to review purportedly irregular tax returns by downloading an "IRS Transcript Viewer" and were redirected through a "Download IRS Transcript View 5.1" button to smartvault[.]im, where a malicious ScreenConnect package enabled remote access and credential harvesting.

    Show sources
  2. 23.03.2026 12:55 2 articles · 3mo ago

    Microsoft warns of tax-season phishing campaigns

    Initial Disclosure

    Microsoft warned that U.S. tax-season phishing campaigns were targeting individuals, accountants, and other professionals with refund notices, payroll forms, filing reminders, QR codes, suspicious links, and IRS-themed lures to steal credentials and deliver malware, with some operations using PhaaS pages and others deploying ScreenConnect, Datto, or SimpleHelp for persistent access.

    Show sources