Find notable cyber news and cases, enriched with sources, timelines, and signals.

Tax-season credential phishing and RMM malware campaign

Campaign
First reported
Last updated
Happening score
H score 42
1 unique sources, 1 articles

Summary

Hide ▲

A tax-themed cyber campaign is using credential phishing, remote monitoring and management (RMM) tools, and fraud lures to target people handling financial data and login credentials, raising the risk of account takeover and long-term access. Security researchers identified more than a hundred operations in early 2026, showing the activity is broad and recurring rather than isolated. Some lures impersonate investment firms and company executives, pushing victims to fake login pages and document-collection pages.

Related Happenings

TA4922 expanded European phishing-and-malware campaign

Campaign
H score40 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...

Cyber-enabled cargo theft is surging across transportation and logistics in 2025

Trend
H score42 First: 30.04.2026 19:32 Last: 30.04.2026 19:32 Sources 1

About this happening: **Cyber-enabled cargo theft** is surging across **transportation and logistics**, driving nearly **$725 million** in estimated losses in the **U.S. and Canada** and materially inc...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
H score43 First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

U.S. tax-season phishing and malware-delivery campaign

Campaign
H score50 First: 23.03.2026 12:55 Last: 23.03.2026 12:55 Sources 1

About this happening: The **U.S. tax-season phishing campaigns** are harvesting credentials and delivering malware, putting **individuals**, **accountants**, and other professionals at risk. The lures...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
H score82 First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

Timeline

  1. 30.03.2026 18:00 2 articles · 3mo ago

    Proofpoint identifies tax-themed campaigns using RMM tools and credential phishing

    Initial Disclosure

    Proofpoint's March 30, 2026 advisory describes more than a hundred tax-themed cyber campaigns active in early 2026, where attackers used malware, remote monitoring and management (RMM) tools, credential phishing, fake login pages, and impersonation of investment firms and company executives to collect W-8BEN, W-2, and W-9 information.

    Show sources