
Cybercriminals Abuse IRS and Tax Filing Lures to Push Malware in New Campaigns - CyberSecurityNews

Source: CyberSecurityNews (archived Jun 30, 2026)



By Tushar Subhra Dutta, March 31, 2026

Tax season brings a reliable wave of phishing attacks, but 2026 has already shown a bigger and more organized push than in previous years. Cybercriminals are actively impersonating the Internal Revenue Service (IRS), national tax authorities, and company HR departments to trick people into installing malware or handing over login credentials. Over a hundred campaigns using tax-related lures have been recorded so far this year, delivering everything from malware to remote access tools and credential-stealing pages.

The range of tactics in these campaigns is wider than before. Attackers are spoofing emails about expired tax documents, IRS filing notices, W-2 form requests from fake HR teams, and even W-8BEN filings for non-U.S. taxpayers. Malware and remote monitoring and management (RMM) payloads account for the bulk of threats delivered through tax-themed emails this year.

Figure: Breakdown of threat types delivered in tax-themed email campaigns (Source – Proofpoint)

Campaigns have targeted users mainly in the United States, but also in Canada, Australia, Switzerland, and Japan, with email volumes ranging from a few targeted messages to tens of thousands. Proofpoint researchers have identified over a dozen IRS-impersonation RMM campaigns since January 2026 and flagged two specific threat actor groups — TA4922 and TA2730 — each running organized operations with clear financial objectives. Researchers noted that 2026 shows more RMM payloads than past tax seasons, with activity from newly identified actors and a broader variety of social engineering lures than previously observed.

Abusing legitimate RMM software has become a go-to move for these actors. Tools like N-able, Datto, RemotePC, Zoho Assist, and ScreenConnect are trusted by enterprise security systems because they are legitimate, digitally signed applications — making them hard to detect as threats.

Figure: Phishing lure impersonating the IRS delivering N-able RMM (Source – Proofpoint)

On February 5, a campaign impersonating the IRS sent emails with a fake “Transcript Viewer” button, which linked to a Bitbucket-hosted executable that silently installed N-able RMM on the victim’s machine. The attacker also included a real IRS phone number in the email to make the message look official.

Figure: TA2730 email impersonating Swissquote (left) and malicious phishing landing page impersonating the company (right) (Source – Proofpoint)

Separately, TA2730 — a credential phishing group tracked by Proofpoint since June 2025 — ran campaigns impersonating investment firms and asking targets to update W-8BEN tax forms.

Figure: TA2730 email impersonating Questrade (left) and malicious phishing landing page impersonating the company (right) (Source – Proofpoint)

In February 2026, the actor impersonated Swissquote in Switzerland and Questrade in Canada, directing victims to fake login pages built to steal account credentials for financial gain.

TA4922’s Multi-Step Social Engineering Approach

Among the threat actors identified this year, TA4922 stands out for its deliberate, multi-stage attack chain. Tracked by Proofpoint since spring 2025, this financially motivated group is believed to be based in East Asia and is likely Chinese-speaking. Its primary goal is gaining remote access to victim systems for fraud, data theft, or selling that access to other criminals. TA4922 primarily delivers malware from the Winos4.0 ecosystem — also known as ValleyRAT — using a combination of loaders and information stealers. What makes this actor particularly dangerous is its two-phase approach.
The group begins by sending an impersonation email posing as a tax authority, claiming the recipient has unresolved tax obligations and requesting a mobile phone number to continue the discussion. Once that private channel is established, the actor escalates by pretending to be company finance leadership before delivering malicious files or links outside of email.

Figure: Inland Revenue Department impersonation (Source – Proofpoint)

In early March 2026, a related campaign spoofed the Inland Revenue Department, leading victims to download an information stealer that remains under active investigation by Proofpoint researchers.

Organizations and employees can take clear steps to protect themselves. Security teams should enforce allow-listing policies so that only approved RMM tools can run on corporate networks, reducing the risk of unauthorized remote access software going undetected. Employees need regular training that covers tax-season phishing techniques and teaches them to question emails requesting personal contact details or prompting action on tax filings through external links. Any unsolicited message from a supposed tax authority or HR contact should be verified through official channels before any action is taken.
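The allow-listing advice above can be checked against endpoint telemetry. The script below is an added example written for this page, not code from CyberSecurityNews or Proofpoint: it reads constructed process-creation events (JSON lines; hosts, users, paths and publisher strings are placeholders) and flags any of the RMM products named in the article that is not on the organization's approved list, that runs outside the normal install directories, or that was launched by a browser or mail client, the delivery path the IRS "Transcript Viewer" lure relied on. The approved set, the trusted directories and the vendor regexes are assumptions; real binary names and Authenticode signer strings must come from each vendor's documentation.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed process-creation events as JSON lines. Every host, user, path,
# parent and publisher string is a placeholder made up for this example.
SAMPLE_EVENTS = r"""
{"host":"WS01","user":"CORP\\jdoe","image":"C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe","publisher":"ScreenConnect Software","parent":"C:\\Windows\\System32\\services.exe"}
{"host":"WS02","user":"CORP\\asmith","image":"C:\\Users\\asmith\\Downloads\\NableAgentSetup.exe","publisher":"N-able Technologies","parent":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"host":"WS03","user":"CORP\\bchen","image":"C:\\Users\\bchen\\AppData\\Local\\Temp\\ZohoAssist\\agent.exe","publisher":"ZOHO Corporation","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"host":"WS01","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","publisher":"Microsoft Windows","parent":"C:\\Windows\\explorer.exe"}
{"host":"WS04","user":"CORP\\dlee","image":"C:\\Users\\dlee\\Downloads\\ScreenConnect.Client.exe","publisher":"ScreenConnect Software","parent":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"}
"""

# Vendors named in the article, matched loosely against image path and signer.
# Assumption: these patterns are illustrative, not the vendors' real file names.
RMM_VENDORS = {
    "N-able": re.compile(r"\bn-?able", re.I),
    "Datto": re.compile(r"\bdatto", re.I),
    "RemotePC": re.compile(r"remotepc", re.I),
    "Zoho Assist": re.compile(r"zoho\s*assist", re.I),
    "ScreenConnect": re.compile(r"screenconnect", re.I),
}
APPROVED_RMM = {"ScreenConnect"}          # assumption: the one sanctioned tool
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
DELIVERY_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def classify(event):
    """Return a list of findings for one event; empty means no RMM concern."""
    haystack = f"{event['image']} {event['publisher']}"
    vendors = [name for name, pat in RMM_VENDORS.items() if pat.search(haystack)]
    if not vendors:
        return []
    findings = []
    for name in vendors:
        if name not in APPROVED_RMM:
            findings.append(f"unapproved RMM tool: {name}")
    # IT-deployed agents live under Program Files; user profile paths mean a
    # user-driven install, which is what a phishing lure produces.
    if not event["image"].lower().startswith(TRUSTED_DIRS):
        findings.append("RMM binary outside trusted install directories")
    parent = PureWindowsPath(event["parent"]).name.lower()
    if parent in DELIVERY_PARENTS:
        findings.append(f"launched by {parent} (browser or mail client)")
    return findings


def scan(jsonl):
    """Classify every JSON-line event and keep only those with findings."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = classify(event)
        if findings:
            alerts.append({"host": event["host"], "image": event["image"],
                           "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['image']}")
        for finding in alert["findings"]:
            print(f"  - {finding}")
```

The approved tool is still alerted on when it appears in a Downloads folder under a browser parent, because a signed, legitimate binary is exactly what these campaigns rely on; the policy question is whether this instance was deployed by IT, not whether the vendor is trusted.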
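The IRS "Transcript Viewer" lure described earlier combines three signals a mail filter can test for: a display name claiming a government brand while the sending domain is unrelated, a button whose link lands on a code-hosting site, and a link target that is an executable. The following is an added example, not code from the article or from Proofpoint: it parses a constructed message (every address, domain, path and phone number is a placeholder) with Python's standard library and returns the findings. The brand list and the code-hosting and executable-suffix sets are assumptions to be extended for a real deployment.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the lure the article describes.
# Sender, domains, paths and the phone number are placeholders, not indicators.
SAMPLE_EML = """\
From: "Internal Revenue Service" <notices@irs-transcripts.example>
To: employee@corp.example
Subject: Your 2025 tax transcript is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your transcript is available. Call 800-555-0100 with questions.</p>
<p><a href="https://bitbucket.org/placeholder-workspace/downloads/TranscriptViewer.exe">Transcript Viewer</a></p>
<p><a href="https://www.irs.gov/individuals/get-transcript">IRS help</a></p>
</body></html>
"""

# Brand a display name may claim, and the domains allowed to send for it (assumption).
IMPERSONATED_BRANDS = {
    "IRS": (re.compile(r"\birs\b|internal revenue", re.I), {"irs.gov"}),
}
CODE_HOSTING_DOMAINS = {"bitbucket.org", "github.com", "gitlab.com"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".js", ".vbs")


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def in_domain(host, base):
    return host == base or host.endswith("." + base)


def triage(raw_message):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Signal 1: display name claims a brand the sending domain cannot back up.
    display, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, (pattern, allowed) in IMPERSONATED_BRANDS.items():
        if pattern.search(display) and not any(in_domain(sender_domain, d) for d in allowed):
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # Signals 2 and 3: links to executables, and links on code-hosting sites.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    for href, text in extract_links(html):
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"link '{text}' points at an executable: {href}")
        if any(in_domain(host, d) for d in CODE_HOSTING_DOMAINS):
            findings.append(f"link '{text}' is hosted on code-hosting domain {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

Each finding alone is weak (legitimate newsletters link to GitHub, and IRS mail does go through contracted senders), so a production filter would score them together rather than block on any one; the point is that all three fire on this lure while the genuine irs.gov link in the same message raises none.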