What We Do
How We Do
Get Started
Security advisories

Increase in Tax-Themed Email Lure

March 13, 2024 | 4 MINS READ

Speak With A Security Expert Now



As the U.S. and Canadian tax season approaches, eSentire has observed a substantial increase in malware being delivered through tax-themed phishing emails. Cybercriminals are exploiting the urgency and importance of tax-related communications to trick individuals into opening malicious email links, leading to malware infections.

The observed phishing campaigns utilize tax-themed lures, including tax documents, tax returns, and IRS letters. These emails often appear to be sent from legitimate tax authorities or financial institutions and include malicious links leading to malware payloads hosted on attacker-controlled infrastructure.

eSentire has observed the following malware families being delivered from tax-themed campaigns: GuLoader (which in turn loads RemcosRAT), XWorm, RattyRat, and SorillusRAT. These malware families provide threat actors with a variety of functionalities including keylogging, taking screenshots, audio and webcam recording, file transfer, and remote code execution.

With the increasing sophistication of tax-themed phishing campaigns, it is crucial organizations implement proactive email security measures, as well as educate users to minimize the risk of malware infections and protect sensitive information, during the tax season and throughout the calendar year.

What we’re doing about it

What you should do about it

Additional information

GuLoader is a sophisticated malware loader which has heavily abused tax-themed lures in 2023. eSentire’s Threat Response Unit reported on GuLoader around tax season last year in both April and June of 2023. Starting in early March 2024, eSentire has observed an increase in GuLoader incidents resulting in the deployment of the RemcosRAT malware. In observed incidents, users received tax-themed malicious emails which contain a link to a password protected ZIP archive that impersonates a tax return (Figure 1). The ZIP archive contains an LNK file, which if interacted with, leads to the deployment of GuLoader. GuLoader is then launched resulting in the execution of PowerShell commands, establishing persistence via Registry Run Keys, and ultimately the RemcosRAT payload is injected into the memory of a legitimate process (Figure 2). If not detected and remediated quickly, these incidents will lead to information theft and enable remote control over the victim device.

RemcosRAT, XWorm, RattyRat, and SorillusRAT are all Remote Access Trojans offering various information stealing and remote access capabilities, including keylogging, capturing screenshots, recording audio, transferring files, and remotely controlling target machines.

In a recently observed incident involving XWorm malware, a user was identified downloading a malicious JavaScript file, which was impersonating a tax document; the user was directed to the download page via a malicious email. Upon execution, a PowerShell command was spawned to retrieve the XWorm payload from its Command-and-Control (C2) server. Subsequent JavaScript and PowerShell commands were blocked, via the client’s Endpoint agent, preventing malicious actions from occurring (Figure 3).

For additional technical details relating to recent observations of Ratty Rat and Sorillus RAT, delivered via tax-related lures, see the eSentire TRU Positive blog post Beware the Bait: Java RATs Lurking in Tax Scam Emails, published on February 26th, 2024.

Indicators of Compromise
intuitfrauddept[.]com Phishing Email Domain
intermountaiinhealthcare[.]org Phishing Email Domain
goatratedman[.]com Phishing Email Domain
stsebss[.]org Phishing Email Domain
hxxps[://]trivolibolit[.]com/wp-content/Hpzion[.]png GuLoader Payload Hosting URL
hxxps[://]jantickee[.]com/wp-content/Stanles2[.]png GuLoader Payload Hosting URL
hxxps[://]gamonosa[.]sa[.]com/.well-known/kr/UvcZuvTnzIO46.bin GuLoader Payload Hosting URL
AA55DC4FBEE738D2EAA714E6136C4E0CE8E3EF99C74F4D764F0BE3B790CE8014 GuLoader LNK File
63902401F26CBA19F48EBBE0B4C24BE0E2209686E0001009A5878EF0C57415CD GuLoader LNK File
FE10BC87167AA524D762E3BD9D7F38F53AE39A8515C28DFFC68B03229235B2A3 GuLoader VBS File
558742072F2E71418380FEBD4462A3C5B6CCF83160F385DF2D3799AA78EC58C2 GuLoader VBS File
EE23C722FD3A20CC9189903F7715AC6DA2EF2F5CAE0D8C23487CAC1FBC37A1D4 GuLoader VBS File
zarusouyt2994hesut01[.]duckdns[.]org Remcos C2
zarusouyt2994hesut02[.]duckdns[.]org Remcos C2
1shanamubunz[.]com Remcos C2
shakaojafun[.]com Remcos C2
85.209.176[.]69 Remcos C2
hxxp[://]91[.]92[.]243[.]28/////////poom///////////////////////////////////atom[.]xml XWorm Payload Hosting URL
91.92.243[.]28 XWorm C2
1C56940B0234BF7BEAC519CB62BD0DBE1E1B96B6F7AAB7F7FFBC7CC253EF5D5E XWorm JavaScript File
hxxps[://]sahiomn[.]web[.]app/Tax_documents_PDF[.]zip SorillusRAT Hosting
hxxps[://]osaminc[.]web[.]app/2023-FILES-MY1040-w2-IRS-letter-1099r_PDF[.]zip RattyRAT Hosting
216FFBB3057F8765E2DD73FDAD6E43ECB5D22821423B8824E23BE03A7692E5AD Sorillus RAT ZIP archive
FA4723B6970601FB772E808FA142008649773FD281BE46455C69828C0421AE27 Sorillus RAT JAR File
FB420FBABBD1BB240D07D01B3841943D457B9CCC0F019E4B7B80973D8A282D57 RattyRAT JAR File
185.196.220[.]62 RattyRAT C2 & SorillusRAT C2
Figure 1:Tax Themed GuLoader Email
Figure 2: Process Tree for GuLoader leading to RemcosRAT
Figure 3: XWorm Process Tree Resulting in Blocked Execution


[1] https://www.esentire.com/blog/beware-the-bait-java-rats-lurking-in-tax-scam-emails

View Most Recent Advisories