As the United States approaches Tax Day on April 15, cybersecurity experts have uncovered a series of sophisticated phishing campaigns leveraging tax-related themes to exploit unsuspecting users.
Microsoft has identified these campaigns as employing advanced redirection techniques such as URL shorteners and QR codes embedded in malicious attachments to evade detection.
By abusing legitimate services like file-hosting platforms and business profile pages, attackers aim to deliver malware and steal sensitive credentials.
The phishing attacks are linked to the RaccoonO365 phishing-as-a-service (PhaaS) platform, as well as to malware families such as Remcos, Latrodectus, Brute Ratel C4 (BRc4), AHKBot, and GuLoader.
These tools enable attackers to gain unauthorized access, deploy payloads, and conduct further malicious activities.
Microsoft observed several campaigns exploiting tax-related fears and obligations to deceive users.
One campaign, attributed to the threat actor Storm-0249, targeted thousands of users with emails claiming issues with their IRS filings.
These emails contained PDF attachments with embedded DoubleClick URLs that redirected users through Rebrandly shortened links to fake DocuSign pages.
If users interacted with these pages, they were served either malicious JavaScript files that led to malware installation or benign decoy files, depending on the attackers' filtering rules.
Another campaign used QR codes embedded in PDF attachments sent to over 2,300 organizations between February 12 and 28, 2025.
The QR codes directed recipients to phishing pages mimicking Microsoft 365 login portals designed to steal credentials.
These emails were disguised under display names such as “EMPLOYEE TAX REFUND REPORT” and “Tax Strategy Update Campaign Goals,” adding credibility to the attack.
The malware used in these campaigns demonstrates advanced capabilities:
In a targeted campaign, hackers focused on CPAs and accountants in the U.S., employing rapport-building tactics before delivering malicious PDFs.
These PDFs contained URLs leading to ZIP files hosted on Dropbox. Once opened, the files executed PowerShell scripts that installed GuLoader and Remcos malware.
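As an added example (not from Microsoft's report or this article), the following Python triage heuristic runs offline over constructed mail-gateway records and flags tax-themed senders whose PDF attachment links chain through the redirector services named in the campaigns above, or whose PDF carries a QR code; it also statically unwraps a redirect URL nested in a redirector's query string. The redirector hostnames, the record layout and the sample records are assumptions made for this example.

```python
import re
from urllib.parse import urlparse, unquote

# Tax-season lure vocabulary seen in display names and subjects (constructed list).
TAX_TERMS = re.compile(r"\b(tax|irs|refund|w-?2|1099|filing)\b", re.IGNORECASE)
# Hostnames of the legitimate redirect/shortener services the campaigns chained
# together; the exact hostnames are an assumption for this example.
REDIRECT_HOSTS = {"ad.doubleclick.net", "rebrand.ly"}
NESTED_URL = re.compile(r"https?://[^&\s\"']+", re.IGNORECASE)


def unwrap_redirects(url, max_depth=5):
    """Statically follow URLs embedded in redirector query strings (no network access)."""
    chain = [url]
    for _ in range(max_depth):
        parsed = urlparse(chain[-1])
        if parsed.hostname not in REDIRECT_HOSTS:
            break
        nested = NESTED_URL.search(unquote(parsed.query))
        if not nested:
            break
        chain.append(nested.group(0))
    return chain


def triage(msg):
    """Return the reasons a message looks like a tax-themed lure; an empty list means clean."""
    reasons = []
    if not (TAX_TERMS.search(msg["display_name"]) or TAX_TERMS.search(msg["subject"])):
        return reasons
    if msg.get("has_qr"):
        reasons.append("tax theme + QR code in PDF attachment")
    for url in msg.get("urls", []):
        hops = [urlparse(u).hostname for u in unwrap_redirects(url)]
        if any(h in REDIRECT_HOSTS for h in hops):
            reasons.append("tax theme + redirector chain: " + " -> ".join(hops))
    return reasons


# Constructed sample records: what a gateway might log per inbound PDF attachment.
SAMPLE_MESSAGES = [
    {"display_name": "EMPLOYEE TAX REFUND REPORT", "subject": "Issue with your IRS filing",
     "urls": ["https://ad.doubleclick.net/clk?dest=https%3A%2F%2Frebrand.ly%2Fabc123"],
     "has_qr": False},
    {"display_name": "Tax Strategy Update Campaign Goals", "subject": "Q1 planning",
     "urls": [], "has_qr": True},
    {"display_name": "Jane Doe", "subject": "Lunch next week",
     "urls": ["https://www.example.com/menu"], "has_qr": False},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["display_name"], "->", triage(m) or "clean")
```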
To combat these threats, Microsoft recommends organizations implement robust security measures:
These campaigns highlight the importance of vigilance during tax season, as cybercriminals continue to refine their methods using legitimate services and advanced malware frameworks.