As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting U.S. citizens, according to a detailed report from Seqrite Labs.
Security researchers have uncovered a malicious campaign exploiting the tax season through sophisticated social engineering tactics, primarily phishing attacks.
These cybercriminals are deploying deceptive emails and malicious attachments to steal sensitive personal and financial information while distributing dangerous malware.
.png
)
The campaign leverages redirection techniques and malicious LNK files, such as “104842599782-4.pdf.lnk,” to trick users into executing harmful payloads disguised as legitimate tax documents.
This strategy preys on user trust, especially among vulnerable demographics like green card holders, small business owners, and new taxpayers, who may lack familiarity with government tax processes.
Stealerium Malware and Multi-Stage Infection Chain
The infection chain begins with phishing emails containing deceptive attachments that, once opened, execute a series of obfuscated payloads.
Seqrite Labs’ technical analysis reveals that these attachments embed Base64-encoded PowerShell commands, which download additional malicious files like “rev_pf2_yas.txt” and “revolaomt.rar” from attacker-controlled Command and Control (C2) servers.
The final payload, often named “Setup.exe” or “revolaomt.exe,” is a PyInstaller-packaged Python executable containing encrypted data that decrypts at runtime.
This leads to the deployment of Stealerium malware, a .NET-based information stealer (version 1.0.35), notorious for harvesting sensitive data from browsers, cryptocurrency wallets, and apps like Discord, Steam, and Telegram.
Stealerium also conducts extensive system reconnaissance, capturing Wi-Fi configurations, webcam screenshots, and even detecting adult content to trigger additional captures.
Its anti-analysis features, including sandbox evasion and mutex controls, make it particularly challenging to detect and mitigate.
The malware registers bots via HTTP POST requests to C2 servers like “hxxp://91.211.249.142:7816,” facilitating data exfiltration over web services.
Beyond credential theft, Stealerium targets gaming platforms, VPN credentials, and messenger apps, extracting data from tools like FileZilla, NordVPN, and Outlook.
It creates hidden directories in %LOCALAPPDATA% for persistence and employs AES-256 encryption to secure stolen data.
Seqrite Labs advises immediate caution, recommending advanced endpoint protection solutions to combat this evolving threat.
Staying vigilant against suspicious emails and attachments during tax season is critical to avoiding identity theft and financial loss.
Indicators of Compromise (IoCs)
| File Name | SHA-256 |
|---|---|
| Setup.exe/revolaomt.exe | 6a9889fee93128a9cdcb93d35a2fec9c6127905d14c0ceed14f5f1c4f58542b8 |
| 104842599782-4.pdf.lnk | 48328ce3a4b2c2413acb87a4d1f8c3b7238db826f313a25173ad5ad34632d9d7 |
| payload_1.ps1 / fgrsdt_rev_hx4_ln_x.txt | 10f217c72f62aed40957c438b865f0bcebc7e42a5e947051edee1649adf0cbf2 |
| revolaomt.rar | 31705d906058e7324027e65ce7f4f7a30bcf6c30571aa3f020e91678a22a835a |
| 104842599782-4.html | ff5e3e3bf67d292c73491fab0d94533a712c2935bb4a9135546ca4a416ba8ca1 |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
