New Malware Campaigns Exploit IRS and Tax Luring Themes
Key Takeaways
- The 2026 tax season has seen a significant escalation in tax-themed phishing campaigns, with over 100 distinct operations identified so far.
- Attackers are impersonating government tax agencies (like the IRS), national tax authorities, and even internal HR departments to deliver malware, remote access tools, and credential stealers.
- Victims in the U.S., Canada, Australia, Switzerland, and Japan have been targeted, with campaigns ranging from highly focused attacks to broad email blasts.
- Two named threat groups stand out: TA4922, which uses multi-stage social engineering to deliver Winos4.0/ValleyRAT malware, and TA2730, which runs credential phishing against brokerage customers. Alongside them, unattributed campaigns are delivering legitimate, digitally signed Remote Monitoring and Management (RMM) software, which blends in with normal administrative activity and is hard to flag as malicious.
Tax Season 2026: A Surge in Sophisticated Phishing Attacks
Tax season reliably brings a rise in phishing, but 2026 stands out for the scale of the activity and for the degree of coordination among the criminal groups behind it, both well above previous years.
Threat actors are actively masquerading as the Internal Revenue Service (IRS), various national tax authorities, and even human resources departments within companies. Their objective is to deceive individuals into installing malicious software or divulging sensitive login credentials.
Widespread Campaigns Deliver Diverse Threats
More than a hundred distinct campaigns employing tax-related lures have been documented this year. These operations are designed to deploy a range of malicious payloads, including various forms of malware, remote access tools (RATs), and sophisticated credential-stealing phishing pages. For a deeper dive into these campaigns, refer to this Proofpoint report on tax-themed campaigns.
The social engineering lures are more varied than in past years. Attackers send emails claiming that tax documents have expired, issue fake IRS filing notices, request W-2 forms on behalf of bogus HR teams, and demand W-8BEN filings from non-U.S. taxpayers. This year, the payloads most often delivered through these tax-themed emails are malware and remote monitoring and management (RMM) agents.
Most campaigns have targeted users in the United States, with significant activity also observed in Canada, Australia, Switzerland, and Japan. Volume varies widely, from a handful of highly targeted messages to tens of thousands in broad spam runs. Proofpoint researchers have documented more than a dozen RMM campaigns impersonating the IRS since January 2026, and have separately profiled two named, financially motivated groups, TA4922 and TA2730, that run organized tax-themed operations. Researchers noted a marked increase in RMM payloads this tax season, the emergence of new threat actors, and a wider range of lures than previously seen.
Abuse of Legitimate RMM Software
A growing trend among these attackers is the abuse of legitimate RMM software. Tools such as N-able, Datto, RemotePC, Zoho Assist, and ScreenConnect are digitally signed by their vendors, are often already present or allow-listed in enterprise environments, and generate traffic that looks like routine remote support. Signature- or reputation-based controls therefore rarely flag them, and attackers gain persistent remote access without tripping alarms. The practical consequence for defenders is that the binary itself is not the signal; what matters is context: which RMM product is running, whether the organization sanctions it, where it was installed from, and what launched it.
For instance, in a campaign on February 5 attackers impersonating the IRS distributed emails containing a deceptive "Transcript Viewer" button. Clicking it led victims to a Bitbucket-hosted executable that silently installed the N-able RMM agent. To bolster the illusion of legitimacy, the email even included a genuine IRS phone number.
TA2730: Targeting Financial Credentials
Separately, TA2730, a credential phishing group that Proofpoint has been tracking since June 2025, has been active with campaigns impersonating investment firms. These campaigns typically urge targets to update their W-8BEN tax forms. In February 2026, TA2730 impersonated Swissquote in Switzerland and Questrade in Canada. Victims were directed to meticulously crafted fake login pages designed to harvest account credentials for illicit financial gain. More details on these findings can be found in Proofpoint’s security brief on tax scams.
TA4922’s Multi-Step Social Engineering Approach
Among the various threat actors identified this year, TA4922 is notable for its deliberate, multi-stage attack methodology. Proofpoint has been tracking this financially motivated group since spring 2025, and it is believed to be based in East Asia, likely comprising Chinese-speaking individuals.
The primary objective of TA4922 is to gain remote access to victim systems, which they then exploit for fraud, data theft, or to sell access to other cybercriminals. This group predominantly deploys malware from the Winos4.0 ecosystem, also known as ValleyRAT, utilizing a combination of loaders and information stealers.
What makes TA4922 particularly dangerous is its two-phase approach. The initial phase involves sending an impersonation email, often posing as a tax authority, claiming the recipient has unresolved tax obligations and requesting a mobile phone number for further discussion. Once this private communication channel is established, the actor escalates the attack by pretending to be a senior finance executive within the victim’s company, subsequently delivering malicious files or links outside the email environment. In early March 2026, a related campaign spoofed the Inland Revenue Department, leading victims to download an information stealer that remains under active investigation by Proofpoint researchers.
What You Should Do
- For Organizations: Define which RMM products are sanctioned, and enforce that allow-list at the endpoint with application control (so unapproved agents cannot run, and approved ones run only from their sanctioned install path) and at the network edge (so unapproved RMM services cannot be reached). Alert on any RMM agent that is launched from a browser, a Downloads folder, or a temporary directory, since that is how a phish-delivered installer arrives. This sharply reduces the chance of an unauthorized remote access tool going unnoticed.
- For Employees: Take part in regular security awareness training, with particular attention to tax-season phishing. Treat any email that asks for a personal phone number, or that pushes you to act on a tax filing via an external link or download, with suspicion.
- Verify Unsolicited Communications: Confirm the legitimacy of any unsolicited message from a supposed tax authority, brokerage, or HR contact through an official channel (the agency's or firm's own website, a publicly listed phone number) before clicking a link, opening an attachment, or replying with contact details.
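The RMM allow-listing advice above is easier to act on with a concrete rule. The following is an added example, not code from the HackersRadar article or from Proofpoint: a small Python detection that evaluates constructed process-creation events (Sysmon-style `Key="Value"` pairs) against a hypothetical organizational allow-list. It flags RMM agents that are not sanctioned at all, sanctioned agents running from somewhere other than their approved install path, and raises severity when the agent was launched by a browser or from a user-writable directory, the pattern of the "Transcript Viewer" lure. The binary names, the allow-list, the path patterns and the sample events are all assumptions made for this example; replace them with your own vendors' documented binaries and your own policy.

```python
import re
from dataclasses import dataclass

# Representative RMM agent binary names (assumed for this example; verify
# against each vendor's documentation before relying on them).
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "aemagent.exe": "Datto RMM",
    "basupsrvc.exe": "N-able Take Control",
    "winagent.exe": "N-able N-sight",
    "za_connect.exe": "Zoho Assist",          # hypothetical name
    "remotepcservice.exe": "RemotePC",        # hypothetical name
}

# Hypothetical allow-list: this organization sanctions ScreenConnect only,
# and only when installed under Program Files by the normal deployment.
APPROVED = {
    "ScreenConnect": re.compile(r"^c:\\program files( \(x86\))?\\screenconnect client"),
}

# Locations a user (or a phish-delivered installer) can write to.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
# Parents that indicate a user clicked something rather than IT deploying it.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


@dataclass
class Finding:
    severity: str
    product: str
    reason: str
    image: str


def parse_event(line):
    """Parse Key="Value" pairs from one constructed process-creation log line."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return a Finding for an RMM process that violates policy, else None."""
    image = event.get("Image", "")
    product = RMM_BINARIES.get(basename(image))
    if product is None:
        return None                      # not an RMM agent we track
    parent = basename(event.get("ParentImage", ""))
    user_delivered = parent in BROWSERS or bool(USER_WRITABLE.match(image))
    allowed_path = APPROVED.get(product)
    if allowed_path is None:
        severity, reason = "high", f"{product} is not on the RMM allow-list"
    elif not allowed_path.match(image.lower()):
        severity, reason = "high", f"{product} is allow-listed but ran from an unapproved path"
    elif user_delivered:
        severity, reason = "medium", f"{product} is approved but was launched via a browser or user-writable path"
    else:
        return None                      # sanctioned product, sanctioned path, normal parent
    if user_delivered and severity == "high":
        severity = "critical"            # unapproved RMM *and* user-delivered: the phishing pattern
    return Finding(severity, product, reason, image)


def scan(lines):
    """Evaluate every event line and return the list of findings, in input order."""
    return [f for f in (evaluate(parse_event(line)) for line in lines) if f]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'Image="C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe" ParentImage="C:\Windows\System32\services.exe" User="NT AUTHORITY\SYSTEM"',
    r'Image="C:\Users\jdoe\Downloads\TranscriptViewer\winagent.exe" ParentImage="C:\Program Files\Google\Chrome\Application\chrome.exe" User="CORP\jdoe"',
    r'Image="C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe" ParentImage="C:\Windows\explorer.exe" User="CORP\jdoe"',
    r'Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" User="CORP\jdoe"',
    r'Image="C:\Program Files (x86)\CentraStage\AEMAgent.exe" ParentImage="C:\Windows\System32\services.exe" User="NT AUTHORITY\SYSTEM"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.product}: {f.reason} ({f.image})")
```

Running the module against the constructed events reports three findings: the N-able agent launched from a Downloads folder by a browser (critical), the allow-listed ScreenConnect client running from a Temp directory (critical), and the unsanctioned Datto agent installed under Program Files (high); the sanctioned ScreenConnect service and Notepad produce nothing. The rule is meant to sit behind application control, not replace it: blocking unapproved agents is the control, and this kind of context check catches what the block list was not yet aware of.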
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.