Home » Security Bloggers Network » Tax Season Threat Surge

Tax Season Threat Surge

by Veriti Research on April 1, 2025

Veriti Research has identified a significant rise in tax-related malware samples across multiple platforms. The research team discovered malware samples targeting Android, Linux, and Windows, all connected to the same adversary operating from a single IP address.

We believe the attacker is running multiple parallel campaigns and using “Malware-as-a-Service” tools to target various platforms simultaneously, thereby increasing their chances of success.

Campaign 1

The malicious activity is traced back to the IP address 45.134.255[.]90, associated with a host named WINDOWS-U65VHC9, which is likely orchestrating the malware campaigns. Based on the machine’s timezone (UTC+1), the attacker appears to be operating from Europe.

Malware Used by the Attacker (Focused on ‘Tax Attacks’):

Potential Android Malware – CraxsRAT

File Name: Signed Form 8879

Creation Date: March 13, 2025

VirusTotal Link

Possibly related to CraxsRAT – an Android Remote Access Trojan (RAT)

Related sample Link

Communicates with IP: 45.134.255[.]90

Reference about the malware “Imagine if someone could secretly control your phone! That’s the scary reality with CraxsRat, a hidden Android app that gives bad guys the keys to your digital kingdom. This sneaky malware lets them peek at your messages, steal your passwords, and even track your location!”

Windows Malware – Ratty RAT

File Name: Tax_Documents_PDF.jar

Hybrid Analysis Link

Communicates with IP: 45.134.255[.]90

Additional Windows Samples:

Tax_Documents_PDF.zip Link

MARY_2024_W2_1040_PDF.jar Link

Campaign 2: Rhadamanthys Returns

File Name: 1099-NEC.pdf

Hybrid Analysis Link

VirusTotal Link

As described in another blog, this malware uses valid domains to boost its reputation and evade detection.

http://www.starwars.com/

http://www.target.com/

http://linkedin.com/

https://amazon.com/

https://aui-cdn.atlassian.com/

Malware IoCs

Example hashes:

8992cb472893d37b697f4d4d6a9d3a8f1a59f3cc9172d242f30945d0861e42f9

b2f7a9cffb3ad32b31def63dc69827d26af87036c6b0f092d7ed742cd5d067d6

Malicious domains:

marchlkalanew6.blogspot[.]com/lundchikha.doc

kalacpamarchclean.blogspot[.]com/chig.doc

Malicious IPs:

185.208.159[.]170

When pivoting on files communicating with this malicious IP, several tax-themed malicious files were found:

1694b2792731196891f05860b063fc3fe9dd1b54b2280839be3f1bb6793283e5 – W2-Linda_Williams.pdf.js

3d00953ec06a4a41d0f4c0e7edd4c2c421129102663eff205d4b80eae75d4ba0 – James_Smith_Tax_Document_2024.pdf.js

83fa16f72c36b0003cdc4dd717f6da1f3a4526b3ab5300f6a1df9a7a304e4946 – 4BQV7_James_Smith_Tax_Document_2024.pdf.js

f757e2972b57bbc47c107579a74728fa387de94dbecf0124f893a394d80c1b30 – Elizabeth_Jones_Tax_Document_2024.pdf(1).js

Older Campaigns and Office Vulnerabilities

Older campaigns have exploited the following vulnerabilities:

CVE-2017-0199

CVE-2021-40444

Despite being patched, these vulnerabilities are often still present in user environments, especially for consumers who lack enterprise-grade patch management tools.

Malicious Files Utilizing those Vulnerabilities Samples:

File Name	SHA256	Tags	CVE
income_tax_and_benefit_return_2021.docx	d0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745	#apt #keylogger	CVE-2017-0199
Employees_Contact_Audit_Oct_2021.docx	ed2b9e22aef3e545814519151528b2d11a5e73d1b2119c067e672b653ab6855a	#lds #apt	CVE-2021-40444
Employee_W2_Form.docx	679bbe0c50754853978a3a583505ebb99bce720cf26a6aaf8be06cd879701ff1	#lds #apt	CVE-2021-40444