Veriti Research has identified a significant rise in tax-related malware samples across multiple platforms. The research team discovered malware samples targeting Android, Linux, and Windows, all connected to the same adversary operating from a single IP address.
We believe the attacker is running multiple parallel campaigns and using “Malware-as-a-Service” tools to target various platforms simultaneously, thereby increasing their chances of success.
Campaign 1
The malicious activity is traced back to the IP address 45.134.255[.]90, associated with a host named WINDOWS-U65VHC9, which is likely orchestrating the malware campaigns. Based on the machine’s timezone (UTC+1), the attacker appears to be operating from Europe.
Malware Used by the Attacker (Focused on ‘Tax Attacks’):
Potential Android Malware – CraxsRAT
- File Name: Signed Form 8879
- Creation Date: March 13, 2025
- VirusTotal Link
- Possibly related to CraxsRAT – an Android Remote Access Trojan (RAT)
- Related sample Link
- Communicates with IP: 45.134.255[.]90
Reference about the malware “Imagine if someone could secretly control your phone! That’s the scary reality with CraxsRat, a hidden Android app that gives bad guys the keys to your digital kingdom. This sneaky malware lets them peek at your messages, steal your passwords, and even track your location!”
Windows Malware – Ratty RAT
- File Name: Tax_Documents_PDF.jar
- Hybrid Analysis Link
- Communicates with IP: 45.134.255[.]90
Additional Windows Samples:
- Tax_Documents_PDF.zip Link
- MARY_2024_W2_1040_PDF.jar Link
Campaign 2: Rhadamanthys Returns
File Name: 1099-NEC.pdf
- Hybrid Analysis Link
- VirusTotal Link
As described in another blog, this malware uses valid domains to boost its reputation and evade detection.
Malware IoCs
Example hashes:
- 8992cb472893d37b697f4d4d6a9d3a8f1a59f3cc9172d242f30945d0861e42f9
- b2f7a9cffb3ad32b31def63dc69827d26af87036c6b0f092d7ed742cd5d067d6
Malicious domains:
- marchlkalanew6.blogspot[.]com/lundchikha.doc
- kalacpamarchclean.blogspot[.]com/chig.doc
Malicious IPs:
- 185.208.159[.]170
When pivoting on files communicating with this malicious IP, several tax-themed malicious files were found:
- 1694b2792731196891f05860b063fc3fe9dd1b54b2280839be3f1bb6793283e5 – W2-Linda_Williams.pdf.js
- 3d00953ec06a4a41d0f4c0e7edd4c2c421129102663eff205d4b80eae75d4ba0 – James_Smith_Tax_Document_2024.pdf.js
- 83fa16f72c36b0003cdc4dd717f6da1f3a4526b3ab5300f6a1df9a7a304e4946 – 4BQV7_James_Smith_Tax_Document_2024.pdf.js
- f757e2972b57bbc47c107579a74728fa387de94dbecf0124f893a394d80c1b30 – Elizabeth_Jones_Tax_Document_2024.pdf(1).js
Older Campaigns and Office Vulnerabilities
Older campaigns have exploited the following vulnerabilities:
- CVE-2017-0199
- CVE-2021-40444
Despite being patched, these vulnerabilities are often still present in user environments, especially for consumers who lack enterprise-grade patch management tools.
Malicious Files Utilizing those Vulnerabilities Samples:
| File Name | SHA256 | Tags | CVE |
| income_tax_and_benefit_return_2021.docx | d0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745 | #apt #keylogger | CVE-2017-0199 |
| Employees_Contact_Audit_Oct_2021.docx | ed2b9e22aef3e545814519151528b2d11a5e73d1b2119c067e672b653ab6855a | #lds #apt | CVE-2021-40444 |
| Employee_W2_Form.docx | 679bbe0c50754853978a3a583505ebb99bce720cf26a6aaf8be06cd879701ff1 | #lds #apt | CVE-2021-40444 |
Phishing Campaign
In recent weeks, Veriti Research observed numerous newly created phishing domains potentially linked to upcoming tax-themed attacks.
Interestingly, some domains have shown initial activity originating from India, despite being designed to target U.S. IRS-related users.
High Severity Domains:
- irs-government[.]com
- Irstaxrefund[.]info
- Irstaxrefund[.]online
- mygov-taxclaim[.]com
- www4irs-gov[.]com
- irs-gov[.]info
- crypto-tax[.]info
- print-my-social-security-1099-us-en-9030592[.]live
- gov-tax[.]cyou
- Taxatogov[.]com
Medium Severity Domains:
- print-my-social-security-1099-us-en-6722402[.]zone
- preparegov-mytax2025[.]com
- irs-crypto[.]info
- Notaxesfortrump[.]com
- Cryptobillionheirs[.]com
Veriti Research has also observed additional indicators that may be tied to emerging campaigns aiming to exploit the tax season.
Suspicious Domains:
- w-2payroll[.]com
- w-2free[.]com
- Taxdemandgov[.]com
- Donttaxmyira[.]com
- Donottaxmyira[.]com
Associated IP Address:
- 15.197.148[.]33
Veriti’s research team continues to monitor and track these threats during the upcoming tax season.
