Security Brief: Threat Actors Take Taxes into Account

    Date: 01/29/2025

    Severity: Critical 

    Summary

    Our researchers have observed a rise in campaigns and malicious domains impersonating tax agencies and financial organizations. This trend aligns with the annual surge in tax-related threats typically seen from December to April, coinciding with tax-filing deadlines in the U.K. and U.S. Phishing lures in these campaigns often mimic the government agencies or financial institutions that users interact with when filing taxes or submitting business documents.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://t.co/DL9vqURq7G 

    https://clearlivate.com/xxx/rest.html 

    https://pub-cbdc9a06673740a6aae9a5c61db6da30.r2.dev/indexqu.html 

    https://fotolap.com/.wp-admin/cgi-/intuit/inuit4// 

    https://fotolap.com/.wp-admin/cgi-/intuit/inuit4//res.php 

    https://fotolap.com/.wp-admin/cgi-/intuit/inuit4//panel.php 

    https://drakesoftware.blob.core.windows.net/drakesoftware/Invoice%2352223.html?sp=r&st=2025-01-16T16:09:33Z&se=2025-02-08T00:09:33Z&spr=https&sv=2022-11-02&sr=b&sig=LCXYvo386dH3YpoXy2j6l%2BkIKQyCRFTt1nW3VLhIwko%3D 

    https://cpa01-14-25.blogspot.com///////nunuchabutra.pdf 

    https://cpa01-14-25.blogspot.com/atom.xml 

    https://bitbucket.org/!api/2.0/snippets/nippleschusu/o7rE59/a424483e2d592dcf896a00c8c104be8d1de41925/files/cpa1-26newramayan.txt 

    https://185.208.159.170:8654 

    https://7fasl.ir/gov/ 

    https://a-line.top/admin/gov/ 

    https://www.houzhenkun.com/gov/ 

    https://yungbucksbbq.com/wen/approve/ 

    https://revolut.me/swisstaxadm 

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Note: several of the URLs above sit on shared services (t.co, blogspot.com, bitbucket.org, r2.dev, blob.core.windows.net, revolut.me), so match on the full URL for those rather than the registrable domain, or the rule will block legitimate traffic. The patterns below carry no wildcards, so a request that differs only in a trailing slash, the number of repeated slashes, or the SAS token in the query string will not match; the userdomainname clauses will only fire if that field holds the full URL rather than the bare domain.

    Domains/URLs:

    userdomainname like "https://fotolap.com/.wp-admin/cgi-/intuit/inuit4//" or url like "https://fotolap.com/.wp-admin/cgi-/intuit/inuit4//" or
    userdomainname like "https://fotolap.com/.wp-admin/cgi-/intuit/inuit4//res.php" or url like "https://fotolap.com/.wp-admin/cgi-/intuit/inuit4//res.php" or
    userdomainname like "https://cpa01-14-25.blogspot.com/atom.xml" or url like "https://cpa01-14-25.blogspot.com/atom.xml" or
    userdomainname like "https://yungbucksbbq.com/wen/approve/" or url like "https://yungbucksbbq.com/wen/approve/" or
    userdomainname like "https://pub-cbdc9a06673740a6aae9a5c61db6da30.r2.dev/indexqu.html" or url like "https://pub-cbdc9a06673740a6aae9a5c61db6da30.r2.dev/indexqu.html" or
    userdomainname like "https://185.208.159.170:8654" or url like "https://185.208.159.170:8654" or
    userdomainname like "https://7fasl.ir/gov/" or url like "https://7fasl.ir/gov/" or
    userdomainname like "https://clearlivate.com/xxx/rest.html" or url like "https://clearlivate.com/xxx/rest.html" or
    userdomainname like "https://t.co/DL9vqURq7G" or url like "https://t.co/DL9vqURq7G" or
    userdomainname like "https://fotolap.com/.wp-admin/cgi-/intuit/inuit4//panel.php" or url like "https://fotolap.com/.wp-admin/cgi-/intuit/inuit4//panel.php" or
    userdomainname like "https://drakesoftware.blob.core.windows.net/drakesoftware/Invoice%2352223.html?sp=r&st=2025-01-16T16:09:33Z&se=2025-02-08T00:09:33Z&spr=https&sv=2022-11-02&sr=b&sig=LCXYvo386dH3YpoXy2j6l%2BkIKQyCRFTt1nW3VLhIwko%3D" or url like "https://drakesoftware.blob.core.windows.net/drakesoftware/Invoice%2352223.html?sp=r&st=2025-01-16T16:09:33Z&se=2025-02-08T00:09:33Z&spr=https&sv=2022-11-02&sr=b&sig=LCXYvo386dH3YpoXy2j6l%2BkIKQyCRFTt1nW3VLhIwko%3D" or
    userdomainname like "https://cpa01-14-25.blogspot.com///////nunuchabutra.pdf" or url like "https://cpa01-14-25.blogspot.com///////nunuchabutra.pdf" or
    userdomainname like "https://bitbucket.org/!api/2.0/snippets/nippleschusu/o7rE59/a424483e2d592dcf896a00c8c104be8d1de41925/files/cpa1-26newramayan.txt" or url like "https://bitbucket.org/!api/2.0/snippets/nippleschusu/o7rE59/a424483e2d592dcf896a00c8c104be8d1de41925/files/cpa1-26newramayan.txt" or
    userdomainname like "https://a-line.top/admin/gov/" or url like "https://a-line.top/admin/gov/" or
    userdomainname like "https://www.houzhenkun.com/gov/" or url like "https://www.houzhenkun.com/gov/" or
    userdomainname like "https://revolut.me/swisstaxadm" or url like "https://revolut.me/swisstaxadm"
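    The query above compares raw strings, so slash variants, a changed SAS token, or a trailing slash slip past it, and a domain-only match on the shared hosts would over-block. The script below is an added example, not code from the brief or from Gurucul: it normalizes both the published IOC URLs and proxy log lines before comparing them, and applies a host-only match only to hosts that are not shared services. The log lines, their field layout (timestamp, user, method, URL), and the SHARED_HOSTS list are constructed for the example.

```python
"""Match the tax-season phishing IOCs against proxy log lines (added example).

IOC_URLS is the list published in the brief. SAMPLE_LOG, the log field layout
and SHARED_HOSTS are constructed for this example and are not from the brief.
"""
import re
from urllib.parse import urlsplit, unquote

IOC_URLS = [
    "https://t.co/DL9vqURq7G",
    "https://clearlivate.com/xxx/rest.html",
    "https://pub-cbdc9a06673740a6aae9a5c61db6da30.r2.dev/indexqu.html",
    "https://fotolap.com/.wp-admin/cgi-/intuit/inuit4//",
    "https://fotolap.com/.wp-admin/cgi-/intuit/inuit4//res.php",
    "https://fotolap.com/.wp-admin/cgi-/intuit/inuit4//panel.php",
    "https://drakesoftware.blob.core.windows.net/drakesoftware/Invoice%2352223.html"
    "?sp=r&st=2025-01-16T16:09:33Z&se=2025-02-08T00:09:33Z&spr=https&sv=2022-11-02"
    "&sr=b&sig=LCXYvo386dH3YpoXy2j6l%2BkIKQyCRFTt1nW3VLhIwko%3D",
    "https://cpa01-14-25.blogspot.com///////nunuchabutra.pdf",
    "https://cpa01-14-25.blogspot.com/atom.xml",
    "https://bitbucket.org/!api/2.0/snippets/nippleschusu/o7rE59/"
    "a424483e2d592dcf896a00c8c104be8d1de41925/files/cpa1-26newramayan.txt",
    "https://185.208.159.170:8654",
    "https://7fasl.ir/gov/",
    "https://a-line.top/admin/gov/",
    "https://www.houzhenkun.com/gov/",
    "https://yungbucksbbq.com/wen/approve/",
    "https://revolut.me/swisstaxadm",
]

# Services that host many unrelated tenants (assumed list): a host-only hit on
# these is not evidence of anything, so they only match on the full path.
SHARED_HOSTS = ("t.co", "blogspot.com", "bitbucket.org", "r2.dev",
                "blob.core.windows.net", "revolut.me")


def is_shared_host(host):
    return any(host == s or host.endswith("." + s) for s in SHARED_HOSTS)


def normalize(url):
    """Reduce a URL to (host, port, path), removing the variation that defeats
    exact-string rules: case, default ports, percent-encoding, repeated and
    trailing slashes, and the query string (the SAS token changes per lure)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    port = parts.port
    if (parts.scheme, port) in (("https", 443), ("http", 80)):
        port = None
    path = re.sub(r"/+", "/", unquote(parts.path)).rstrip("/") or "/"
    return host, port, path


EXACT = {normalize(u): u for u in IOC_URLS}
ATTACKER_HOSTS = {host for (host, _, _) in EXACT if not is_shared_host(host)}


def classify(url):
    """Return ("exact", ioc) for a full match, ("host", host) for any request
    to an attacker-controlled host, or None."""
    key = normalize(url)
    if key in EXACT:
        return "exact", EXACT[key]
    if key[0] in ATTACKER_HOSTS:
        return "host", key[0]
    return None


# Constructed log format: "<timestamp> <user> <method> <url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+)$")

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2025-01-28T14:02:11Z alice GET https://fotolap.com/.wp-admin/cgi-/intuit/inuit4/res.php",
    "2025-01-28T14:03:40Z bob GET https://cpa01-14-25.blogspot.com/nunuchabutra.pdf",
    "2025-01-28T14:05:02Z carol GET https://drakesoftware.blob.core.windows.net/"
    "drakesoftware/Invoice%2352223.html?sp=r&sig=OTHER",
    "2025-01-28T14:06:30Z dave GET https://www.blogspot.com/",
    "2025-01-28T14:07:12Z erin GET https://fotolap.com/",
    "2025-01-28T14:08:00Z frank GET https://185.208.159.170:8654/",
    "2025-01-28T14:09:00Z grace GET https://revolut.me/someone-else",
]


def scan(lines):
    """Return (user, match_type, indicator) for every line that hits an IOC."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = classify(m["url"])
        if verdict:
            hits.append((m["user"], verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for user, kind, indicator in scan(SAMPLE_LOG):
        print(f"{kind:5} {user:6} {indicator}")
```

    In the sample, alice, bob and carol hit despite a collapsed slash run, a stripped slash run and a different SAS token respectively; erin's visit to the fotolap.com root fires a host-level hit because that host is attacker-controlled; dave and grace do not fire because blogspot.com and revolut.me are shared services and their paths match no indicator.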

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/security-brief-threat-actors-take-taxes-account


    Tags

    Phishing, United States, United Kingdom, Financial Services, Government Services and Facilities, Tax, Malware
