Full Report
Microsoft is warning of several phishing campaigns that are leveraging tax-related themes to deploy malware and steal credentials. "These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection," Microsoft said in a report shared with The
Analysis Summary
# Tool/Technique: RaccoonO365 (Phishing-as-a-Service Platform)
## Overview
RaccoonO365 is an e-crime platform delivered via phishing-as-a-service (PhaaS) used by threat actors, notably in tax-themed campaigns, to mimic Microsoft 365 login pages to facilitate credential theft.
## Technical Details
- Type: Tool (Phishing-as-a-Service Platform)
- Platform: Web/Online Service (Used to create phishing pages targeting primary platforms like Windows/Microsoft 365 users)
- Capabilities: Deployment of realistic phishing pages, credential harvesting.
- First Seen: Early December 2024
## MITRE ATT&CK Mapping
*Note: As a PhaaS platform, its use maps broadly to initial access and credential harvesting.*
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link
- **TA0006 - Credential Access**
- T1003 - OS Credential Dumping (Indirectly, by capturing credentials upon entry)
## Functionality
### Core Capabilities
- Provides infrastructure for creating and hosting convincing phishing pages.
- Specifically designed to impersonate Microsoft 365 interfaces to harvest user credentials.
### Advanced Features
- Utilized in multi-stage attacks involving QR codes and redirects to evade detection (as seen in tax-themed campaigns).
## Indicators of Compromise
- **File Hashes:** N/A (Platform Infrastructure)
- **File Names:** N/A (Platform)
- **Registry Keys:** N/A
- **Network Indicators:** Associated with links/pages hosted through the RaccoonO365 infrastructure. (Specific URLs are dynamic and provider-dependent).
- **Behavioral Indicators:** Redirection to login credential entry points disguised as Microsoft services.
## Associated Threat Actors
- Threat actors deploying widespread tax-themed phishing campaigns (February 2025).
## Detection Methods
- **Signature-based detection:** Detecting known landing page structures or unique identifiers associated with RaccoonO365 infrastructure.
- **Behavioral detection:** Monitoring for user interactions leading to credential submission on suspicious external domains mimicking M365.
- **YARA rules:** Not specified for the platform itself.
## Mitigation Strategies
- Adopt phishing-resistant authentication methods (e.g., MFA/Phishing-resistant MFA).
- Use browsers with robust malicious website blocking capabilities.
- Train users to recognize credentials harvesting attempts, especially those delivered via shorteners or QR codes.
## Related Tools/Techniques
- Other credential harvesting mechanisms like Browser-in-the-Browser (BitB) technique.
***
# Tool/Technique: Latrodectus
## Overview
Latrodectus is a malware loader that has recently evolved (Latrodectus 1.9) and is being deployed in campaigns targeting initial access, often following exploitation via initial phishing stages or delivery through other loaders like BruteRatel C4.
## Technical Details
- Type: Malware Loader
- Platform: Windows
- Capabilities: Initial access delivery, persistence establishment, deployment of secondary malware.
- First Seen: Emerged prior to February 2025; version 1.9 observed in February 2025.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566 - Phishing
- **TA0003 - Persistence**
- T1547.001 - Registry Run Keys / Startup Folder (Reintroduced in v1.9)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- Loading and deploying secondary stages of malware (often deployed/channeled via BRc4).
- Establishing persistence on compromised hosts.
### Advanced Features
- Version 1.9 reintroduced persistence mechanisms (`scheduled task`).
- Added command 23, enabling the execution of Windows commands via `cmd.exe /c`.
## Indicators of Compromise
- **File Hashes:** Unknown from context.
- **File Names:** Associated with initial delivery mechanisms like MSI files.
- **Registry Keys:** Associated with persistence mechanisms (likely Run keys/Tasks).
- **Network Indicators:** Used as a conduit for secondary malware C2.
- **Behavioral Indicators:** Creation of scheduled tasks for persistence, execution of `cmd.exe` commands upon remote instruction.
## Associated Threat Actors
- Storm-0249
## Detection Methods
- **Signature-based detection:** Analyzing payloads delivered by BRc4 or via the observed infection chains.
- **Behavioral detection:** Detecting the creation of new scheduled tasks that point to suspicious payloads or unusual command execution via `cmd.exe`.
## Mitigation Strategies
- Restrict execution of MSI files from untrusted sources.
- Implement strong endpoint detection and response (EDR) to catch persistence mechanism creation.
- Block known C2 communications.
## Related Tools/Techniques
- BruteRatel C4 (Used to deliver Latrodectus in one observed chain).
- Remcos RAT (Deployed alongside Latrodectus in related tax campaigns).
***
# Tool/Technique: BruteRatel C4 (BRc4)
## Overview
BruteRatel C4 (BRc4) is a red-teaming tool that is being abused by threat actors to deliver subsequent malware stages, such as Latrodectus loader.
## Technical Details
- Type: Tool (Red Team/Post-Exploitation Framework, used maliciously)
- Platform: Windows
- Capabilities: Adversary simulation, command execution, payload delivery.
- First Seen: July 2022 (Initial disclosure/analysis)
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
## Functionality
### Core Capabilities
- Facilitating the execution of high-privilege commands.
- Delivering payloads (e.g., Latrodectus) in victim environments.
### Advanced Features
- Implied use of stealth or evasion techniques common to red-teaming frameworks to avoid security solutions.
## Indicators of Compromise
- **File Hashes:** Unknown from context.
- **File Names:** Associated with the initial stages of execution (e.g., MSI installer phase).
- **Network Indicators:** Used during C2 communication phases, often using legitimate or obfuscated channels.
- **Behavioral Indicators:** Observed coordinating the deployment of Latrodectus via an MSI file.
## Associated Threat Actors
- Storm-0249 (Uses BRc4 to deliver Latrodectus).
## Detection Methods
- EDR monitoring for behaviors characteristic of sophisticated C2/red-teaming frameworks, even when masquerading as legitimate tools.
- Detection of suspicious MSI deployment chains.
## Mitigation Strategies
- Strict application control to limit execution of unauthorized executables.
- Monitoring for misuse of legitimate system utilities often leveraged by tools like BRc4.
## Related Tools/Techniques
- Latrodectus (Delivered by BRc4 in context).
***
# Tool/Technique: Remcos RAT
## Overview
Remcos RAT is a comprehensive Remote Access Trojan used to gain full control over compromised systems, often deployed as a secondary payload following initial infection chains involving GuLoader.
## Technical Details
- Type: Malware (Remote Access Trojan - RAT)
- Platform: Windows
- Capabilities: Remote control, file system access, command execution.
- First Seen: Initial versions appeared around 2017.
## MITRE ATT&CK Mapping
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- **TA0007 - Discovery**
- T1082 - System Information Discovery
## Functionality
### Core Capabilities
- Providing remote access and control to the attacker.
### Advanced Features
- Deployment via infection chains initiated by malicious ZIP files containing shortcut links (.lnk) that execute PowerShell scripts.
## Indicators of Compromise
- **File Hashes:** Unknown from context.
- **File Names:** Preceded by ZIP files containing mimic tax document .lnk files.
- **Network Indicators:** C2 communication channels used by Remcos.
- **Behavioral Indicators:** Commands executed via PowerShell leading to the download of GuLoader, which then installs Remcos.
## Associated Threat Actors
- Threat actors leveraging GuLoader infection chains in tax-themed phishing.
## Detection Methods
- Signature matching for Remcos binaries.
- Behavioral analysis detecting remote control session establishment and anomalous file or system interaction.
## Mitigation Strategies
- Disable execution of LNK files from untrusted sources (e.g., email).
- Use network egress filtering to block known Remcos C2 IPs/domains.
## Related Tools/Techniques
- GuLoader (Used to deliver Remcos in this specific chain).
***
# Tool/Technique: AHKBot
## Overview
AHKBot is malware, likely utilizing AutoHotKey, observed in tax-themed phishing campaigns that specializes in capturing screenshots of the compromised host for subsequent exfiltration.
## Technical Details
- Type: Malware (Likely AutoHotKey based)
- Platform: Windows
- Capabilities: Screenshot capture, data exfiltration.
- First Seen: Recent activity noted in February 2025 campaigns.
## MITRE ATT&CK Mapping
- **TA0007 - Discovery**
- T1057 - Screen Capture
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Downloading and running an AutoHotKey script after initial MSI execution.
- Capturing desktop screenshots.
### Advanced Features
- Exfiltrating captured visual data to a remote server.
## Indicators of Compromise
- **File Hashes:** Unknown from context.
- **File Names:** Associated with MSI files that launch the AHK script.
- **Network Indicators:** Remote servers receiving screenshot data.
- **Behavioral Indicators:** Execution of AutoHotKey scripts initiated by MSI files, and high frequency of screen capture activity.
## Associated Threat Actors
- Threat actors leveraging AHKBot in tax-themed campaigns.
## Detection Methods
- Monitoring for the execution of AutoHotKey scripts originating from suspicious MSIs.
- EDR focused on processes rapidly taking and sending screenshots.
## Mitigation Strategies
- Disable macro/script execution from untrusted Office/Installer documents.
## Related Tools/Techniques
- GuLoader (Mentioned in proximity, suggesting similar delivery vectors might be used).
***
# Tool/Technique: GuLoader
## Overview
GuLoader is a downloader designed to frequently obfuscate its final payload, used here to deceive users into downloading a ZIP file which, through multiple steps (.lnk, .bat, PowerShell), ultimately deploys GuLoader, which then installs Remcos RAT.
## Technical Details
- Type: Malware (Downloader/Dropper)
- Platform: Windows
- Capabilities: Payload obfuscation, multi-stage download execution, initial malware stage delivery.
- First Seen: Late 2022 (Analysis referenced).
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (Executing .lnk files)
## Functionality
### Core Capabilities
- Initiating a complex multi-stage download chain following the opening of a malicious PDF attachment containing a URL leading to a ZIP file.
- Downloading and executing the final payload (Remcos RAT).
### Advanced Features
- Use of `.lnk` files masquerading as tax documents, which then employ PowerShell to download sequential components (`.pdf`, `.bat`).
## Indicators of Compromise
- **File Hashes:** Unknown from context.
- **File Names:** Malicious ZIP files containing `.lnk` files mimicking tax documents.
- **Network Indicators:** URLs leading to the ZIP download.
- **Behavioral Indicators:** Execution of `.lnk` files that spawn PowerShell, which then downloads subsequent components.
## Associated Threat Actors
- Threat actors using GuLoader in tax-themed attacks against organizations across various sectors.
## Detection Methods
- Blocking execution of scripts launched from shortcut files (.lnk).
- Signature detection for the GuLoader executable.
## Mitigation Strategies
- Disable LNK file execution via email attachments if possible.
- Ensure network traffic inspection can follow multi-stage PowerShell command execution branches.
## Related Tools/Techniques
- Remcos RAT (Final payload in this chain).
- PowerShell (Used heavily in the GuLoader execution chain).