A new Emotet phishing campaign is exploiting tax season by purporting to be the Internal Revenue Service to compromise unsuspecting victims and conduct further malicious activity, according to security researchers at Malwarebytes and Palo Alto Networks Unit42.

In one of the campaigns, the threat actors send emails with the subject “IRS Tax Forms W-9,” while purporting to be an “Inspector” from the IRS. The phishing email contains a ZIP archive named “W-9 form.zip” that contains a malicious Word document, that when interacted with ultimately leads to the delivery of Emotet. Another campaign leverages OneNote to infect users with Emotet using a similar “W-9” theme. Members are encouraged to remind users of the tax-related scams that are prevalent this time of year. Read more at BleepingComputer here.

Additionally, as Emotet and IcedID threat actors are believed to be partnering to expand their capability, it should be noted that researchers have recently identified two new IcedID variants that may be leveraging existing Emotet infections to test functionality. While IcedID malware was historically used for banking fraud, in recent months threat actors have been using new variants, tracked as “Lite” (first seen in November 2022) and “Forked” (first observed in February 2023) to gain initial access to victim networks. Read more at BleepingComputer here.

Additional WaterISAC Reporting on Emotet and IcedID:

• Threat Awareness – Keep Our Eyes on Emotet
• Emotet Employing New Tactics to Evade Detection and Infect more Victims
• Threat Awareness – Emotet Malware Being Distributed Via Microsoft OneNote
• Threat Awareness – IcedID Banking Trojan Changes Strategy to Zoom Phishing Sites
• DHS Report on Threat Actors Exploiting OneNote to Deliver Qakbot and IcedID Malware