BruteRatel C4 and Latrodectus delivered in tax and IRS-themed phishing emails<\/h2>\n
On February 6, 2025, Microsoft observed a phishing campaign that involved several thousand emails targeting the United States. The campaign used tax-themed emails that attempted to deliver the red-teaming tool BRc4 and Latrodectus malware. Microsoft attributes this campaign to Storm-0249, an access broker active since 2021 and known for distributing, at minimum, BazaLoader, IcedID, Bumblebee, and Emotet malware. The following lists the details of the phishing emails used in the campaign:<\/p>\n
Example email subjects:<\/p>\n
- \n
- Notice: IRS Has Flagged Issues with Your Tax Filing<\/li>\n
- Unusual Activity Detected in Your IRS Filing<\/li>\n
- Important Action Required: IRS Audit<\/li>\n<\/ul>\n
Example PDF attachment names:<\/p>\n
- \n
- lrs_Verification_Form_1773.pdf<\/li>\n
- lrs_Verification_Form_2182.pdf<\/li>\n
- lrs_Verification_Form_222.pdf<\/li>\n<\/ul>\n
The emails contained a PDF attachment with an embedded DoubleClick URL that redirected users to a Rebrandly URL shortening link. That link in turn redirected the browser to a landing site that displayed a fake DocuSign page hosted on a domain masquerading as DocuSign. When users clicked the Download button on the landing page, the outcome depended on whether their system and IP address were allowed to access the next stage based on filtering rules set up by the threat actor:<\/p>\n
- \n
- If access was permitted<\/strong>, the user received a JavaScript file from Firebase, a platform sometimes misused by cybercriminals to host malware. If executed, this JavaScript file downloaded a Microsoft Software Installer (MSI) containing BRc4 malware, which then installed Latrodectus, a malicious tool used for further attacks.<\/li>\n
- If access was restricted<\/strong>, the user received a benign PDF file from royalegroupnyc[.]com<\/em>. This served as a decoy to evade detection by security systems.<\/li>\n<\/ul>\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image.webp\")
Figure 1. Sample phishing email that claims to be from the IRS<\/figcaption><\/figure>\n ![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-1.webp\")
Figure 2. PDF attachment masquerading as a DocuSign document<\/figcaption><\/figure>\n Latrodectus is a loader primarily used for initial access and payload delivery. It features dynamic command-and-control (C2) configurations, anti-analysis features such as minimum process count and network adapter check, C2 check-in behavior that splits POST data between the Cookie header and POST data. Latrodectus 1.9, the malware\u2019s latest evolution first observed in February 2025, reintroduced scheduled tasks for persistence and added the ability to run Windows commands via the command prompt.<\/p>\n
BRc4 is an advanced adversary simulation and red-teaming framework designed to bypass modern security defenses, but it has also been exploited by threat actors for post-exploitation activities and C2 operations.<\/p>\n
Phishing email with QR code in a PDF links to RaccoonO365 infrastructure<\/h2>\n
Between February 12 and 28, 2025, tax-themed phishing emails were sent to over 2,300 organizations, mostly in the United States in the engineering, IT, and consulting sectors. The emails had an empty body but contained a PDF attachment with a QR code and subjects indicating that the documents needed to be signed by the recipient. The QR code pointed to a hyperlink associated with a RaccoonO365 domain: shareddocumentso365cloudauthstorage[.]com<\/em>. The URL included the recipient email as a query string parameter, so the PDF attachments were all unique. RaccoonO365 is a PhaaS platform that provides phishing kits that mimic Microsoft 365 sign-in pages to steal credentials. The URL was likely a phishing page used to collect the targeted user\u2019s credentials.<\/p>\n
The emails were sent with a variety of display names, which are the names that recipients see in their inboxes, to make the emails appear as if they came from an official source. The following display names were observed in these campaigns:<\/p>\n
- \n
- EMPLOYEE TAX REFUND REPORT<\/li>\n
- Project Funding Request Budget Allocation<\/li>\n
- Insurance Payment Schedule Invoice Processing<\/li>\n
- Client Contract Negotiation Service Agreement<\/li>\n
- Adjustment Review Employee Compensation<\/li>\n
- Tax Strategy Update Campaign Goals<\/li>\n
- Team Bonus Distribution Performance Review<\/li>\n
- proposal request<\/li>\n
- HR|Employee Handbooks<\/li>\n<\/ul>\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-2.webp\")
Figure 3. Screenshot of the opened PDF with the QR code<\/figcaption><\/figure>\n AHKBot delivered in IRS-themed phishing emails<\/h2>\n
On February 13, 2025, Microsoft observed a campaign using an IRS-themed email that targeted users in the United States. The email\u2019s subject was IRS Refund Eligibility Notification<\/em> and the sender was jessicalee@eboxsystems[.]com<\/em>.<\/p>\n
The email contained a hyperlink that directed users to download a malicious Excel file. The link (hxxps:\/\/business.google[.]com\/website_shared\/launch_bw[.]html?f=hxxps:\/\/historyofpia[.]com\/Tax_Refund_Eligibility_Document[.]xlsm<\/em>) abused an open redirector on what appeared to be a legitimate Google Business page. It redirected users to historyofpia[.]com, <\/em>which was likely compromised to host the malicious Excel file. If the user opened the Excel file, they were prompted to enable macros, and if the user enabled macros, a malicious MSI file was downloaded and run.<\/p>\n
The MSI file contained two files. The first file, AutoNotify.exe<\/em>, is a legitimate copy of the executable used to run AutoHotKey script files. The second file, AutoNotify.ahk<\/em>, is an AHKBot Looper script which is a simple infinite loop that receives and runs additional AutoHotKey scripts. The AHKBot Looper was in turn observed downloading the Screenshotter module, which includes code to capture screenshots from the compromised device. Both Looper and Screenshotter used the C2 IP address 181.49.105[.]59 to receive commands and upload screenshots.<\/p>\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-3.webp\")
Figure 4. Screenshot of the email showing the link to download a malicious Excel file<\/figcaption><\/figure>\n ![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-4.webp\")
Figure 5. Macro code to install the malicious MSI file from hxxps:\/\/acusense[.]ae\/umbrella\/<\/figcaption><\/figure>\n GuLoader and Remcos delivered in tax-themed phishing emails<\/h2>\n
On March 3, 2025, Microsoft observed a tax-themed phishing campaign targeting CPAs and accountants in the United States, attempting to deliver GuLoader and Remcos malware. The campaign, which consisted of less than 100 emails, began with a benign rapport-building email from a fake persona asking for tax filing services due to negligence by a previous CPA. If the recipient replied, they would then receive a second email with the malicious PDF. This technique increases the click rates on the malicious payloads due to the established rapport between attacker and recipient.<\/p>\n
The malicious PDF attachment contained an embedded URL. If the attachment was opened and the URL clicked, a ZIP file was downloaded from Dropbox. The ZIP file contained various .lnk<\/em> files set up to mimic tax documents. If launched by the user, the .lnk<\/em> file uses PowerShell to download a PDF and a .bat<\/em> file. The .bat<\/em> file in turn downloaded the GuLoader executable, which then installed Remcos.<\/p>\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-5.webp\")
Figure 6. Sample phishing email shows the original benign request for tax filing services, followed by another email containing a malicious PDF attachment if the target replies.<\/figcaption><\/figure>\n ![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-6.webp\")
Figure 7. The PDF attachment contains a prominent blue \u201cDownload\u201d button that links to download of the malicious payload. The button is overlaid over a blurred background mimicking a \u201cW-2\u201d tax form, which further contributes to the illusion of the attachment being a legitimate tax file.<\/figcaption><\/figure>\n GuLoader<\/strong> is a highly evasive malware downloader that leverages encrypted shellcode, process injection, and cloud-based hosting services to deliver various payloads, including RATs and infostealers. It employs multiple anti-analysis techniques, such as sandbox detection and API obfuscation, to bypass security defenses and ensure successful payload execution.<\/p>\n
Remcos<\/strong> is a RAT that provides attackers with full control over compromised systems through keylogging, screen capturing, and process manipulation while employing stealth techniques to evade detection.<\/p>\n
Mitigation and protection guidance<\/h2>\n
Microsoft recommends the following mitigations to reduce the impact of this threat.<\/p>\n
- \n
- Educate users about protecting personal and business information<\/a> in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.<\/li>\n
- Turn on Zero-hour auto purge (ZAP)<\/a> in Defender for Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.<\/li>\n
- Pilot and deploy phishing-resistant authentication methods<\/a> for users.<\/li>\n
- Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA<\/a> from all devices in all locations at all times.<\/li>\n
- Implement Entra ID Conditional Access authentication strength<\/a> to require phishing-resistant authentication for employees and external users for critical apps.<\/li>\n
- Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen<\/a>, which identifies and blocks malicious websites including phishing sites, scam sites, and sites that contain exploits and host malware.<\/li>\n
- Educate users about using the browser URL navigator to validate that upon clicking a link in search results they have arrived at an expected legitimate domain.<\/li>\n
- Enable network protection<\/a> to prevent applications or users from accessing malicious domains and other malicious content on the internet.<\/li>\n
- Configure Microsoft Defender for Office 365 to recheck links on click<\/a>. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam<\/a> and anti-malware<\/a> protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.<\/li>\n
- Turn on cloud-delivered protection<\/a> in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.<\/li>\n
- Enable investigation and remediation<\/a> in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.<\/li>\n
- Run endpoint detection and response (EDR) in block mode<\/a>, so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.<\/li>\n<\/ul>\n
Microsoft Defender XDR detections<\/h2>\n
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender<\/a> to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\n
Microsoft Defender Antivirus<\/h3>\n
Microsoft Defender Antivirus detects threat components used in the campaigns shared in this blog as the following:<\/p>\n
Microsoft Defender for Endpoint<\/h3>\n
The following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.<\/p>\n
- \n
- Possible Latrodectus activity<\/li>\n
- Brute Ratel toolkit related behavior<\/li>\n
- A file or network connection related to ransomware-linked actor Storm-0249 detected<\/li>\n
- Suspicious phishing activity detected<\/li>\n<\/ul>\n
Microsoft Defender for Office 365<\/h3>\n
Microsoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails. These alerts, however, can be triggered by unrelated threat activity.<\/p>\n
- \n
- A potentially malicious URL click was detected <\/li>\n
- Email messages containing malicious URL removed after delivery<\/li>\n
- Email messages removed after delivery<\/li>\n
- A user clicked through to a potentially malicious URL<\/li>\n
- Suspicious email sending patterns detected<\/li>\n
- Email reported by user as malware or phish<\/li>\n<\/ul>\n
Defender for Office 365 also detects the malicious PDF attachments used in the phishing campaign launched by Storm-0249.<\/p>\n
Microsoft Security Copilot<\/h2>\n
Security Copilot customers can use the standalone experience to create their own prompts<\/a> or run the following pre-built promptbooks<\/a> to automate incident response or investigation tasks related to this threat:<\/p>\n
- \n
- Incident investigation<\/li>\n
- Microsoft User analysis<\/li>\n
- Threat actor profile<\/li>\n
- Threat Intelligence 360 report based on MDTI article<\/li>\n
- Vulnerability impact assessment<\/li>\n<\/ul>\n
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.<\/p>\n
Threat intelligence reports<\/h2>\n
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n
Microsoft Defender Threat Intelligence<\/h3>\n
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\n
Hunting queries<\/h2>\n
Microsoft Sentinel<\/h3>\n
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub<\/a> to have the analytics rule deployed in their Sentinel workspace.<\/p>\n
Furthermore, listed below are some sample queries utilizing Sentinel ASIM Functions<\/a> for threat hunting across both Microsoft first-party and third-party data sources.<\/p>\n
Hunt normalized Network Session events using the ASIM unifying parser _Im_NetworkSession<\/em> for IOCs:<\/p>\n
\n\nlet lookback = 7d;\nlet ioc_ip_addr = dynamic([\"181.49.105.59 \"]); _Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstIpAddr in (ioc_ip_addr) | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\n<\/pre>\n<\/div>\n
Hunt normalized File events using the ASIM unifying parser imFileEvent<\/em> for IOCs:<\/p>\n
\n\nlet ioc_sha_hashes=dynamic([\"fe0b2e0fe7ce26ae398fe6c36dae551cb635696c927761738f040b581e4ed422\",\"bb3b6262a288610df46f785c57d7f1fa0ebc75178c625eaabf087c7ec3fccb6a\",\"9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fc\", \"3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960\",\"165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5\",\"a31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7\", \"a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727\",\"0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36a\",\"4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222bec\",\"9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e\"]); imFileEvent | where SrcFileSHA256 in (ioc_sha_hashes) or TargetFileSHA256 in (ioc_sha_hashes) | extend AccountName = tostring(split(User, @'\\')[1]), AccountNTDomain = tostring(split(User, @'\\')[0]) | extend AlgorithmType = \"SHA256\"\n<\/pre>\n<\/div>\n
Hunt normalized Web Session events using the ASIM unifying parser _Im_WebSession<\/em> for IOCs:<\/p>\n
\n\nlet lookback = 7d;\nlet ioc_domains = dynamic([\"slgndocline.onlxtg.com \", \"cronoze.com \", \"muuxxu.com \", \"proliforetka.com \", \"porelinofigoventa.com \", \"shareddocumentso365cloudauthstorage.com\", \"newsbloger1.duckdns.org\"]); _Im_WebSession (starttime=ago(lookback), eventresult='Success', url_has_any=ioc_domains) | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor <\/pre>\n<\/div>\n
In addition to the above, Sentinel users can also leverage the following queries, which may be relevant to the content of this blog.<\/p>\n
Indicators of compromise<\/h2>\n
BruteRatel C4 and Lactrodectus infection chain<\/strong><\/p>\n
\n\n\n
\n Indicator<\/strong><\/td>\n Type<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n \n 9bffe9add38808b3f6021e6d07084a06300347dd5d4b7e159d97e949735cff1e<\/td>\n SHA-256<\/td>\n lrs_Verification_Form_1730.pdf<\/em><\/td>\n<\/tr>\n \n 0b22a0d84afb8bc4426ac3882a5ecd2e93818a2ea62d4d5cbae36d942552a36a<\/td>\n SHA-256<\/td>\n Irs_verif_form_2025_214859.js<\/em><\/em><\/td>\n<\/tr>\n \n 4d5839d70f16e8f4f7980d0ae1758bb5a88b061fd723ea4bf32b4b474c222bec<\/td>\n SHA-256<\/td>\n bars.msi<\/em><\/em><\/td>\n<\/tr>\n \n a1b4db93eb72a520878ad338d66313fbaeab3634000fb7c69b1c34c9f3e17727<\/td>\n SHA-256<\/td>\n BRc4, filename: nvidiamast.dll<\/em><\/td>\n<\/tr>\n \n hxxp:\/\/rebrand[.]ly\/243eaa<\/em><\/td>\n Domain name<\/td>\n URL shortener to load fake DocuSign page<\/td>\n<\/tr>\n \n slgndocline.onlxtg[.]com<\/em><\/td>\n Domain name<\/td>\n Domain used to host fake DocuSign page<\/td>\n<\/tr>\n \n cronoze[.]com<\/em><\/td>\n Domain name<\/td>\n BRc4 C2<\/td>\n<\/tr>\n \n muuxxu[.]com<\/em><\/td>\n Domain name<\/td>\n BRc4 C2<\/td>\n<\/tr>\n \n proliforetka[.]com<\/em><\/td>\n Domain name<\/td>\n Latrodectus C2<\/td>\n<\/tr>\n \n porelinofigoventa[.]com<\/em><\/td>\n Domain name<\/td>\n Latrodectus C2<\/td>\n<\/tr>\n \n hxxp:\/\/slgndocline.onlxtg[.]com\/87300038978\/<\/em><\/td>\n URL<\/td>\n Fake DocuSign URL<\/td>\n<\/tr>\n \n hxxps:\/\/rosenbaum[.]live\/bars.php<\/em><\/td>\n URL<\/td>\n JavaScript downloading MSI<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n RaccoonO365<\/strong><\/p>\n
\n\n\n
\n Indicator<\/strong><\/td>\n Type<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n \n shareddocumentso365cloudauthstorage[.]com<\/em><\/em><\/td>\n Domain name<\/td>\n RaccoonO365 domain<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n AHKBot<\/strong><\/strong><\/p>\n
\n\n\n
\n Indicator<\/strong><\/td>\n Type<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n \n a31ea11c98a398f4709d52e202f3f2d1698569b7b6878572fc891b8de56e1ff7<\/td>\n SHA-256<\/td>\n Tax_Refund_Eligibility_Document.xlsm<\/em><\/td>\n<\/tr>\n \n 165896fb5761596c6f6d80323e4b5804e4ad448370ceaf9b525db30b2452f7f5<\/td>\n SHA-256<\/td>\n umbrella.msi<\/em><\/em><\/td>\n<\/tr>\n \n 3c482415979debc041d7e4c41a8f1a35ca0850b9e392fecbdef3d3bc0ac69960<\/td>\n SHA-256<\/td>\n AutoNotify.ahk<\/em><\/em><\/td>\n<\/tr>\n \n 9728b7c73ef25566cba2599cb86d87c360db7cafec003616f09ef70962f0f6fc<\/td>\n SHA-256<\/td>\n AHKBot Screenshotter module<\/td>\n<\/tr>\n \n hxxps:\/\/business.google[.]com\/website_shared\/launch_bw.html?f=hxxps:\/\/historyofpia[.]com\/Tax_Refund_Eligibility_Document.xlsm<\/em><\/td>\n URL<\/td>\n URL redirecting to URL hosting malicious Excel file<\/td>\n<\/tr>\n \n hxxps:\/\/historyofpia[.]com\/Tax_Refund_Eligibility_Document.xlsm<\/em><\/td>\n URL<\/td>\n URL hosting malicious Excel file<\/td>\n<\/tr>\n \n hxxps:\/\/acusense[.]ae\/umbrella\/<\/em><\/td>\n URL<\/td>\n URL in macro that hosted the malicious MSI file<\/td>\n<\/tr>\n \n 181.49.105[.]59<\/td>\n IP address<\/td>\n AHKBot C2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Remcos<\/strong><\/p>\n
\n
- Turn on Zero-hour auto purge (ZAP)<\/a> in Defender for Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.<\/li>\n
- Educate users about protecting personal and business information<\/a> in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.<\/li>\n
- If access was restricted<\/strong>, the user received a benign PDF file from royalegroupnyc[.]com<\/em>. This served as a decoy to evade detection by security systems.<\/li>\n<\/ul>\n
- If access was permitted<\/strong>, the user received a JavaScript file from Firebase, a platform sometimes misused by cybercriminals to host malware. If executed, this JavaScript file downloaded a Microsoft Software Installer (MSI) containing BRc4 malware, which then installed Latrodectus, a malicious tool used for further attacks.<\/li>\n