Ethical Hacking News
Malicious Microsoft Excel files are being used to deliver malware and steal credentials as part of the ongoing GuLoader campaign. Tax-related emails with malicious attachments are being sent, including PDF files containing links that redirect users to fake Docusign pages; if access is allowed, the user is sent a JavaScript file that subsequently downloads a Microsoft Software Installer (MSI) for BRc4, which serves as a conduit for deploying Latrodectus malware. A second campaign involves tax-themed phishing emails with QR codes that point to a link associated with the RaccoonO365 PhaaS, mimicking Microsoft 365 login pages. Other phishing and social engineering attacks are also being reported, including the browser-in-the-browser technique, information stealer malware, SVG files, and abuse of trusted collaboration services. Learn more about these phishing scams and how they can be prevented.
Microsoft has warned of a new phishing scam targeting tax filing season, in which malicious Microsoft Excel files are being used to deliver malware and steal credentials. The attack, which is part of the ongoing GuLoader campaign, aims to deceive users into enabling macros in Microsoft Excel; the macros then download and run an MSI file that launches an AutoHotKey script, which exfiltrates screenshots from compromised hosts to a remote server.
The attack involves sending tax-related emails with malicious attachments, including PDF files containing links that redirect users to fake Docusign pages. If access is allowed, the user is sent a JavaScript file that subsequently downloads a Microsoft Software Installer (MSI) for BRc4, which serves as a conduit for deploying Latrodectus malware.
Researchers have also detected a second campaign, where tax-themed phishing emails were sent to over 2,300 organizations in the US, particularly aimed at engineering, IT, and consulting sectors. The emails featured QR codes that pointed to a link associated with the RaccoonO365 PhaaS, which mimics Microsoft 365 login pages to trick users into entering their credentials.
In addition to these campaigns, there have been several other phishing and social engineering attacks reported in recent weeks, including:
* Use of browser-in-the-browser (BitB) technique to serve seemingly realistic browser pop-ups that trick players of Counter-Strike 2 into entering their Steam credentials with the likely goal of reselling access to these accounts for profit.
* Use of information stealer malware to hijack MailChimp accounts, permitting threat actors to send email messages in bulk.
* Use of SVG files to bypass spam filters and redirect users to fake Microsoft login pages.
* Use of trusted collaboration services like Adobe, DocuSign, Dropbox, Canva, and Zoho to sidestep secure email gateways (SEGs) and steal credentials.
* Use of emails spoofing music streaming services like Spotify and Apple Music with the goal of harvesting credentials and payment information.
* Use of bogus websites displaying fake security warnings about suspicious activity on Windows and Apple Mac devices to deceive users into providing their system credentials.
* Use of fake websites distributing trojanized Windows installers for DeepSeek, i4Tools, and Youdao Dictionary Desktop Edition that drop Gh0st RAT.
* Use of billing-themed phishing emails targeting Spanish companies to distribute an information stealer named DarkCloud.
* Use of phishing emails impersonating a Romanian bank to deploy an information stealer called Masslogger targeting organizations located in Romania.
To mitigate the risks posed by these attacks, it is essential that organizations adopt phishing-resistant authentication methods for users, use browsers that can block malicious websites, and enable network protection to prevent applications or users from accessing malicious domains.
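As an added example of the detection side of these mitigations (not code from Microsoft or the cited articles), the rules below score mail metadata for the traits the campaigns above share: tax-themed subjects, macro-enabled Excel, SVG, JavaScript, MSI and link-bearing PDF attachments, QR codes in the body, and hosts that contain an impersonated brand name without being that brand's real domain. The mail records, field names and the `BRAND_APEX` allow-list are constructed assumptions to be tuned per tenant.

```python
"""Triage rules for tax-season phishing mail, modelled on the campaigns above.
Added example, not a vendor's detection logic; mail records are constructed."""
from urllib.parse import urlparse

TAX_WORDS = ("tax", "irs", "w-2", "1099", "refund", "filing")
# Attachment types the reported campaigns used as first-stage lures or droppers
RISKY_EXT = {".xlsm", ".xls", ".xlsb", ".svg", ".js", ".msi", ".pdf"}
# Assumption: legitimate apex domains for the brands impersonated in these campaigns
BRAND_APEX = {
    "docusign": ("docusign.com", "docusign.net"),
    "microsoft": ("microsoft.com", "microsoftonline.com", "office.com", "live.com"),
}

def lookalike(url):
    """True if the host name carries a brand word but is not under that brand's apex."""
    host = (urlparse(url).hostname or "").lower()
    for brand, apexes in BRAND_APEX.items():
        if brand in host and not any(host == a or host.endswith("." + a) for a in apexes):
            return True
    return False

def score(msg):
    """Return the list of reasons a message looks like a tax-themed phish."""
    reasons = []
    if any(w in msg["subject"].lower() for w in TAX_WORDS):
        reasons.append("tax-themed subject")
    for name in msg["attachments"]:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXT:
            reasons.append(f"risky attachment {name}")
    for u in msg["urls"]:
        if lookalike(u):
            reasons.append(f"brand lookalike url {u}")
    if msg.get("has_qr"):
        reasons.append("QR code in body")
    return reasons

def triage(msgs, threshold=2):
    """Flag messages with at least `threshold` reasons; one weak signal alone is ignored."""
    flagged = []
    for m in msgs:
        reasons = score(m)
        if len(reasons) >= threshold:
            flagged.append((m["id"], reasons))
    return flagged

SAMPLE_MAIL = [  # constructed records, not real telemetry
    {"id": "m1", "subject": "Your 2024 tax filing documents", "attachments": ["return.pdf"],
     "urls": ["https://docusign-secure-view.example/doc/123"], "has_qr": False},
    {"id": "m2", "subject": "IRS refund notice", "attachments": [], "urls": [], "has_qr": True},
    {"id": "m3", "subject": "Team lunch Friday", "attachments": ["menu.pdf"],
     "urls": ["https://www.docusign.com/"], "has_qr": False},
    {"id": "m4", "subject": "Tax form", "attachments": ["form.xlsm"], "urls": [], "has_qr": False},
]
```

Running `triage(SAMPLE_MAIL)` flags m1, m2 and m4 while the benign PDF with a real docusign.com link (m3) stays below the threshold.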
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-Microsoft-Excel-Files-A-New-Phishing-Scam-Targeting-Tax-Filing-Season-ehn.shtml
https://thehackernews.com/2025/04/microsoft-warns-of-tax-themed-email.html
https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/
Published: Thu Apr 3 13:49:43 2025 by llama3.2 3B Q4_K_M