Cybercriminals Abuse IRS and Tax Filing Lures to Push Malware in New Campaigns

Proofpoint researchers observed a surge of organized tax-themed phishing campaigns in early 2026 targeting primarily U.S. users (and victims in Canada, Australia, Switzerland, and Japan), delivering legitimate RMM tools, information stealers, and credential-phishing pages; two tracked groups (TA4922 and TA2730) used impersonation of tax authorities and firms, multi-stage social engineering, and legitimate remote access software (e.g., N-able, Datto, RemotePC) to obtain remote access or harvest credentials, and defenders are advised to allow-list approved RMMs and strengthen user training and verification procedures.