
From Tax Forms to Takeover: A Multi-Stage Phishing Attack in Action

  • April 7, 2026
  • 5 replies
  • 41 views
TroyGIll
Community Manager

As the tax deadline approaches, phishing and malware campaigns predictably increase in both volume and effectiveness. Threat actors consistently exploit seasonal events to improve engagement, and tax-related lures remain one of the most reliable themes. At the same time, there is a growing shift toward attacks that abuse legitimate remote monitoring and management (RMM) tools, allowing adversaries to blend malicious activity with software that is already trusted in the environment.

In this campaign, attackers impersonate the Canada Revenue Agency and distribute T4-themed PDF documents that require a password to open. This added step increases perceived legitimacy, since password-protected tax documents are common in real-world workflows. The friction of a gated document paradoxically increases trust, because users associate protected content with sensitive or official information. Seasonal alignment further amplifies effectiveness, as recipients expect and readily engage with tax-related communications during this period.

Upon opening the PDF, the victim is presented with instructions directing them to click a link hosted on a Vercel domain, along with a reminder of the password required for the next stage. This link initiates the download of a ZIP archive from attacker-controlled infrastructure hosted on Vercel.


The archive itself is password-protected, concealing a malicious VBScript file that contains a heavily obfuscated PowerShell command. (Note that ZIP encryption protects member content only; the member names in the central directory remain readable, which gives a gateway something to check even when it cannot inspect the script body.) This layered delivery chain, combining a password-protected document, an encrypted archive, and script-based execution, is designed to evade email and endpoint security controls that rely on content inspection.
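The content-inspection gap described above is not total: an encrypted ZIP still exposes its member names and flag bits in the central directory, and an encrypted PDF declares an /Encrypt entry in its trailer. The following Python is an added example of a gateway-side attachment triage that uses exactly those unencrypted fields; it is not code from the original post or its author. The sample archive and PDF bytes are constructed inside the block (the stdlib cannot write encrypted ZIPs, so the sample only sets the encryption flag bit), and the member name `T4_2025.vbs`, the script-extension list and the verdict labels are assumptions.

```python
"""Attachment triage for password-protected lures.

An encrypted ZIP cannot be content-scanned, but its central directory (file
names, sizes, general-purpose flags) is never encrypted, so a gateway can still
flag an encrypted archive that carries a script. Sample data is constructed.
"""
import io
import zipfile

# Assumed list of script-host extensions worth blocking when they arrive
# inside an archive the gateway cannot open.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                     ".ps1", ".bat", ".cmd", ".lnk")


def zip_report(data: bytes) -> dict:
    """Report encryption status and risky member names of a ZIP.

    Works on encrypted archives because only the central directory is read;
    bit 0 of each entry's general-purpose flag marks it as encrypted.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = any(i.flag_bits & 0x1 for i in infos)
    scripts = [i.filename for i in infos
               if i.filename.lower().endswith(SCRIPT_EXTENSIONS)]
    return {"encrypted": encrypted,
            "members": [i.filename for i in infos],
            "script_members": scripts}


def pdf_is_encrypted(data: bytes) -> bool:
    """Heuristic: an encrypted PDF references an /Encrypt dictionary in its
    trailer. A cheap pre-filter, not a full PDF parser."""
    return b"/Encrypt" in data


def triage_attachment(name: str, data: bytes) -> str:
    """Return an assumed verdict: 'block', 'review' (hold for a human or a
    sandbox) or 'scan' (pass to normal content inspection)."""
    lower = name.lower()
    if lower.endswith(".zip"):
        try:
            rep = zip_report(data)
        except zipfile.BadZipFile:
            return "review"            # claims to be a ZIP but does not parse
        if rep["encrypted"] and rep["script_members"]:
            return "block"             # cannot scan it, and it carries a script
        return "review" if rep["encrypted"] else "scan"
    if lower.endswith(".pdf"):
        return "review" if pdf_is_encrypted(data) else "scan"
    return "scan"


def build_sample_zip(member: str = "T4_2025.vbs", encrypted_flag: bool = True) -> bytes:
    """Constructed sample: write a plain ZIP, then set flag bit 0 in every
    local (PK\\x03\\x04, flags at +6) and central (PK\\x01\\x02, flags at +8)
    header so it parses as password-protected. The body is not really
    encrypted; the flag alone is enough to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, "placeholder script body")
    raw = bytearray(buf.getvalue())
    if encrypted_flag:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = raw.find(sig)
            while i != -1:
                raw[i + off] |= 0x01
                i = raw.find(sig, i + 1)
    return bytes(raw)


# Constructed minimal PDF trailer carrying an /Encrypt reference.
SAMPLE_PDF_ENCRYPTED = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
                        b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(triage_attachment("T4_2025.zip", build_sample_zip()))          # block
    print(triage_attachment("T4_2025.zip", build_sample_zip("notes.txt")))  # review
    print(triage_attachment("T4_2025.pdf", SAMPLE_PDF_ENCRYPTED))        # review
```

The design choice is to treat "cannot inspect" as a signal in its own right rather than a reason to pass the file through: an encrypted archive whose visible member is a script host file has no legitimate reason to reach a mailbox, while an encrypted archive of documents is held for review instead of blocked outright.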

When the VBScript file is executed, the attack follows a dual-purpose execution flow. A short delay is introduced with a Sleep call, after which the victim's browser is redirected to the legitimate Canada Revenue Agency website. In parallel, the LogMeIn Resolve unattended access client is silently installed in the background, granting the attacker persistent remote access to the compromised system. The delayed execution and the benign browser redirect together act as a distraction, reducing the likelihood that the user connects any subsequent system changes with the file they just opened.

The campaign did not remain isolated to a single geography. The same threat actors later transitioned to a U.S.-themed variant while maintaining the identical delivery structure and infrastructure. The reuse of the same password, file structure, and hosting platform strongly suggests a templated or automated deployment model. This level of reuse indicates operational efficiency and scalability, allowing attackers to quickly pivot lures and payloads without modifying the underlying infection chain.

In the U.S. variant, the ZIP archive again contains a VBScript file, but the payload shifts. Once executed, the script operates along two parallel paths. In the background, it silently downloads and installs the Remcos RAT, establishing persistent access and enabling full system control. In the foreground, the script opens the legitimate Social Security Administration website in the user’s browser. This consistent use of legitimate government websites as visual cover reinforces trust while masking malicious activity, a tactic increasingly observed in multi-stage phishing campaigns.

This campaign highlights how threat actors continue to refine well-established techniques rather than replace them. By combining seasonal lures, trusted cloud hosting, encrypted payload delivery, and legitimate remote access tools, attackers achieve high success rates with relatively low complexity. For defenders, the takeaway is clear: detection must move beyond simple content inspection and focus on behavioral signals, such as a script host (wscript.exe or cscript.exe) spawning PowerShell, a browser and an installer in quick succession, RMM agents appearing on hosts where the organization has not approved them, and user-driven downloads from newly observed domains.
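To make the behavioral signals above concrete, here is an added Python example (not code from the original post or its author) that scores a process tree the way an analyst would when hunting this chain: it walks the descendants of any script-host process and looks for the three things the post describes together, an encoded PowerShell command, a browser launched as a decoy, and an installer or binary run from a user-writable path. The event records are constructed in the block in the shape of Sysmon process-creation data; the executable names, the two-minute window, the path list and the file name `agent_setup.exe` are assumptions to be tuned to your own telemetry.

```python
"""Behavioural detection of the script-host -> PowerShell -> decoy-browser +
background-install chain over process-creation events.

Events are constructed here; in production they would come from Sysmon
Event ID 1 or an EDR process-creation feed with the same fields.
"""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}   # assumed
INSTALLERS = {"msiexec.exe"}                                             # assumed
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\downloads\\")                                        # assumed
WINDOW_SECONDS = 120                                                     # assumed


def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_encoded_powershell(image: str, cmdline: str) -> bool:
    """PowerShell launched with -e / -ec / -enc / -EncodedCommand."""
    if _image_name(image) not in POWERSHELL:
        return False
    toks = cmdline.lower().split()
    return any(t in ("-e", "-ec") or t.startswith("-enc") for t in toks)


def analyze(events: list) -> list:
    """Return one alert per script host whose descendants (within the window)
    show at least two of the three campaign signals."""
    by_pid = {ev["pid"]: ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev["pid"])

    alerts = []
    for root in events:
        if _image_name(root["image"]) not in SCRIPT_HOSTS:
            continue
        # Depth-first walk of descendants started within WINDOW_SECONDS.
        stack, descendants = list(children[root["pid"]]), []
        while stack:
            ev = by_pid[stack.pop()]
            if ev["ts"] - root["ts"] <= WINDOW_SECONDS:
                descendants.append(ev)
                stack.extend(children[ev["pid"]])

        signals = set()
        for ev in descendants:
            name = _image_name(ev["image"])
            path = ev["image"].replace("/", "\\").lower()
            if _is_encoded_powershell(ev["image"], ev["cmdline"]):
                signals.add("encoded_powershell")
            if name in BROWSERS:
                signals.add("browser_decoy")
            if name in INSTALLERS or any(p in path for p in USER_WRITABLE):
                signals.add("install_from_user_path")

        if len(signals) >= 2:
            alerts.append({
                "root_pid": root["pid"],
                "script": root["cmdline"],
                "signals": sorted(signals),
                "severity": "high" if len(signals) == 3 else "medium",
            })
    return alerts


# Constructed sample telemetry (ts in seconds). The first tree mirrors the
# campaign; the second is a benign logon script that must not alert.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "ts": 0, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "ts": 10, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\T4_2025.vbs"'},
    {"pid": 300, "ppid": 200, "ts": 11,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},   # placeholder payload
    {"pid": 400, "ppid": 300, "ts": 14,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe https://www.canada.ca/en/revenue-agency.html"},
    {"pid": 500, "ppid": 300, "ts": 15,
     "image": r"C:\Users\u\AppData\Local\Temp\agent_setup.exe",
     "cmdline": "agent_setup.exe /quiet"},
    {"pid": 600, "ppid": 100, "ts": 50, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe \\corp\netlogon\mapdrives.vbs"},
    {"pid": 700, "ppid": 600, "ts": 51, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net.exe use H: \\\\fs\\home"},
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Requiring two of the three signals keeps a lone wscript-to-browser launch (common in logon scripts that open an intranet page) below the alert threshold, while the full chain scores high; the RMM agent itself is deliberately not matched by product name, since the next variant of the campaign swapped the payload for Remcos without changing anything else.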

5 replies

Jasper_The_Rasper
Moderator

Thank you @TroyGIll


TylerM
Administrator
  • Sr. Security Analyst & Community Manager
  • April 7, 2026

Thanks @TroyGIll


TripleHelix
Moderator
  • Moderator
  • April 7, 2026

Thanks @TroyGIll 😎


Ssherjj
Moderator
  • Moderator
  • April 7, 2026

Thank you @TroyGIll!


ProTruckDriver
Moderator

Thank you Troy