
IRS Authorized Found Serving Malware

The tax return software provider, which is authorized by the IRS, was found to be serving JavaScript (JS) malware on its website. The malware is designed to steal sensitive data such as login credentials and financial information. The malware was seen by multiple security researchers who reported the issue to The company stated that it has resolved the issue and that no customer data had been compromised. However, the incident serves as a reminder for individuals to take precautions when using online tax services and to keep their software updated.

Analyst Notes

Tax season in the United States is a period when an uptick in cybercrime is regularly seen. As the season winds down, many taxpayers are scrambling at the last minute to finish their taxes before the 2023 deadline. Whether someone has filed their taxes yet or not, they still need to remain vigilant, as many threat actors will keep looking for ways to scam or trick victims.

The malicious JavaScript file ‘update.js’ further attempts to prompt users to download a next-stage payload, which differs depending on whether they are using Chrome or Firefox. Antivirus products have already started flagging these executables as trojans. These binaries establish a connection to a Tokyo-based IP address,, that appears to be hosted with Alibaba. The same IP also hosts the illicit domain, infoamanewonliag[.]online, associated with this incident. The security research group MalwareHunterTeam further analyzed these binaries and stated that they contain Windows botnets written in PHP.

It is recommended that organizations restrict PHP execution to devices that have a legitimate business use for it. In addition, behavioral detections for executables downloaded by JavaScript may help identify attack attempts by similar campaigns. Binary Defense’s MDR and Threat Hunting services are excellent solutions to assist with such needs.
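One way to express the behavioral detection recommended above, as an added example that is not Binary Defense's own detection content: a small Python rule that walks constructed, simplified Sysmon-style events (file create, process create, network connect) and flags an executable written by a browser, the later execution of that same file, and any contact with the domain named in these notes. The event shape and the file paths are assumptions made for the example.

```python
BROWSERS = {"chrome.exe", "firefox.exe"}
# Domain from the analyst notes above (written defanged there as infoamanewonliag[.]online).
IOC_DOMAINS = {"infoamanewonliag.online"}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EXPLORER = r"C:\Windows\explorer.exe"
DROPPED = r"C:\Users\user\Downloads\update.exe"

# Constructed sample telemetry, loosely modelled on Sysmon event IDs
# (11 = FileCreate, 1 = ProcessCreate, 3 = NetworkConnect). Not real logs.
EVENTS = [
    {"id": 11, "image": CHROME, "target": DROPPED},
    {"id": 11, "image": CHROME, "target": r"C:\Users\user\Downloads\report.pdf"},
    {"id": 1, "image": DROPPED, "parent": EXPLORER},
    {"id": 3, "image": DROPPED, "dest_host": "infoamanewonliag.online"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": EXPLORER},
    {"id": 3, "image": CHROME, "dest_host": "www.example.com"},
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, subject) tuples for events matching the three rules."""
    dropped = set()  # executables written to disk by a browser process
    alerts = []
    for e in events:
        eid = e["id"]
        if eid == 11 and basename(e["image"]) in BROWSERS:
            # Rule 1: a browser wrote a PE to disk (candidate next-stage payload).
            if e["target"].lower().endswith(".exe"):
                dropped.add(e["target"].lower())
                alerts.append(("browser_dropped_exe", e["target"]))
        elif eid == 1 and e["image"].lower() in dropped:
            # Rule 2: that browser-dropped executable was launched.
            alerts.append(("browser_dropped_exe_executed", e["image"]))
        elif eid == 3 and e.get("dest_host", "").lower() in IOC_DOMAINS:
            # Rule 3: any process reached the domain tied to this incident.
            alerts.append(("ioc_domain_contact", e["image"]))
    return alerts


if __name__ == "__main__":
    for rule, subject in detect(EVENTS):
        print(f"{rule}: {subject}")
```

Rule 1 alone will also fire on legitimate installers a user downloads, so in practice it is best paired with rule 2 or with a reputation check on the file before paging an analyst.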

The Chrome malicious payload for this campaign has been identified as:

The Firefox malicious payload has also been identified: