A new phishing campaign has been spotted delivering the Amadey botnet malware to U.S. taxpayers through fake income tax refund emails. The infection chain begins with an email that pretends to come from the Internal Revenue Service (IRS) and informs the recipient that they are eligible for a tax refund. The clever part of the attack is that the attacker does not ask for credentials. Instead, the message supplies a temporary username and password for logging into a fake IRS portal that is linked in the message body. The fraudulent site is hosted at ‘hxxp://yosemitemanagement[.]com/fonts/page5/’; after the user logs in with the temporary credentials, the site informs them that they have a pending refund. Victims are then asked to fill in some personal details and download a ZIP file to claim the refund. If the user downloads the ZIP file, the payload runs a self-decryption routine and installs itself in the Windows Registry for persistence. Amadey then connects to its command and control (C2) server, sends system diagnostic information, and waits for further instructions.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased