Tax-Themed Malvertising Campaign Deploys Ransomware Amid Tax Season
Cybercriminals Exploit Tax Season with Malvertising Attacks
As the April 15 tax filing deadline approaches in the United States, cybercriminals have launched a sophisticated malvertising campaign targeting individuals and small businesses. This campaign leverages the urgency and stress associated with tax season to deploy ransomware, compromising sensitive data and systems.
Malicious Advertisements Lead to Fake Tax Form Websites
Security researchers have identified that attackers are creating fraudulent websites that mimic legitimate sources for tax forms such as W-2s and W-9s. These malicious sites are promoted through Google Ads, making them appear at the top of search results when users look for tax-related documents. Unsuspecting users who click on these ads are redirected to the fake websites, where they are prompted to download what appears to be a tax form but is, in reality, a malicious file.
Deployment of Remote Access Tools and Disabling Security Measures
Upon downloading the malicious file, a legitimate remote access tool known as ScreenConnect (now rebranded as ConnectWise Control) is installed on the victim's system. This tool allows attackers to gain remote control over the infected device. Before initiating remote access, the attackers deploy a kernel driver designed to disable security software, including Windows Defender, effectively blinding the system's defenses and allowing the malware to operate undetected.
Credential Harvesting and Ransomware Deployment
With remote access established and security measures disabled, the attackers proceed to harvest credentials and other sensitive information from the compromised system. This initial access phase is believed to be part of a larger, multi-stage attack process that culminates in the deployment of ransomware. The ransomware encrypts the victim's data, rendering it inaccessible, and demands a ransom payment in exchange for the decryption key.
Broader Implications and Recommendations
This campaign is particularly concerning due to its wide targeting and the stealthy nature of its malware delivery mechanisms. The use of legitimate tools like ScreenConnect complicates detection and mitigation efforts. Additionally, the timing of the attacks, coinciding with tax season, increases the likelihood of success as individuals and businesses are more likely to seek out tax forms and related information online.
To protect against such threats, it is recommended that users:
- Be cautious when clicking on advertisements, especially those related to tax forms and financial documents.
- Verify the authenticity of websites by checking the URL carefully and confirming that the domain is the official one; HTTPS alone is not a sign of legitimacy, since fraudulent sites can use it just as easily as genuine ones.
- Keep security software up to date and ensure that it is configured to detect and block remote access tools and other potentially unwanted applications.
- Regularly back up important data to mitigate the impact of potential ransomware attacks.
By remaining vigilant and adopting these best practices, individuals and organizations can reduce their risk of falling victim to such malicious campaigns.
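The chain described above (a remote-access client appearing, a kernel driver loading, and Windows Defender being switched off) lends itself to host-based correlation, and the recommendation to configure security software to flag remote access tools is easier to act on with a concrete detection in hand. The following Python is an added example, not code from the article or the TechRadar report: it parses a few constructed telemetry lines and reports hosts on which all three stages occur within a short window. The log format, the timestamps, the driver path, and the field names are assumptions for the example; the ScreenConnect client binary names are the ones the client typically uses on disk, but treat them as an assumption to verify against your own inventory.

```python
"""
Added defensive example: correlate three host-telemetry signals that together
resemble the malvertising-to-ransomware chain described in the article.
Record format, hosts, paths and timestamps are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed binary names for the ScreenConnect / ConnectWise Control client
# service (not taken from the article; confirm against your own installs).
REMOTE_ACCESS_IMAGES = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}
# All three stages must land inside this window to count as one chain.
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry: "<ISO timestamp>|<host>|<event>|<k=v;k=v>"
SAMPLE_LOG = [
    "2025-04-01T09:00:00|WS-01|process_create|image=C:\\Users\\a\\Downloads\\W9_Form.exe;parent=explorer.exe",
    "2025-04-01T09:00:07|WS-01|process_create|image=C:\\Program Files (x86)\\ScreenConnect Client (x)\\ScreenConnect.ClientService.exe;parent=W9_Form.exe",
    "2025-04-01T09:01:30|WS-01|driver_load|image=C:\\Windows\\Temp\\drv.sys;signed=false",
    "2025-04-01T09:02:00|WS-01|defender_config|realtime=disabled",
    # WS-02: a sanctioned remote-access install hours before an unrelated
    # Defender change, with no driver load -- should not be reported.
    "2025-04-01T11:00:00|WS-02|process_create|image=C:\\Program Files (x86)\\ScreenConnect Client (x)\\ScreenConnect.ClientService.exe;parent=msiexec.exe",
    "2025-04-01T15:00:00|WS-02|defender_config|realtime=disabled",
]


def parse_record(line):
    """Split one constructed log line into a dict of fields."""
    ts, host, event, rest = line.strip().split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def classify(rec):
    """Map one record to a stage of the chain, or None if it is not relevant."""
    if rec["event"] == "process_create":
        basename = rec.get("image", "").lower().rsplit("\\", 1)[-1]
        if basename in REMOTE_ACCESS_IMAGES:
            return "remote_access"
    if rec["event"] == "driver_load" and rec.get("signed", "").lower() != "true":
        return "driver_load"
    if rec["event"] == "defender_config" and rec.get("realtime") == "disabled":
        return "defender_off"
    return None


def detect_chain(lines):
    """Return {host: sorted stages} for hosts showing all three stages within WINDOW."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        stage = classify(rec)
        if stage:
            by_host[rec["host"]].append((rec["ts"], stage))

    hits = {}
    required = {"remote_access", "driver_load", "defender_off"}
    for host, events in by_host.items():
        events.sort()
        # Slide a window forward from each event; stop at the first full match.
        for i, (t0, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - t0 <= WINDOW}
            if required <= stages:
                hits[host] = sorted(stages)
                break
    return hits


if __name__ == "__main__":
    for host, stages in detect_chain(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(stages)}")
```

In practice the three signals correspond to Sysmon event ID 1 (process creation) and ID 6 (driver loaded) plus Windows Defender event ID 5001 (real-time protection disabled). The remote-access signal on its own is weak, because the tool is legitimate and widely used by IT teams; the value comes from requiring the driver load and the Defender change to follow it closely, which is why the unrelated events on the second host are not reported.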
For more detailed information on this campaign, refer to the original report by TechRadar.