Voldemort Malware Curses Orgs Using Global Tax Authorities

Published: 23/11/2024 | Category: security




The global malware campaign (that must not be named?) is targeting organizations by impersonating tax authorities, and using custom tools like Google Sheets for command and control.



A sophisticated malware campaign dubbed Voldemort is targeting organizations worldwide by impersonating tax authorities in Europe, Asia, and the US.
This malicious activity has affected dozens of organizations worldwide, with more than 20,000 phishing messages reported since its inception on Aug. 5, according to a report from Proofpoint.
The malware is a custom backdoor written in C, designed for data exfiltration and deploying additional malicious payloads.
The attack uses Google Sheets for command-and-control (C2) communications and files that abuse the Windows search protocol. Once the victim downloads the malware, it uses a legitimate version of the WebEx software to load a DLL that communicates with the C2 server.
The researchers said the campaign escalated significantly on Aug. 17, when nearly 6,000 phishing emails were sent in a single day, primarily impersonating tax agencies.
These included the US Internal Revenue Service (IRS), the UK's HM Revenue & Customs, and France's Direction Générale des Finances Publiques, among others. Each phishing email was crafted in the native language of the respective tax authority, adding a layer of credibility to the lures.
The emails, sent from what appear to be compromised domains, included the legitimate domain names of the tax agencies to further enhance their authenticity.
The report noted that the campaign's ultimate objective remains unclear, but Proofpoint researchers said they believe it is likely aimed at espionage, given Voldemort's intelligence-gathering capabilities and potential for deploying additional payloads.
Mayuresh Dani, manager of security research at the Qualys Threat Research Unit, says organizations that use Google in their ecosystem are more likely to be exposed to Voldemort, since the company's platforms would be on the allowed list.
"Unless organizations are monitoring for traffic to specified [indicators of compromise], these attacks would largely fly under the radar," he notes.
Dani explains this is a known technique identified as T1567.002 in the MITRE ATT&CK framework, and recommends that organizations monitor for network connections to cloud services associated with non-browser processes, as well as large amounts of network connections to cloud services.
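As an added example that is not from the article or from Proofpoint's report, the following Python check implements the two hunts Dani describes: cloud-service connections from non-browser processes, and an unusually high number of connections to cloud services from one process. The domain list, process names, threshold and log records are constructed assumptions for illustration.

```python
from collections import Counter

# Cloud services whose abuse for C2 or exfiltration maps to ATT&CK T1567.002.
# Assumed list for this example; in practice, list the SaaS your estate permits.
CLOUD_SERVICE_SUFFIXES = (
    "docs.google.com",
    "sheets.googleapis.com",
    "drive.google.com",
)

# Processes that are expected to reach cloud services; others are suspicious.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample records: (source_host, process_name, destination_host).
# "conference_app.exe" is a placeholder for a legitimate signed binary that
# has been made to side-load a malicious DLL, as the article describes.
SAMPLE_CONNECTIONS = [
    ("ws01", "chrome.exe", "docs.google.com"),
    ("ws01", "chrome.exe", "sheets.googleapis.com"),
    ("ws02", "conference_app.exe", "sheets.googleapis.com"),
    ("ws02", "conference_app.exe", "sheets.googleapis.com"),
    ("ws02", "conference_app.exe", "sheets.googleapis.com"),
    ("ws03", "outlook.exe", "outlook.office365.com"),
]


def is_cloud_service(host: str) -> bool:
    """True when host is exactly, or a subdomain of, a listed cloud service."""
    return any(host == s or host.endswith("." + s) for s in CLOUD_SERVICE_SUFFIXES)


def detect(connections, volume_threshold: int = 3):
    """Return alerts for (a) non-browser processes reaching cloud services and
    (b) any (host, process) whose cloud-service connection count meets the
    threshold. Each alert is a tuple whose first element names the pattern."""
    alerts = []
    per_process = Counter()
    reported = set()
    for src, proc, dst in connections:
        if not is_cloud_service(dst):
            continue
        key = (src, proc.lower())
        per_process[key] += 1
        if proc.lower() not in BROWSER_PROCESSES and key not in reported:
            reported.add(key)
            alerts.append(("nonbrowser_cloud_c2", src, proc, dst))
    for (src, proc), count in per_process.items():
        if count >= volume_threshold:
            alerts.append(("high_volume_cloud", src, proc, count))
    return alerts
```

Feeding real proxy or EDR network telemetry into `detect()` requires only mapping each record to the (host, process, destination) triple.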
Meanwhile, Omri Weinberg, co-founder and CRO at DoControl, says that verifying the authenticity of government communications is challenging, especially given how convincing these impersonations can be.
"Organizations should establish clear protocols for handling sensitive requests or notifications, particularly those related to financial matters," he explains. "This might include always verifying through a separate, known-good channel before taking action."
He added that it is crucial to educate employees about these types of impersonation attacks.
"They should know to be suspicious of unsolicited communications, especially those creating a sense of urgency," he said.
While implementing DMARC and other email authentication protocols can help filter out some spoofed emails, Weinberg stressed that user awareness remains key.
Jason Soroko, senior fellow at Sectigo, says companies can protect against personalized phishing attacks by enhancing email filtering systems, and training employees to recognize and report suspicious emails.
He also recommends employing strong multi-factor authentication (MFA), and regularly updating and auditing the visibility of publicly available information to reduce exposure.
"Organizations should also employ advanced endpoint detection and response tools, enforce strict network segmentation, apply regular security patches, monitor for abnormal behavior, and implement robust data encryption practices to safeguard sensitive information," he adds.
And finally, implementing email authentication protocols including DMARC, SPF, and DKIM can also help prevent impersonation-based attacks, as can S/MIME certificates for ensuring the legitimacy of email sender identities within an organization, he stresses.
