IRS-Themed Phishing Granting Threat Actors Remote Access


The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team has identified an ongoing phishing campaign opportunistically targeting U.S. State, Local, Tribal, and Territorial (SLTT) government entities with tax-themed lures. In observed cases, victims clicked a TryCloudflare phishing link leading to an automatic download of legitimate RemotePC software, which would grant threat actors complete access to the victims’ computers.

To increase credibility, threat actors tailor their lures to appear to come from the Internal Revenue Service (IRS) or Social Security Administration (SSA). These fraudulent websites, hosted at TryCloudflare domains, serve as timely and convincing lures, particularly given the proximity to tax season. In one observed case, the initial phishing domain redirects users to the official irs.gov site to reinforce legitimacy.

CIS CTI recommends members of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) raise awareness within their organizations of these lures.

Analysis of an IRS-Themed Phishing Attack

CIS CTI identified this activity from an MS-ISAC member report, which indicated a user in their organization fell for a phishing attempt by opening the link: https[:]//invision-handle-sessions-travelling[.]trycloudflare.com/dashboard/hs/IRS_pnXkel6pr1CAn44[.]exe. The team replicated this behavior in a sandbox, which confirmed the agency’s findings that visiting the website automatically triggered a RemotePC download. (See Figure 1 below.) Further analysis revealed the webpage redirected to the official irs.gov webpage after the download.


Figure 1: TryCloudflare RemotePC download page before IRS re-direct

CIS CTI analysis additionally identified seven separate TryCloudflare URLs that downloaded an installer for legitimate RemotePC software.

A Brief Note on Threat Actor Misuse of TryCloudflare

Throughout 2025 and into the first quarter of 2026, CIS CTI observed threat actors misusing the TryCloudflare tunneling service. Cloudflare Tunnels offer dynamic TryCloudflare domains that proxy resources to Cloudflare infrastructure, enabling users to generate a one-time tunnel domain without creating an account, per Proofpoint. Threat actors often leverage Cloudflare Tunnels as part of their campaigns due to Cloudflare’s trusted reputation and the service’s ability to dynamically generate domains.

TryCloudflare URLs Impersonating the IRS and SSA

Many of the installers tied to the TryCloudflare URLs observed in this campaign incorporate IRS or SSA in their name. A subset of the files included misspellings, such as SecialSecurityStatement_uZtHjcW4u9CQ2ZaUYBjR[.]exe.

After a user visited the URL, the installers downloaded RemotePC, a legitimate software tool threat actors can exploit to gain “complete control” of the intended user’s computer.

Given the deliberate impersonation of official government resources, proximity to tax season at the time of publication, and common misspellings of filenames, it is highly likely threat actors are leveraging these techniques to gain unauthorized access to victims’ systems for malicious, financially driven follow-on objectives like dropping malware, stealing credentials, selling access on illicit forums, and executing commands, as noted by Huntress.
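As an added illustration of the lure pattern described above (example code written for this page, not CIS tooling or part of the original report), the following Python flags proxy-log requests to TryCloudflare tunnel domains that fetch an executable, and rates higher those whose filename imitates IRS or SSA documents, tolerating the kind of misspelling seen in SecialSecurityStatement. The log lines, the second tunnel hostname, the client addresses and the paths other than the first URL are constructed.

```python
import re
from difflib import get_close_matches
from urllib.parse import urlparse

# Constructed proxy log lines (not real telemetry): time client method url status.
# Only the first tunnel URL comes from the report; the others are made up.
SAMPLE_LOG = """\
2026-02-10T14:02:11Z 10.1.4.22 GET https://invision-handle-sessions-travelling.trycloudflare.com/dashboard/hs/IRS_pnXkel6pr1CAn44.exe 200
2026-02-10T14:02:13Z 10.1.4.22 GET https://www.irs.gov/ 200
2026-02-10T14:09:02Z 10.1.4.31 GET https://made-up-tunnel-name.trycloudflare.com/files/SecialSecurityStatement_uZtHjcW4u9CQ2ZaUYBjR.exe 200
2026-02-10T14:12:55Z 10.1.4.40 GET https://made-up-tunnel-name.trycloudflare.com/app/build.exe 200
2026-02-10T14:15:30Z 10.1.4.41 GET https://intranet.example.gov/forms/IRS_W2_Guide.pdf 200
"""

# Words a tax- or benefits-themed lure filename is likely to borrow.
THEME_WORDS = {"irs", "ssa", "social", "security", "statement", "tax", "refund"}
EXEC_EXTS = (".exe", ".msi", ".scr", ".bat")


def theme_hits(filename):
    """Return theme words found in a filename, tolerating typos such as 'Secial'."""
    # Split on underscores, digits and camel-case boundaries: "SecialSecurity" -> Secial, Security
    tokens = re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", filename)
    hits = set()
    for tok in tokens:
        tok = tok.lower()
        if tok in THEME_WORDS:
            hits.add(tok)
        elif len(tok) >= 5:  # fuzzy-match only longer tokens to limit false positives
            hits.update(get_close_matches(tok, THEME_WORDS, n=1, cutoff=0.8))
    return sorted(hits)


def find_lure_downloads(log_text):
    """Flag executables fetched from *.trycloudflare.com; themed names get higher confidence."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, _status = line.split()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        filename = parsed.path.rsplit("/", 1)[-1]
        if not host.endswith(".trycloudflare.com"):
            continue  # irs.gov and internal hosts are not in scope for this rule
        if not filename.lower().endswith(EXEC_EXTS):
            continue
        themes = theme_hits(filename)
        findings.append({"client": client, "host": host, "file": filename,
                         "themes": themes, "confidence": "high" if themes else "medium"})
    return findings
```

Any tunnel-hosted executable is reported; the themed ones are the campaign's signature, while an unthemed one still merits review because the page notes seven distinct tunnel URLs served the same installer.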

Snapshot of Observed Related Threat Activity

The threat activity observed in this campaign aligns with what others are seeing:

  • In February 2026, the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) identified numerous phishing campaigns masquerading as the IRS and leveraging tax season as a lure. Among this activity, NJCCIC identified threat actors leveraging other legitimate hosting providers, including Amazon Web Services, to download remote monitoring and management (RMM) tools to grant threat actors unauthorized access to systems.
  • In its "2026 Cyber Threat Report," Huntress notes threat actor misuse of RMM tools rose 277% year over year and appeared in 24% of all incidents it tracked.
  • In a July 2025 Joint Cybersecurity Advisory, the FBI and several partner agencies reported the prominent threat group Scattered Spider similarly used phishing lures to deceive users into downloading legitimate RMM tools to attain network access and exfiltrate data for extortion efforts.

As pointed out by Microsoft, threat actors frequently tailor social engineering lures to timely and notable events like tax season to enhance their phishing efforts. To account for this activity, SLTT administrators should ensure users exercise increased vigilance, particularly concerning emails conveying a sense of urgency relating to timely and important events like tax season.

Embrace Year-Round Collective Cyber Defense

To receive tailored mitigations and IOCs related to active cyber threats like the campaign discussed above, you can join the MS-ISAC, a community dedicated to the collective defense of U.S. SLTTs. Members received early reporting on this phishing campaign, including over 800 IOCs through the CIS Indicator Sharing Program. Members also regularly receive support through services like Malicious Domain Blocking and Reporting (MDBR), which has already blocked over 200,000 queries to malicious domains associated with this campaign at the time of publication.

Ready to defend against IRS-themed phishing through the power of community?


As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.