Emotet Malware

Phishing Emails from the IRS Used to Distribute Emotet Malware

Published on: March 28, 2023
Last Updated: March 28, 2023

Phishing Emails from the IRS Used to Distribute Emotet Malware

Published on: March 28, 2023
Last Updated: March 28, 2023

US taxpayers are being cautioned by security experts regarding a recent phishing campaign that involves Emotet.

The campaign involves impersonating W-9 tax forms that appear to have been sent by the Internal Revenue Service or one’s employer.

Since Form W-9 requires personal information such as Name, address, and Tax Identification Number, this particular poses a major threat to US citizens.

First reported by Malwarebytes, the Form W-9 is “being used to lure people to download something sinister.”

The Senior Director of Threat Intelligence at Malwarebytes, Jerome Segura uncovered an email sent by the “IRS Online Center,” with an attachment the size of more than 500MB, marked as “IRS Tax Forms W-9.”

You won’t find many genuine Word documents weighing in at 500MB or more. In fact, a file size of 500MB is a potential indicator that Emotet is lurking in the background.


Emotet malware operations frequently come out with targeted phishing campaigns that coincide with the holiday season and annual business events, such as the ongoing U.S. tax season.

The good news is due to Microsoft’s default blocking of macros, users are now less inclined to enable them, which reduces the likelihood of them becoming infected by malicious Word documents.

Sadly, many users tend to disregard these alerts and directly authorize the files to run.

After execution, the VBScript will retrieve the Emotet DLL and execute it using regsvr32.exe.

After that, the malware will operate silently in the background, harboring the user’s emails and contact details while waiting for additional payloads to install on the device.

A tweet from the IRS about the Emotet malware dating back to 2018

“Emotet has been around since 2014. Originally created as a banking Trojan, later versions added malware delivery and spam services,” said Chris Boyd, the malware intelligence analyst at Malwarebytes.

The malware is mostly distributed through email spam campaigns, with a significant portion of the fake emails used for delivering the infection posing as parcel shipment notifications, invoices, and payment forms.

Stay on top of the latest technology trends — delivered directly to your inbox, free!

Subscription Form Posts

Don't worry, we don't spam

Written by Husain Parvez

Husain has been around the internet ever since the dial-up days and loves writing about everything across the technosphere. He loves reviewing tech, writing about VPNs, and covering Cybersecurity news.