Blog - Ophtek

Cybercriminals are exploiting the urgency of tax season to launch phishing scams aimed at stealing personal and financial data.

Once again, the tax filing deadline is fast approaching for Americans and cybercriminals are preparing to take advantage of this seasonal chaos. Microsoft has recently issued a warning about a surge in tax-themed phishing campaigns targeting both individuals and businesses. These scams are designed to look convincing – often replicating official communications from the IRS or trusted tax companies– and are very successful at tricking people into revealing sensitive data or installing malware.

Luckily, Ophtek has your back and we’re here to give you some advice on how you can stay safe.

Understanding Tax-Related Phishing Scams

At the core of these scams are phishing emails which use urgency and fear to catch victims off guard and cause them to commit an action. The emails may, for example, claim there’s a problem with your tax filing, warn of an audit, or promise that a tax refund is due. These emails often contain subject names such as “EMPLOYEE TAX REFUND REPORT” or “Tax Strategy Update Campaign Goals” which, once opened, can install malicious software.

Typically, the emails also contain PDF attachments – with names such as lrs_Verification_Form_1773.pdf – which are used to redirect users to malicious website containing malware. In certain cases, the emails also include links or QR codes that redirect users to fake websites made to resemble genuine tax portals. The goal is simple: get users to enter their personal or financial details or download malware.

But not all of these phishing emails are easily identifiable as threatening or suspicious. Some start with relatively harmless messages to build trust. Once the target feels comfortable, follow-up emails are used to introduce more dangerous content. This makes it more likely the user will activate a malicious payload compared to an email received out of the blue. A wide range of malware has been observed in these attacks with GuLoader, AHKBot, and BruteRatel C4 just a few of those involved.

Protect Your Finances and Your Tax Returns

The financial and personal impact of these attacks can be significant for victims. As well as the potential financial loss, those affected often face further headaches in the form of frozen credit, blacklisting, and stolen tax refunds. For businesses, the consequences can extend to data breaches, costly compliance violations, and significant downtime. Accordingly, you need to tread carefully during tax season and make sure you follow these best practices:

Verify Email Authenticity: It’s crucial that you check the authenticity of all emails you receive, especially those which call for an urgent action to be performed. Always check the email address of emails received and make sure they’re not using an unusual domain spelling e.g. I-R-S@tax0ffice.com
Be Careful of Attachments and Links: Never open attachments from unknown sources as these could easily contain malware. Likewise, be careful when dealing with links – hover your mouse cursor over any suspicious links to reveal the genuine destination and Google the true URLs to identify any potential threat.
Keep Your Software Updated: Finally, make sure that your software is always up-to-date and has the latest security patches installed. This can strengthen your cyber defenses and make it much harder for threat actors to take advantage of software vulnerabilities.

For more ways to secure and optimize your business technology, contact your local IT professionals.

TP-Link Routers Exploited with Ease by Vulnerability

cyberattack, default passwords, Ophtek, remote management, router firmware update, security patches, security_updates, TP-Link Archer AX-21cyberattack, default passwords, firmware updates, Ophtek, remote management, security patches, TP-Link Archer AX-21, updatesOphtek, LLC

Apr 2025

A recent cyberattack has compromised thousands of TP-Link routers, turning them into a botnet which spreads malware and launches cyberattacks worldwide.

Cybersecurity researchers have discovered a widespread attack where threat actors exploited a vulnerability (CVE-2023-1389) in TP-Link Archer AX-21 routers. This security flaw allows attackers to take control of unpatched routers remotely, recruiting them – alongside thousands of others – into part of a botnet. What’s a botnet? Well, luckily Ophtek is here to explain: a botnet is a network of infected devices used for malicious activities on a huge scale.

At least 6,000 routers have been affected, with compromised devices being found all across the world in Brazil, Poland, the UK, Bulgaria, and Turkey. Once one of the TP-Link routers are infected, they can spread malware to other devices on the same network or be used as part of a coordinated botnet attack.

How Were the TP-Link Routers Exploited?

The threat-actors behind the attack started by simply scanning the internet for any vulnerable TP-Link routers that had not been updated with the latest security patches. Each time a router was found with the vulnerability in place, the attackers were able to exploit a remote code execution flaw – which allowed the hackers to install malware on the router.

Once infected, these routers became part of the Ballista botnet, which the threat actors were able to control remotely. As more and more routers, and devices connected to them, were recruited, Ballista became even more powerful. This enabled it to spread malware to further PCs and devices, launch DDoS attacks to flood websites and disrupt online services, and steal sensitive data passing through the router.

Why Should PC Users be Concerned?

All modern PCs rely on routers to connect to the internet and internal IT infrastructures, but many people take them for granted and don’t consider them a security risk. Accordingly, many PC users have been caught out by not updating their router’s firmware or keeping their device’s default password, both of which make them easy targets for hackers. As TP-Link router users have discovered, an infected router can quickly become a major security risk, sending data to hackers without the user being aware.

Keeping Your Router Safe from Vulnerabilities

It’s highly likely that you own a router or regularly use a computer connected to one. Regardless of the make and model, all routers have the potential to be compromised by threat actors. Here’s how you can stay safe:

Update Your Firmware Regularly: Router manufacturers regularly release security updates to fix vulnerabilities in their products, so it’s crucial that you install these as soon as possible. The best way to ensure you’re running the most up to date firmware is to log into your router settings and check for any available updates once a month.
Change Default Credentials: Many routers come straight out of the box with default usernames and passwords – hackers can easily guess these as huge lists of default credentials are readily available online. This is why you need to change your router’s admin login details to a strong, unique password.
Disable Remote Management: If your router has the option of allowing remote access over the internet, you should disable this feature unless there’s a real need for you to access it from a remote location – this type of access should only be reserved for your IT team.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Taiwan Businesses Targeted by Winos 4.0 Malware

malicious emails, National Taxation Bureau, Ophtek, Phishing, Silver Fox, Taiwan, Win 4.0malicious emails, National Taxation Bureau, Ophtek, phishing, Silver Fox, Taiwan, updates, Winos 4.0Ophtek, LLC

Apr 2025

A recent cyberattack has targeted Taiwanese companies using phishing emails which appear to be from Taiwan’s National Taxation Bureau.

In this attack, cybercriminals sent phishing emails to businesses in Taiwan, pretending to be officials from the National Taxation Bureau. These emails contained malicious attachments designed to infect victims’ computers with malware. The threat actors’ aim was to steal sensitive information and gain unauthorized access to IT infrastructures, enabling the attackers to have easy access to secure data.

How Did the Winos Attack Unfold?

The threat actors created emails which, at a quick glance, appeared official and claimed to provide a list of companies scheduled for tax inspections. The recipients were urged to download a zip file containing this list. However, contained within this ZIP file was a dangerous DLL file named lastbld2Base.dll. Once this file was activated, it set in motion a series of malicious actions – the most prominent of which was to download the Winos 4.0 malware. Winos 4.0 allowed the threat actors to take screenshots, record keystrokes, and remotely execute commands on the infected devices.

Once installed, Winos 4.0 gave the attackers deep access to the compromised systems. This access made the malware a powerful tool for carrying out espionage, especially given that the main targets appeared to be corporate businesses. These types of targets allowed the threat actors to gain access to huge amounts of personal data, rather than targeting individuals one at a time to harvest such data.

Security researchers believe that a hacking group known as Silver Fox are the perpetrators behind the attack. Silver Fox has a history of targeting Chinese-speaking users and has previously been observed using fake software installers and malicious game optimization apps to deceive victims.

Protecting Yourself from Such Attacks

This incident is further evidence that phishing campaigns are becoming more deceptive and underlining the importance of social engineering tactics for hackers. Many people glance over their emails quickly and, if they see an official and trusted government logo, the chances are that they’ll believe it’s genuine. However, it’s important that you and your employees stay safe, so make sure you practice the following:

Be Careful with Email Attachments: Always double check the authenticity of and email before downloading or opening email attachments, especially if they are unexpected or urge you to perform a specific action. If an email claims, for example, to be from a government agency, visit the official website to confirm its legitimacy before opening any attachments.
Keep Software Updated: Regularly updating your operating system and security software is crucial for protecting your PCs against known vulnerabilities. Many cyberattacks take advantage of outdated software with numerous vulnerabilities, so keeping your system up to date should be a priority at all times.
Educate Employees: Ensuring that your staff can recognize phishing attempts is crucial in 2025, as is carrying out safe email practices to prevent accidental exposure to malware or malicious links. Implementing cybersecurity awareness programs should be a priority for your IT inductions. Regular refresher courses should also be to help consolidate this learning.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Google Ads Used to Push Fake Google Chrome Installer

google ads, Google Chrome, malware, Ophtek, SecTopRat, security software, security_updateschrome, Google ads, malware, Ophtek, SecTopRat, security, updatesOphtek, LLC

Mar 2025

Cybercriminals are exploiting Google Ads to distribute malware disguised as a genuine Google Chrome installer, tricking users into downloading the malware.

Threat actors are always innovative, and this recent attack underlines exactly why you need to be on your guard when online. Attackers have been purchasing ads which appear when PC users search for popular software downloads e.g. Google Chrome. Unfortunately, the ads which are served up lead to dangerous websites which closely resemble official download pages. This deception tricks users into downloading and installing malware.

As we spend a high proportion of our work time online, we’re going to dig deep into this attack to see what we can learn.

How Can Google Ads Compromise Your PC?

In this attack, users searching with terms such as “download Google Chrome” might find themselves confronted with a sponsored ad at the top of their search results. This ad can, at first, appear genuine, often having a URL which includes “sites.google.com” – a Google platform used to build free websites. Accordingly, users feel confident that these pages are official and trustworthy, especially when they look very similar to official download sites.

Once a user clicks the ad, they’re redirected to a malicious page which is a highly convincing imitation of the official Google Chrome download site. This page urges users to download a file named “GoogleChrome.exe” and, so far, everything appears as you would expect. With nothing unusual to suspect, users make the decision to trust the page, download the file, and then launch it.

However, once executed, the installer begins to act suspiciously. Firstly, it connects to a remote server to retrieve additional instructions. Secondly, it requests that they user grants it administrative privileges to assist in completing the download. At this point, alarm bells should start ringing, but most users still feel as though the software can be trusted. Once administrative privileges are granted, the installer executes a PowerShell command which prevents Windows Defender from scanning the malware’s location, enabling it to operate quietly in the background.

A further file is then downloaded to the BackupWin directory and, masquerading under the name of a genuine piece of software, opens up a communication channel with the threat actors’ remote server. The malware used is SecTopRAT, a Remote Access Trojan which allows the attackers to take remote control of the infected system and steal sensitive data such as capturing keystrokes, accessing files, and recording user activities.

Protecting Against the SecTopRAT Threat

Your employees are busy with their daily tasks and, therefore, it’s easy for them to have a lapse of judgement and quickly click on something they believe to be genuine. However, this can be disastrous for your IT infrastructure, so it’s crucial that your staff are mindful of the following:

Be Cautious of Sponsored Ads: Just because an ad is that the top of the search results, this doesn’t mean it can be trusted. This is why it’s important to always verify the authenticity of a URL before clicking it. Check for any unusual spellings or, to be fully safe, navigate directly to the official website for that software.
Only Download from Official Sources: The best approach is to always head straight to the developers website rather than trusting other online sources. Aside from sponsored ads, it’s critical that your team avoids downloading via links in emails or through torrent sites – both of these sources often lead to nothing but malware.
Keep Your Security Software Updates: One of the simplest ways to thwart attackers is to make sure your security software is up to date. This software regularly scans your system for threats, but it needs to be updated as soon as possible to detect the latest threats.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Malicious Code Found Embedded in Steam Downloads

anti-malware_software, malware, Ophtek, PirateFi, security, Steam, vidarmalware, Ophtek, PirateFi, security, Steam, vidarOphtek, LLC

Mar 2025

A malicious game on Steam called PirateFi was found to contain malware which steals personal information, highlighting the risks of unverified downloads.

A recent attack involving a game on Steam has highlighted the importance of vigilance when downloading software. The game, called PirateFi, was available to download on Steam – an online platform for buying and playing games – but contained malware designed to steal personal data from players’ computers.

Pirates Strike Gold on Infected Systems

PirateFi – which was a free to play game – was developed by Seaworth Interactive and available on Steam from February 6th to February 12th, 2025. Promising an engaging and challenging survival experience, setting players objectives such as base building, food gathering, and making weapons, PirateFi was downloaded by around 1500 players and generated numerous positive reviews.

However, it was soon discovered that PirateFi was not simply a game meant to excite players and take their minds off the real world. Reports soon emerged that the game contained malware known as Vidar, a data-stealing program. Vidar is designed to harvest sensitive data from infected computers, so this could easily include passwords, financial information, and personal documents. Rather than Vidar being bundled with PirateFi as bloatware, Vidar was embedded within the game’s files, allowing it to be launched when the game was started.

Valve, the company behind Steam, quickly removed PirateFi from their platform on February 12^th, when the threat was identified. They were also swift in issuing security notifications to those who had downloaded the game. Valve’s advice was, for those who had downloaded PirateFi, to run a full system scan using up-to-date antimalware software to detect and remove any dangerous files. Alternatively, Valve suggested that those at risk fully reinstalled their operation system to ensure Vidar was completely removed.

Staying Safe from Dangerous Downloads

This attack underlines the ingenuity and evolving tactics of threat actors, who are increasingly targeting popular platforms like Steam and GitHub to distribute their malware.

By disguising their malware as legitimate tools on these platforms, the threat actors are exploiting the trust users place in these websites. For a threat actor, this is fantastic as it opens up their attack to a huge audience. However, for a user it’s highly frustrating and dangerous. Accordingly, you need to practice the following to remain safe:

Be Cautious with Unverified Software: Before downloading and installing new software, especially from lesser-known sources, always take the time to research the application. Seek out reviews from reputable sources and check for any reports of malicious activity relating to the software.
Keep Your Security Software Updated: Ensure that your antivirus and anti-malware programs are always up to date. Regularly scan your system for potential threats, particularly after installing new applications. Updated security software can detect, quarantine and delete the latest malware threats before they can take hold of your system.
Monitor for Unusual Activity: Always be mindful of any suspicious activity on your networks, such as unusual drops in performance, unfamiliar programs executing, or unauthorized access to your accounts. If you notice signs such as these, there’s a chance that your network has been breached.

For more ways to secure and optimize your business technology, contact your local IT professionals.

1 2 3 … 126 Next »