Faked Out: How a Fraud IRS Website Fueled a Sophisticated Remote Access Campaign
September 30, 2025 | 6 min read
Thomas Elkins and Joshua Green


BlueVoyant Security Operations Center (SOC) and Threat Fusion Cell (TFC) researchers recently analyzed a phishing incident in which a user was lured to a fake IRS website to "verify" a tax refund. The chain began with a phishing email that sent the user to the fraudulent site. The attacker's objective was to get the user to download and execute the PDQ Remote Monitoring and Management (RMM) agent, disguised as a "Secured Document" file. Running the file installs the PDQ RMM agent and gives the attacker remote access to the affected device.
Attack Overview
The attack began with a phishing email posing as an IRS tax refund notification, with the subject line "IRS Refund". The email linked to a fake IRS website, hxxps://docspreviewgov[.]com; visiting the site caused the user's browser to download the PDQ RMM agent installer, disguised as 'IRS_Secured_Document_2025.msi'.

Figure 1 – Fake IRS site hosted at hxxps://docspreviewgov[.]com
While analyzing the landing page of the fake IRS website, BlueVoyant researchers identified a suspicious JavaScript file being loaded. Beyond handling basic UI elements such as layout and text rendering, the script functioned as a browser-based dropper: it collected system and user metadata, sent the results to a Telegram bot, and automatically triggered the download of a .msi or .pkg installer after a short delay.

Figure 2 – Code contained within JS file to gather information about visitors
The JavaScript fingerprints visitors by gathering their public IP address (via ipify[.]org), device and browser information, screen resolution, and other telemetry. After an 8-second delay the script POSTs this data to a separate page on the same site, hxxps://docspreviewgov[.]com/api/telegram, which holds the Telegram API configuration and forwards the payload to a Telegram bot. This matters for hunting: the victim's browser talks only to the lure domain, so Telegram itself never appears in the victim's web logs. The script targets Windows and macOS by checking the connecting device's platform. If it detects a mobile device (iOS or Android), it only logs a console error, "No download URL available for this OS: <OS name>", and downloads nothing.

Figure 3 – Message content sent to Telegram bot
Once the data was sent and the platform check returned Windows, the script silently downloaded IRS_Secured_Document_2025.msi from hxxps://docspreviewgov[.]com/documents/; on macOS the same path served IRSInstaller.pkg instead.
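The sequence the script produces on the wire is visible from web-proxy logs alone, because every request it makes (the ipify lookup, the POST to the relay page, the installer fetch) passes through the victim's egress. The following Python is an added example, not code from the original post or from BlueVoyant. It runs over constructed log lines in an assumed `epoch client method url status` layout (the client addresses and the example.com/example.net hosts are made up for illustration) and flags a client only when a POST to an `/api/telegram` path is followed, from the same host, by a `.msi` or `.pkg` download, recording the ipify lookup as supporting evidence.

```python
"""Flag proxy clients that show the fingerprint-then-drop sequence described
above: an ipify lookup, a POST to an /api/telegram relay on the lure domain,
then a .msi or .pkg download from that same domain shortly afterwards.

The log lines below are constructed for this example. Their layout
(epoch seconds, client IP, method, URL, status) is an assumption and not the
format of any particular proxy product."""
from collections import defaultdict
from urllib.parse import urlparse

RELAY_PATH = "/api/telegram"          # server-side relay seen on the lure site
INSTALLER_EXTENSIONS = (".msi", ".pkg")
WINDOW_SECONDS = 60                   # the page describes an 8 s delay; allow slack

# Constructed sample: one victim, one client that only looked up its IP, and
# one client that hit a same-named path on an unrelated site with no payload.
SAMPLE_PROXY_LOG = """\
1727700000 10.20.0.15 GET https://docspreviewgov.com/ 200
1727700002 10.20.0.15 GET https://api.ipify.org/?format=json 200
1727700010 10.20.0.15 POST https://docspreviewgov.com/api/telegram 200
1727700011 10.20.0.15 GET https://docspreviewgov.com/documents/IRS_Secured_Document_2025.msi 200
1727700050 10.20.0.77 GET https://api.ipify.org/?format=json 200
1727700051 10.20.0.77 GET https://intranet.example.com/reports/q3.pdf 200
1727700090 10.20.0.99 POST https://shop.example.net/api/telegram 200
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed URL."""
    ts, client, method, url, status = line.split()
    parsed = urlparse(url)
    return {"ts": int(ts), "client": client, "method": method.upper(),
            "host": (parsed.hostname or "").lower(), "path": parsed.path,
            "status": int(status)}


def detect_dropper_sequences(log_text, window=WINDOW_SECONDS):
    """Return one finding per client whose traffic matches the sequence.

    The anchor is the POST to the relay path; the installer fetch must come
    from the same host within `window` seconds after it. The ipify lookup is
    recorded as supporting evidence rather than required, since the
    fingerprinting step could change without changing the drop."""
    by_client = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ev = parse_line(raw)
            by_client[ev["client"]].append(ev)

    findings = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for post in events:
            if post["method"] != "POST" or not post["path"].endswith(RELAY_PATH):
                continue
            lure_host = post["host"]
            drops = [e for e in events
                     if e["host"] == lure_host and e["method"] == "GET"
                     and e["path"].lower().endswith(INSTALLER_EXTENSIONS)
                     and 0 <= e["ts"] - post["ts"] <= window]
            if not drops:
                continue
            ip_lookup = any(e["host"].endswith("ipify.org")
                            and 0 <= post["ts"] - e["ts"] <= window
                            for e in events)
            findings.append({
                "client": client,
                "lure_host": lure_host,
                "installer": drops[0]["path"].rsplit("/", 1)[-1],
                "ip_lookup_seen": ip_lookup,
                "first_seen": post["ts"],
            })
            break  # one finding per client is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_dropper_sequences(SAMPLE_PROXY_LOG):
        print(finding)
```

The relay path is the one observed in this campaign. When generalising, pivot on the behaviour (a third-party IP lookup, a POST back to the lure domain, an installer fetched from that same domain within seconds) rather than the literal path, which the operators can rename at will.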
After retrieving the file IRS_Secured_Document_2025.msi, BlueVoyant researchers conducted an initial analysis and found it was signed with a legitimate certificate belonging to PDQ.com Corporation. Further inspection of the MSI package revealed two files inside: LICENSE.html and an executable named pdqagentconnect.

Figure 4 – Content from IRS_Secured_Document_2025.msi
BlueVoyant researchers confirmed that IRS_Secured_Document_2025.msi installs the PDQ Agent, a legitimate RMM component published by PDQ.com Corporation. System administrators typically deploy it to manage and monitor endpoints remotely, but attackers can abuse it just as they do other RMM tools (AnyDesk, ScreenConnect, TeamViewer). Installed without authorization, it hands an adversary remote command execution, persistence, payload delivery, data exfiltration, and lateral movement, all through a vendor-signed binary rather than bespoke malware.
Once installed, the PDQ Agent generates its configuration database, PDQConnectAgent.db, under C:\ProgramData\PDQ\PDQConnectAgent. The database is created during the agent's initialization and stores key settings including the remote server location, device ID, device key pair, and sockets URL. The agent connects to the PDQ cloud service at app[.]pdq[.]com, so an adversary's sessions use the same destination as legitimate administrative traffic and cannot be separated from it by network indicators alone. The discriminating question for defenders is whether the organization ever enrolled this particular host in PDQ, which makes an authorized-deployment inventory, not a domain blocklist, the useful control.

Figure 5 – Content from IRS_Secured_Document_2025.msi
The Broader Campaign
BlueVoyant's Threat Fusion Cell pivoted on these indicators and uncovered a broader collection of related activity, showing that the campaign extends well beyond the IRS-refund lure. The same operators have been running a multi-themed, multi-RMM campaign since at least late 2024 that continues to the present day. While the PDQ Agent remains the workhorse payload, the TFC also observed the attackers rotate in other legitimate remote management tools, including Atera Agent, ScreenConnect and SimpleHelp. In several cases the installers, once deployed, communicated with their vendors' cloud infrastructure (for example, PDQ traffic to app[.]pdq[.]com) to blend into normal administrative patterns. In at least one instance the actor used the Atera ecosystem directly, via a crafted servicedesk[.]atera[.]com "GetAgent" URL with embedded msiexec parameters, illustrating the actor's comfort with using vendor distribution flows to seed endpoints.
The lures are highly varied and localized by language and business context, spanning U.S. tax and benefits, event invitations, generic business workflows, and international finance and government impersonation. Beyond IRS and the “tax refund” lure, file name and page themes include credit-card and paperless statement viewing, invoices and past‑due notices, social programs and government communications, contract and HR workflows, financial transfers and payroll, voicemail notifications, generic “document” viewers, and event invites that drive urgency and clicks.
The operators also disguised the RMM tools as routine business software to lower suspicion, distributing installers named after Adobe Reader, Microsoft Excel and Zoom. Additional themes hinted at sectoral or regional targeting (e.g., azizibank.af‑…pdf.msi, Mivchar.msi, Rendőrségi szolgálati program.msi (Hungarian: "police service program"), Receita/SEFAZ in Brazil, DATEV and "Rechnung" (German: "invoice") in Germany), underscoring a broad, multilingual social-engineering footprint. In all, the disguised files were observed using filenames in English, Spanish, Portuguese, German, Hungarian and Hebrew.
Distribution infrastructure has been equally diverse. In addition to docspreviewgov[.]com, the adversary cycles through look-alike and theme-aligned domains such as:
- viewmycardonline[.]com
- viewpaperlesscard[.]com
- viewmysecurecard[.]com
- paperlesscardview[.]com
- partyinvitezoom[.]com
- sharedocus[.]de
- visualclick[.]top
- getuppdatesdownload[.]click
- enbama[.]com[.]tr
The attackers frequently launder delivery through trusted services and redirectors to bypass email and web filters. Observed URLs included Google redirectors, Pardot and SendGrid tracking URLs, Thinkific and ConvertKit mail links, and shortened links. BlueVoyant also found connected infrastructure abusing mainstream cloud and collaboration platforms such as Dropbox, Notion, UseWhale, Egnyte, GoFile, Linode Object Storage, Codeberg, Vercel, and Cloudflare Dev Pages.
Many of the payloads are delivered directly from themed paths (for example, fastdeliveronline[.]org/update/social_security_statement.msi). Across these delivery chains, the consistent end goal is the covert installation of an RMM agent that provides durable, low-friction remote access under the cover of legitimate, signed software.
TFC researchers correlated all indicators of compromise (IoCs) and tactics with curated intelligence and identified seven previously observed hashes, all of them related to the Atera Agent. Relatedly, the TFC reported on a similar campaign in INTSUM Issue_BV0306 on 29 March 2024, in which the Iran-nexus actor Twilight Dhow (a.k.a. TA450, Static Kitten, MuddyWater) targeted Israeli organizations with weaponized Atera Agent downloads. That report documented the actor's first tactical shift from placing malicious links in email bodies to sending PDF attachments with embedded links, the same technique used in this campaign. However, the current campaign differs from previous Twilight Dhow activity: it does not target a specific country, it uses Telegram, it employs RMM tools other than Atera Agent, and it runs on different infrastructure. As such, the TFC does not attribute the activity to a known actor and has created a temporary threat group for internal tracking.
An analysis of the campaign's tactics, techniques, and procedures confirmed that the BlueVoyant SOC already has coverage for the majority of this activity, particularly RMM tool installations initiated from browser processes. Campaign-specific details were nonetheless provided to sharpen current detection and threat-hunting efforts.
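Two of the endpoint signals described on this page translate directly into hunt logic: msiexec.exe spawned by a browser to install an MSI from the Downloads folder under a document-like name (the installation-from-browser coverage mentioned here, using the lure vocabulary from the broader-campaign section), and the PDQ artifacts from the earlier section, PDQConnectAgent.db under C:\ProgramData\PDQ\PDQConnectAgent and lookups of app[.]pdq[.]com, appearing on a host the organization never enrolled. The Python below is an added example, not BlueVoyant's detection content; the hostnames, the allowlist, the `agent.msi` installer name in the sanctioned rollout, and the EDR-agnostic event layout are all constructed for illustration.

```python
"""Endpoint-side checks for two behaviours the page describes: a
browser-spawned msiexec.exe installing a downloaded MSI whose name imitates a
document, and PDQ Connect agent artifacts on a host that was never enrolled by
the organisation. Events are constructed for this example; the dictionary
shape (hostname, kind, parent, image, command_line, path, query) is an assumed
EDR-agnostic layout, not a specific product's schema."""
import re
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Lure vocabulary taken from the campaign themes described on the page, plus a
# double extension such as "statement.pdf.msi".
LURE_WORDS = re.compile(
    r"(document|statement|invoice|refund|irs|rechnung|voicemail|payroll|secured|invite)",
    re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.msi$", re.I)
MSI_IN_CMDLINE = re.compile(r'([A-Za-z]:\\[^"]+\.msi)', re.I)

PDQ_DB_PATH = r"C:\ProgramData\PDQ\PDQConnectAgent\PDQConnectAgent.db"  # from the page
PDQ_CLOUD_HOST = "app.pdq.com"                                           # from the page

# Hosts IT actually enrolled in PDQ Connect (constructed allowlist).
AUTHORIZED_PDQ_HOSTS = {"WS-IT-001"}

SAMPLE_EVENTS = [
    # Victim: browser child msiexec runs the lure MSI, then PDQ artifacts appear.
    {"hostname": "WS-FIN-014", "kind": "process_create",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\jdoe\Downloads\IRS_Secured_Document_2025.msi"'},
    {"hostname": "WS-FIN-014", "kind": "file_create", "path": PDQ_DB_PATH},
    {"hostname": "WS-FIN-014", "kind": "dns_query", "query": PDQ_CLOUD_HOST},
    # Sanctioned rollout: same artifacts on an allowlisted host, pushed by a
    # service rather than a browser (installer name is constructed).
    {"hostname": "WS-IT-001", "kind": "process_create",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Deploy\agent.msi" /qn'},
    {"hostname": "WS-IT-001", "kind": "file_create", "path": PDQ_DB_PATH},
    {"hostname": "WS-IT-001", "kind": "dns_query", "query": PDQ_CLOUD_HOST},
    # Benign: a browser handing a downloaded document to Word.
    {"hostname": "WS-HR-007", "kind": "process_create",
     "parent": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" "C:\Users\asmith\Downloads\agenda.docx"'},
]


def basename(path):
    """Last path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def browser_spawned_installer(ev):
    """Finding when a browser's child process is msiexec.exe running an MSI."""
    if ev["kind"] != "process_create":
        return None
    if basename(ev["parent"]).lower() not in BROWSERS:
        return None
    if basename(ev["image"]).lower() != "msiexec.exe":
        return None
    match = MSI_IN_CMDLINE.search(ev["command_line"])
    if not match:
        return None
    msi_path = match.group(1)
    name = basename(msi_path)
    reasons = ["browser_parent_msiexec"]
    if "\\downloads\\" in msi_path.lower():
        reasons.append("from_downloads_folder")
    if LURE_WORDS.search(name) or DOUBLE_EXT.search(name):
        reasons.append("document_lure_name")
    return {"hostname": ev["hostname"], "msi": name, "reasons": reasons}


def unauthorized_pdq_hosts(events, authorized=AUTHORIZED_PDQ_HOSTS):
    """Map host -> PDQ artifacts seen, for hosts outside the enrolment allowlist.

    The artifacts are legitimate on their own; the signal is their presence
    on a host where nobody authorised the agent."""
    evidence = defaultdict(set)
    for ev in events:
        if ev["kind"] == "file_create" and ev["path"].lower() == PDQ_DB_PATH.lower():
            evidence[ev["hostname"]].add("agent_db_created")
        elif ev["kind"] == "dns_query" and ev["query"].lower() == PDQ_CLOUD_HOST:
            evidence[ev["hostname"]].add("pdq_cloud_lookup")
    return {host: sorted(seen) for host, seen in evidence.items() if host not in authorized}


def analyze(events, authorized=AUTHORIZED_PDQ_HOSTS):
    """Run both checks and return their findings together."""
    installers = [f for f in (browser_spawned_installer(e) for e in events) if f]
    return {"installer_findings": installers,
            "unauthorized_pdq": unauthorized_pdq_hosts(events, authorized)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

The browser-parent rule catches the double-click-from-the-download-bar path the page describes; an MSI launched from Explorer after the fact will show explorer.exe as parent, so in practice the same rule is worth running against explorer-parented msiexec with the Downloads and lure-name conditions kept as the scoring factors. The allowlist check is the piece that survives the operators switching vendors: maintain the same list for Atera, ScreenConnect and SimpleHelp.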
Conclusion
BlueVoyant researchers investigated a phishing attack in which victims were enticed with fake IRS refund emails that redirected them to a fraudulent website, docspreviewgov[.]com. The site hosted a malicious JavaScript dropper that fingerprinted visitors, exfiltrated system metadata to a Telegram bot, and then silently initiated the download of a file masquerading as an IRS “Secured Document.”
The installer, IRS_Secured_Document_2025.msi, was found to be legitimately signed by PDQ.com Corporation and deployed the PDQ Agent. This attack led to the discovery of a wider RMM tool delivery campaign that has been running since at least late 2024. While these are legitimate IT administration tools, they can be abused to provide attackers with unauthorized remote access, persistence, data exfiltration, and lateral movement, all while communicating over normal web traffic.




