
Phishing Campaign Exploits Zoom and IRS Impersonation to Deploy ScreenConnect Malware During Tax Season
The video examines a phishing campaign targeting tax season, where attackers sent fraudulent emails impersonating Zoom and the IRS in late March. The email, sent from securedocs.review@umgs.online but appearing to originate from realzoom.us, lured victims into clicking a link on docs.zoom.us that redirected to snukko.work, a spoofed IRS website.

The malicious download, labeled IRS_tax_document.js, executed JScript on Windows systems to bypass security mechanisms, including disabling SmartScreen via registry modifications (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled). The malware then downloaded and installed ScreenConnect, a legitimate remote access tool, using a hardcoded attacker IP (port 8041) for command-and-control (C2) operations. Techniques included UAC bypass (/elevate flag) and disabling security features via registry edits.

Analysis tools like DE4JS, WebCrack, and Humanify JS were used to deobfuscate the JScript, revealing a 360-line payload that also invoked PowerShell to stage additional files (download.ps1). The video notes that 72% of remote monitoring and management (RMM) abuse in 2025 involved tools like ScreenConnect, highlighting its dual-use nature for both support and malicious access.
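The infection chain described above (a JScript file run from a user's Downloads folder, the SmartScreenEnabled registry value switched off, PowerShell spawned by the script host, and a ScreenConnect client talking to a relay the organization does not operate) lends itself to endpoint detection. The following is an added example, not code from the video or from any product it mentions: a small Python detection routine run over constructed Sysmon-style events. The event shape, the rule names, the allowlist host rmm.example-corp.internal and the TEST-NET address 198.51.100.23 are all assumptions made for this example.

```python
"""Detection rules for the Zoom/IRS -> JScript -> ScreenConnect chain.

Added example. Events below are constructed, Sysmon-like dictionaries; the
rule names, the relay allowlist and the IP address are placeholders.
"""
import re
from dataclasses import dataclass

# Relay hosts used by the organization's OWN ScreenConnect deployment.
# Constructed placeholder; in practice this comes from asset inventory.
APPROVED_RELAYS = {"rmm.example-corp.internal"}

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
# Value name the page reports being modified, matched case-insensitively.
SMARTSCREEN_VALUE = r"\software\microsoft\windows\currentversion\explorer\smartscreenenabled"


@dataclass
class Finding:
    rule: str
    index: int      # position of the triggering event in the input list
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_user_dir(i, ev):
    """wscript/cscript executing a .js/.vbs-style file from a user-writable path."""
    if ev["type"] != "process_create" or _basename(ev["image"]) not in SCRIPT_HOSTS:
        return None
    cmd = ev["cmdline"].lower()
    if re.search(r"\.(js|jse|vbs|vbe|wsf)\b", cmd) and any(d in cmd for d in USER_WRITABLE):
        return Finding("script-host-from-user-dir", i, ev["cmdline"])
    return None


def rule_smartscreen_disabled(i, ev):
    """Registry write that turns SmartScreen off (value set to Off / 0)."""
    if ev["type"] != "registry_set" or not ev["target"].lower().endswith(SMARTSCREEN_VALUE):
        return None
    if str(ev["details"]).strip().lower() in ("off", "0", "dword (0x00000000)"):
        return Finding("smartscreen-disabled", i, f'{ev["image"]} set {ev["target"]} = {ev["details"]}')
    return None


def rule_script_host_spawns_powershell(i, ev):
    """PowerShell started by a script host, as with the download.ps1 stager."""
    if ev["type"] != "process_create" or _basename(ev.get("parent", "")) not in SCRIPT_HOSTS:
        return None
    if _basename(ev["image"]) in ("powershell.exe", "pwsh.exe"):
        return Finding("script-host-spawns-powershell", i, ev["cmdline"])
    return None


def rule_unapproved_rmm_relay(i, ev):
    """ScreenConnect client connecting anywhere but the org's own relay hosts."""
    if ev["type"] != "network_connect" or "screenconnect" not in ev["image"].lower():
        return None
    if ev.get("dest_host", ev["dest_ip"]) not in APPROVED_RELAYS:
        return Finding("screenconnect-unapproved-relay", i, f'{ev["dest_ip"]}:{ev["dest_port"]}')
    return None


RULES = (rule_script_host_user_dir, rule_smartscreen_disabled,
         rule_script_host_spawns_powershell, rule_unapproved_rmm_relay)


def detect(events):
    """Run every rule over every event; return all findings in event order."""
    return [f for i, ev in enumerate(events) for r in RULES if (f := r(i, ev))]


def fired_rules(events):
    return sorted({f.rule for f in detect(events)})


# Constructed sample telemetry: benign activity interleaved with the chain.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n', "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\IRS_tax_document.js"',
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "registry_set", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled", "details": "Off"},
    {"type": "registry_set", "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\download.ps1",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"type": "network_connect", "image": r"C:\Program Files (x86)\ScreenConnect Client (x)\ScreenConnect.ClientService.exe",
     "dest_ip": "198.51.100.23", "dest_port": 8041},            # placeholder, no dest_host resolved
    {"type": "network_connect", "image": r"C:\Program Files (x86)\ScreenConnect Client (y)\ScreenConnect.ClientService.exe",
     "dest_ip": "10.0.0.5", "dest_port": 8041, "dest_host": "rmm.example-corp.internal"},  # IT's own relay
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.index}: {f.detail}")
```

Because ScreenConnect is a legitimate support tool, the last rule does not flag the client itself but a client reaching a relay outside the organization's allowlist; the first three rules catch the script-host and SmartScreen behaviour that precedes the RMM install, so a single host producing several of these findings in sequence is a much stronger signal than any one of them alone.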