Accounting
Breach intelligence, attack campaigns, and threat reports targeting the Accounting sector.
Accounting Threat Reports
Silent Ransom Group's Bold Tactics: A Wake-Up Call for Law Firms
Between January and May 2026, the Silent Ransom Group (SRG), also known as UNC3753, targeted numerous U.S. law firms through a sophisticated data theft extortion campaign. The attackers employed a combination of voice phishing (vishing), social engineering, and physical office intrusions. Initially, they contacted employees via phone calls or phishing emails, posing as IT support to gain remote access. If these attempts failed, SRG operatives visited offices in person, impersonating IT staff to physically access systems and exfiltrate sensitive data using USB drives or external hard drives. The stolen data included contracts, personal information, and financial records, which were then used to extort victims under the threat of public disclosure. ([darkreading.com](https://www.darkreading.com/cyberattacks-data-breaches/silent-ransom-us-law-firms-extortion-attacks?utm_source=openai)) This incident underscores a concerning evolution in cybercriminal tactics, blending traditional social engineering with physical infiltration. The legal sector, handling highly sensitive client information, remains a prime target. Organizations must enhance their security protocols, including employee training on social engineering, stringent verification processes for IT support requests, and robust physical security measures to prevent unauthorized access.
2 weeks ago
Unauthorized Access to Anthropic's Mythos AI Model Highlights Security Challenges
In April 2026, unauthorized individuals gained access to Anthropic's advanced AI model, Claude Mythos, which is designed to detect software vulnerabilities across major operating systems and web browsers. This breach occurred through exploitation of a third-party evaluator and data from a previous security incident involving AI recruitment startup Mercor. The unauthorized access raised significant concerns about the potential misuse of Mythos's capabilities, as the model had previously identified numerous vulnerabilities, including 271 in Mozilla's Firefox browser alone. ([techradar.com](https://www.techradar.com/pro/security/mythos-accessed-by-unauthorized-users-as-anthropic-says-were-investigating-cracks-may-be-showing-in-project-glasswing-as-unknown-users-access-model-via-third-parties?utm_source=openai)) The incident underscores the dual-edged nature of AI in cybersecurity. While AI models like Mythos can significantly enhance vulnerability detection and remediation, they also present new attack vectors if not properly secured. This breach highlights the urgent need for robust security measures and oversight in the deployment of powerful AI systems to prevent their exploitation by malicious actors.
1 month ago
Silver Fox's Tax-Themed Phishing Campaign Unveils New ABCDoor Malware
In December 2025, the China-backed threat group Silver Fox initiated a phishing campaign targeting organizations in India and Russia. The attackers sent emails impersonating tax authorities, prompting recipients to download archives purportedly containing lists of tax violations. These archives contained a modified Rust-based loader that deployed the known ValleyRAT backdoor and a previously undocumented Python-based backdoor named ABCDoor. Between early January and early February 2026, over 1,600 such malicious emails were recorded, affecting sectors including industrial, consulting, retail, and transportation. ([darkreading.com](https://www.darkreading.com/endpoint-security/silver-fox-tax-themed-attacks-india-russia?utm_source=openai)) This incident underscores the evolving tactics of APT groups, particularly their use of sophisticated social engineering techniques and novel malware to infiltrate organizations. The discovery of ABCDoor highlights the continuous development of custom tools by threat actors to evade detection and maintain persistence. ([darkreading.com](https://www.darkreading.com/endpoint-security/silver-fox-tax-themed-attacks-india-russia?utm_source=openai))
1 month ago
Silver Fox's Tax-Themed Phishing Campaign Unveils New ABCDoor Malware
In December 2025, the China-based cybercrime group Silver Fox initiated a sophisticated phishing campaign targeting organizations in India and Russia. The attackers sent emails impersonating official tax authorities, prompting recipients to download archives purportedly containing lists of tax violations. These archives contained a modified Rust-based loader that deployed the ValleyRAT backdoor, which subsequently installed a new Python-based backdoor named ABCDoor. This malware granted attackers remote access to infected systems, enabling data exfiltration and real-time control over compromised devices. ([thehackernews.com](https://thehackernews.com/2026/05/silver-fox-deploys-abcdoor-malware-via.html?utm_source=openai)) This incident underscores the evolving tactics of cybercriminal groups, particularly their use of tax-themed phishing lures and advanced malware to infiltrate organizations. The deployment of ABCDoor highlights the continuous development of sophisticated tools aimed at evading detection and maintaining persistent access to targeted systems. ([thehackernews.com](https://thehackernews.com/2026/05/silver-fox-deploys-abcdoor-malware-via.html?utm_source=openai))
1 month ago
Silver Fox Exploits Japan's Tax Season in 2025 Phishing Campaign
In early 2025, the Chinese state-aligned threat actor known as Silver Fox launched a sophisticated phishing campaign targeting Japanese organizations during the tax season. By impersonating official entities such as the National Taxation Bureau, Silver Fox distributed emails containing malicious attachments and links, leading recipients to download trojanized versions of legitimate software. Once installed, these malicious programs deployed remote access trojans (RATs) like ValleyRAT and Winos 4.0, enabling unauthorized access, data exfiltration, and potential financial fraud. The campaign's timing exploited the heightened activity and urgency associated with tax season, increasing the likelihood of successful infiltration. ([trustwave.com](https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/inside-silver-foxs-den-trustwave-spiderlabs-unmasks-a-global-threat-actor/?utm_source=openai)) This incident underscores a growing trend where state-sponsored threat actors blend espionage with financially motivated cybercrime. Silver Fox's operations highlight the evolving landscape of cyber threats, where attackers leverage seasonal events and trusted software to enhance the effectiveness of their campaigns. Organizations must remain vigilant, especially during periods of increased administrative activity, to mitigate the risks posed by such multifaceted threats. ([darkreading.com](https://www.darkreading.com/threat-intelligence/silver-fox-apt-espionage-cybercrime?utm_source=openai))
2 months ago
Malvertising Campaign Exploits ScreenConnect and Huawei Driver to Bypass EDR Systems
In March 2026, a large-scale malvertising campaign targeted U.S. individuals searching for tax-related documents. Attackers used Google Ads to distribute rogue installers for ConnectWise ScreenConnect, which deployed a tool named HwAudKiller. This tool exploited a vulnerable Huawei driver to disable endpoint detection and response (EDR) systems, allowing the installation of additional malware without detection. The campaign highlights the increasing sophistication of cyber threats leveraging legitimate tools and vulnerabilities to bypass security measures. Organizations must remain vigilant against such tactics, especially during periods when users are likely to seek specific information, such as tax season.
3 months ago
Microsoft IRS Phishing Campaign 2026: A Deep Dive
In March 2026, Microsoft identified a sophisticated phishing campaign exploiting the U.S. tax season to target over 29,000 users across 10,000 organizations. Attackers impersonated the Internal Revenue Service (IRS), sending emails that prompted recipients to download a fake 'IRS Transcript Viewer.' This malicious software facilitated the deployment of Remote Monitoring and Management (RMM) tools like ScreenConnect, granting attackers persistent access to compromised systems. The campaign predominantly affected sectors such as financial services, technology, and retail, with 95% of targets located in the U.S. This incident underscores a growing trend where cybercriminals leverage trusted brands and urgent themes to deceive users. The use of legitimate RMM tools for malicious purposes highlights the evolving tactics of threat actors, emphasizing the need for heightened vigilance and robust security measures during periods of increased cyber threat activity.
3 months ago
UK's Companies House Security Flaw Exposes Business Data - 2026
In March 2026, the UK's Companies House disclosed a significant security vulnerability in its WebFiling service, which had been present since October 2025. This flaw allowed authenticated users to access and potentially modify sensitive information of any registered company by exploiting a back-navigation loophole. The exposed data included directors' residential addresses, email addresses, and dates of birth. The agency has since rectified the issue, notified affected parties, and reported the incident to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). This incident underscores the critical importance of rigorous security testing and prompt response to vulnerabilities in public sector digital services. The exposure of personal data over an extended period raises concerns about potential misuse and the necessity for enhanced monitoring and compliance measures to protect sensitive information.
3 months ago
Phobos Ransomware Leader Evgenii Ptitsyn Pleads Guilty in 2026
In March 2026, Russian national Evgenii Ptitsyn pleaded guilty to leading the Phobos ransomware group, which extorted over $39 million from more than 1,000 victims worldwide. Operating from November 2020 until his arrest in May 2024, Ptitsyn managed the distribution of Phobos ransomware to affiliates who infiltrated networks—often using stolen credentials—to encrypt data and demand ransoms. Victims included healthcare providers, educational institutions, and critical infrastructure entities. Ptitsyn faces up to 20 years in prison for wire fraud conspiracy and has agreed to forfeit $1.77 million in assets and pay at least $39.3 million in restitution. ([cyberscoop.com](https://cyberscoop.com/phobos-ransomware-leader-guilty/?utm_source=openai)) This case underscores the persistent threat posed by ransomware-as-a-service (RaaS) models, where developers supply malware to affiliates who execute attacks. Despite law enforcement successes, such as the dismantling of major ransomware groups in 2024, the adaptability of cybercriminals necessitates ongoing vigilance and robust cybersecurity measures across all sectors.
3 months ago
Nigerian Hacker Sentenced for Tax Firm Breach Using Warzone RAT
Between June 2016 and June 2021, Nigerian national Matthew Abiodun Akande orchestrated a sophisticated cyber intrusion targeting multiple tax preparation firms in Massachusetts. Utilizing phishing emails that impersonated a CEO, Akande deployed the Warzone remote-access trojan (RAT) to infiltrate the firms' networks. This allowed him to steal clients' personal information, leading to the filing of over 1,000 fraudulent tax returns and the illicit collection of more than $1.3 million in refunds. Akande was arrested in October 2024 at London's Heathrow Airport, extradited to the United States in March 2025, and sentenced to eight years in prison in February 2026. ([justice.gov](https://www.justice.gov/usao-ma/pr/nigerian-man-sentenced-eight-years-prison-computer-intrusion-and-theft?utm_source=openai)) This incident underscores the persistent threat posed by sophisticated phishing campaigns and the use of advanced malware like RATs in financial fraud schemes. It highlights the critical need for organizations, especially those handling sensitive client data, to implement robust cybersecurity measures and employee training to prevent such breaches.
4 months ago
Unveiling the 2026 Tax Preparation Firm Phishing Scheme by Matthew Akande
Between June 2016 and June 2021, Matthew A. Akande, a Nigerian national residing in Mexico, orchestrated a cyber intrusion targeting Massachusetts tax preparation firms. Utilizing phishing emails embedded with Warzone RAT malware, Akande and his co-conspirators gained unauthorized access to sensitive client data, including personally identifiable information (PII) and prior tax records. This stolen information was then used to file over 1,000 fraudulent tax returns, seeking more than $8.1 million in refunds. The illicit proceeds, totaling over $1.3 million, were funneled through U.S. bank accounts and partially transferred to associates in Mexico. ([justice.gov](https://www.justice.gov/usao-ma/pr/nigerian-man-sentenced-eight-years-prison-computer-intrusion-and-theft?utm_source=openai)) This case underscores the persistent threat posed by sophisticated phishing attacks and the exploitation of remote access tools in financial fraud schemes. The incident highlights the critical need for robust cybersecurity measures within tax preparation firms to safeguard client data against such intrusions.
4 months ago
Dropbox Phishing Attack 2026: Credential Theft via Fake PDF Lures
In early 2026, a sophisticated phishing campaign targeted corporate users by distributing emails with PDF attachments labeled as 'request orders.' These PDFs contained links leading to a fake Dropbox login page designed to harvest user credentials. The attack employed a multi-stage obfuscation strategy, utilizing legitimate cloud services to host intermediary documents, thereby evading traditional email security filters. Upon entering their credentials, victims' information, including email and password, was exfiltrated to attacker-controlled infrastructure, enabling potential account takeovers and further malicious activities. This incident underscores the evolving tactics of cybercriminals who exploit trusted platforms and file formats to deceive users. The use of legitimate services for hosting malicious content highlights the need for enhanced vigilance and advanced security measures to detect and prevent such sophisticated phishing attacks.
4 months ago