From October and through November German companies from manufacturing, healthcare, business and IT services sectors have been targeted by a new malicious spam campaign impersonating Federal Central Tax Office (Bundeszentralamt für Steuern). These emails seem to be a notification about a tax refund and contain malicious Word document attachment pretending to include information on how to request a refund. If a recipient opens this attachment and enables its macros backdoors, Maze ransomware, and banking Trojans are delivered. Further campaigns in October and November impersonated also the internet service provider 1&1 Internet AG.
Apart from Germany, the new threat actor has been targeting Italy (impersonating the Italian Revenue Agency) and the US (as United States Postal Service).