U.S. taxpayers are being offered fake refunds in the latest wave of phishing emails. Phishing emails deliver an payload that adds the target machine to the multifunctional Amadey botnet. The attack starts with a malicious email purports to be from the Internal Revenue Service (IRS) The recipient is asked to download a document, print and sign, then either mail it back or upload a copy to the portal. Researchers have seen the bot perform many malicious tasks, such as downloading and executing additional malicious tasks.
Source: https://threatpost.com/irs-emails-botnet-recruitment/148473/