Phishing emails are primarily targeting taxpayers in the U.S., enticing them to click on a malicious document purportedly sent by the Internal Revenue Service to get a federal income tax refund. By clicking on the attached document, the recipient opens the door to the installation of malicious code on their device designed to help the Amadey botnet grow. The botnet is being used by threat groups, such as TA505 – believed to be based in Russia – to deliver Trojans and other types of malware that can be used to steal credentials, data and bank information.”]
Source: https://www.cuinfosecurity.com/phony-irs-emails-promise-refund-but-deliver-botnet-instead-a-13126