Colombian users got an email accusing them of tax fraud and evasion. The criminals claim this is the 3rd notification and direct the user to click on the link to get official notifications. When the victims click, it downloads a new malicious binary from a hacked server located in Ecuador. The malware is obfuscated and leverages different techniques to make the analysis more difficult. It even checks the IP of the victim in order to ensure that victims are from the region of interest for the attacker.”]
Source: https://securelist.com/when-paying-taxes-dont-pay-twice/63779/