PULSE NAME
Security brief: tax scams aim to steal funds from taxpayers
WHITE AlienVault 2026-03-30 Modified: 2026-03-30
19 IOCs, MEDIUM VOLUME
Threat actors are exploiting tax season with numerous campaigns leveraging tax themes to deliver malware, remote monitoring tools, fraud attempts, and credential phishing. Over a hundred campaigns have been observed in 2026, with a notable increase in remote monitoring and management (RMM) payloads. Tactics include impersonating tax agencies, claiming expired documents, and requesting tax filing support. While primarily targeting the United States, campaigns have also been observed in Canada, Australia, Switzerland, and Japan. Notable actors include TA4922, a newly designated threat group delivering malware from the Winos4.0 ecosystem, and TA2730, focusing on credential phishing for financial institutions. Business email compromise actors are also using tax form lures to steal financial and personal data. These campaigns demonstrate the ongoing exploitation of timely and topical themes by cybercriminals to deceive users.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Winos4.0 ValleyRAT
Indicators of Compromise (19)