On March 17th, multiple eFile.com users suspected that the website was “hijacked,” which was confirmed by researchers who spotted an additional file called ‘update.js’ associated with the attack. The ‘update.js’ file attempted to prompt users to download a next-stage payload, depending on whether they were using Chrome or Firefox; antivirus products have already flagged these payloads as trojans. The payload is a backdoor that allows the threat actor to remotely access an infected device. While this is only a basic backdoor, it has enough functionality to give full access to a device, allowing the threat actor initial access to a corporate network for further attacks. It is still unclear whether the attack successfully infected any eFile.com visitors and customers.