Winos 4.0 hackers expand to Japan and Malaysia with new malware

Winos 4.0 hackers expand from China, Taiwan to Japan, Malaysia using fake Finance Ministry PDFs to spread HoldingHands RAT malware.

Threat actors behind Winos 4.0 (ValleyRAT) have expanded their attacks from China and Taiwan to Japan and Malaysia, using PDFs disguised as documents from the Finance Ministry to deliver malware.

Attackers employed another remote access trojan (RAT) tracked as HoldingHands RAT (aka Gh0stBins).

The campaign relied on phishing messages with PDFs that contained embedded malicious links.

“The campaign relied on phishing emails with PDFs that contained embedded malicious links,” reads the report published by Fortinet. “These files masqueraded as official documents from the Ministry of Finance and included numerous links in addition to the one that delivered Winos 4.0.”

Most malicious links pointed to Tencent Cloud, whose unique account IDs allowed analysts to trace multiple phishing files to the same threat operators. The attackers evolved from using cloud storage links to custom domains containing “tw”, suggesting Taiwan-focused targets. One such PDF masquerading as a Taiwanese tax regulation draft redirected users to a Japanese-language site that delivered a HoldingHands payload, linking both campaigns via a shared C2 IP (156.251.17[.]9) and debug path “BackDoor.pdb.”

Attackers digitally signed EXE files to bypass detection. Additional Word and HTML phishing lures reused identical malicious scripts to host payloads on dynamic pages, hiding download links in JSON data to complicate detection. Further analysis of Tencent Cloud APPIDs exposed a broader phishing infrastructure targeting China, dating back to March 2024, also distributing Winos 4.0 through Excel attachments.

Fortinet researchers linked the recent Malaysia attacks to the earlier Taiwan campaigns by discovering the use of twczb[.]com, which resolved to the same IP. The campaign uses simple phishing pages to deliver HoldingHands via a multi-stage flow; unlike earlier variants that dropped EXE files and left artifacts, the later stages trigger through the Windows Task Scheduler, complicating behavior-based detection. The attack chain begins with a malicious dokan2.dll (a Dokany-named shellcode loader) and sw.dat, which performs anti-VM checks, privilege escalation, and drops components (svchost.ini, TimeBrokerClient.dll, msvchost.dat, system.dat) into C:\Windows\System32. The installer enumerates running processes looking for Norton, Avast, and Kaspersky and decides whether to drop its components or abort based on what it finds. The actor kills Task Scheduler so that its restart loads svchost, which then loads TimeBrokerClient.dll.

The DLL first checks the process name with a simple ASCII-sum test, then reads svchost.ini to find the address of VirtualAlloc. The library decrypts msvchost.dat into shellcode and runs that code in memory. The shellcode then decrypts system.dat to get the HoldingHands payload and confirms it’s running in the svchost instance that hosts the Task Scheduler. Next, it lists active user sessions and copies a logged-on user’s token. Using that token, it starts taskhostw.exe and injects the payload into it. Finally, it watches the process and reinjects the payload if the process stops.

The HoldingHands payload itself appears largely unchanged, but the attackers added a C2 task that updates the server IP by writing it to the registry. The config key remains HKEY_CURRENT_USER\SOFTWARE\HHClient, and the value AdrrStrChar holds the IP. The new IP-update command is 0x15, and the kill/terminate command was changed to 0x17 (previously 0x15).
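The infection chain and the registry-based C2 update described above leave host and network artifacts a defender can hunt for. The following Python module is an added example, not code from the Fortinet report or from the malware: it turns the indicators named in this article (the System32 drop names, the dokan2.dll/sw.dat loader pair, the HHClient registry key and AdrrStrChar value, the BackDoor.pdb debug path, the 156.251.17.9 C2 address and the twczb.com domain) into small matching functions. The file list, registry export, byte blob and log lines it runs on are constructed for the demonstration, and the `.reg` export format and PE CodeView string layout are assumed rather than taken from the report.

```python
"""Hunting helpers for the HoldingHands / Winos 4.0 artifacts described above.

This is an added example, not code from the Fortinet report or from the
malware. Every indicator is taken from the article; the registry export,
file list, byte blob and log lines are constructed for the demonstration.
"""
import re
from pathlib import PureWindowsPath

# --- indicators from the article (defanging brackets removed) -------------
C2_IP = "156.251.17.9"
C2_DOMAIN = "twczb.com"
DEBUG_PATH = b"BackDoor.pdb"
REG_KEY = r"HKEY_CURRENT_USER\SOFTWARE\HHClient"
REG_VALUE = "AdrrStrChar"
SYSTEM32_DROPS = {"svchost.ini", "timebrokerclient.dll", "msvchost.dat", "system.dat"}
LOADER_FILES = {"dokan2.dll", "sw.dat"}

# Boundaries keep 156.251.17.90 or twczb.com.example from matching.
_IP_RE = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")
_DOMAIN_RE = re.compile(r"(?<![\w-])" + re.escape(C2_DOMAIN) + r"(?![\w-])")


def find_dropped_artifacts(paths):
    """Return the paths whose file name matches a dropped component.

    The System32 components only count when they sit in C:\\Windows\\System32
    (an svchost.ini elsewhere is probably unrelated); the loader pair is
    flagged wherever it turns up, since it arrives with the phishing payload.
    """
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        in_system32 = str(wp.parent).lower() == r"c:\windows\system32"
        if (name in SYSTEM32_DROPS and in_system32) or name in LOADER_FILES:
            hits.append(p)
    return hits


def extract_c2_from_reg_export(reg_text):
    """Parse a .reg export and return the IP stored in HHClient\\AdrrStrChar.

    Returns None when the key or value is absent. Registry paths are
    compared case-insensitively, as Windows does.
    """
    current_key = None
    value_re = re.compile(r'^"' + re.escape(REG_VALUE) + r'"="([^"]*)"\s*$')
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key and current_key.lower() == REG_KEY.lower():
            m = value_re.match(line)
            if m:
                return m.group(1)
    return None


def has_debug_path(file_bytes):
    """True if the PDB path the report ties to both campaigns is embedded.

    A plain byte search is enough here: the CodeView record in a PE stores
    the path as a NUL-terminated ASCII string, so the name is visible raw.
    """
    return DEBUG_PATH in file_bytes


def match_network_iocs(log_lines):
    """Return (line_number, indicator) pairs for every C2 hit in the logs.

    Defanged forms such as 156.251.17[.]9 are normalised before matching so
    pasted IoC lists and raw proxy/DNS logs are handled the same way.
    """
    hits = []
    for lineno, raw in enumerate(log_lines, 1):
        line = raw.replace("[.]", ".")
        if _IP_RE.search(line):
            hits.append((lineno, C2_IP))
        if _DOMAIN_RE.search(line):
            hits.append((lineno, C2_DOMAIN))
    return hits


# --- constructed sample inputs --------------------------------------------
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.ini",
    r"C:\Windows\System32\TimeBrokerClient.dll",
    r"C:\Users\alice\Downloads\svchost.ini",       # same name, wrong place
    r"C:\Users\alice\AppData\Local\Temp\dokan2.dll",
    r"C:\Windows\System32\drivers\etc\hosts",
]

SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\HHClient]
"AdrrStrChar"="156.251.17.9"
"""

SAMPLE_LOG = [
    "T+00:00 proxy CONNECT 156.251.17.9:443 user=alice",
    "T+00:02 dns query example.com A 93.184.216.34",
    "T+03:40 dns query twczb.com A 156.251.17[.]9",
    "T+04:00 proxy CONNECT 156.251.17.90:443 user=bob",   # near miss, must not match
]

if __name__ == "__main__":
    print("dropped files:", find_dropped_artifacts(SAMPLE_PATHS))
    print("registry C2:", extract_c2_from_reg_export(SAMPLE_REG))
    print("network hits:", match_network_iocs(SAMPLE_LOG))
```

The registry check is the most durable of the four: because the new 0x15 command rewrites AdrrStrChar to move the C2, the value you read from an infected host may differ from the IP in this report, so treat the key's presence as the indicator and the value as a lead for further pivoting.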

“Threat actors continue to rely on phishing lures and layered evasion to deliver malware while obscuring their activity. Yet those same tactics provide valuable clues that link campaigns across borders,” concludes the report. “By following infrastructure, code reuse, and behavioral patterns, FortiGuard Labs has connected attacks spanning China, Taiwan, Japan, and now Malaysia and identified the latest HoldingHands variant in the process.”


Pierluigi Paganini

(SecurityAffairs – hacking, Winos 4.0)
