Threat actors behind the Winos 4.0 malware family (also tracked as ValleyRAT) have expanded their operations beyond China and Taiwan to target victims in Japan and Malaysia, cybersecurity firm Fortinet has warned.
The campaign now deploys a second remote access trojan (RAT), tracked as HoldingHands RAT (aka Gh0stBins), alongside Winos 4.0. Fortinet researchers said the attacks begin with phishing e-mails carrying malicious PDF attachments that contain embedded malicious links. In several cases the PDFs impersonated official tax or finance documents and linked to download pages that delivered malicious ZIPs and executables.
Winos 4.0 has long been distributed via phishing and search engine optimization (SEO) poisoning. The malware family is associated with the Chinese cybercrime group Silver Fox (also tracked as SwimSnake and Valley Thief). Its recent activities include a Bring-Your-Own-Vulnerable-Driver (BYOVD) operation that used a vulnerable driver linked to WatchDog Anti-malware.
The threat actors have been observed using PDF lures posing as Taiwanese tax drafts that pointed to a Japanese-language download page delivering HoldingHands, while other campaigns in Malaysia used fake landing pages and an executable claiming to be an excise audit to initiate the infection. In some China-focused incidents dating back to March 2024, taxation-themed Excel documents were used to spread Winos.
An initial executable sideloads a malicious DLL that acts as a shellcode loader, and a payload named "sw.dat" performs anti-VM checks, enumerates running processes to detect and terminate security products (including Avast, Norton and Kaspersky), escalates privileges and disrupts the Windows Task Scheduler. Fortinet noted the attackers place files in C:\Windows\System32 and abuse Task Scheduler recovery behavior to trigger a malicious TimeBrokerClient.dll without a direct process launch.
For privilege escalation the malware impersonates high-privilege Windows accounts: it enables SeDebugPrivilege in its own token, which lets it open the Winlogon process and duplicate that process's security token. Running under the duplicated token as SYSTEM, it then obtains a TrustedInstaller context so it can rename and replace the protected system DLLs its Task Scheduler-based execution depends on.
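The two paragraphs above describe where the loader lands (a TimeBrokerClient.dll and other files in C:\Windows\System32) and how it gets the rights to put them there (TrustedInstaller context, then a swap of protected DLLs). A responder checking a host for this chain would want to confirm that the named DLL is still the Microsoft-signed binary, look for the leftover copies a rename-and-replace leaves behind, and read the Task Scheduler service's recovery settings. The triage script below is an added example written for this page; it is not Fortinet's tooling or code from the malware. It assumes the legitimate TimeBrokerClient.dll is Microsoft-signed (normally via a catalog), that the Task Scheduler service's short name is Schedule, and that sw.dat might be dropped in System32, %TEMP% or %ProgramData%; the seven-day window in step 3 is an arbitrary choice. Run it from an elevated PowerShell prompt.

```powershell
# Added example (editor's, not Fortinet's or the malware's code): host triage for the
# TimeBrokerClient.dll swap described above. Assumptions: a genuine copy of the DLL is
# Microsoft-signed, the Task Scheduler service is named "Schedule", and "sw.dat" may be
# dropped in System32, %TEMP% or %ProgramData%. Run elevated.

$sys32  = Join-Path $env:SystemRoot 'System32'
$target = Join-Path $sys32 'TimeBrokerClient.dll'

function Test-MicrosoftSigned {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Catalog-signed OS binaries report Valid with a Microsoft signer; anything else is suspect.
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like 'CN=Microsoft*')
}

# 1. Is the DLL the report names still the Microsoft binary?
if (Test-Path $target) {
    $signed = Test-MicrosoftSigned $target
    $hash   = (Get-FileHash -Algorithm SHA256 -Path $target).Hash
    '{0}  signed-by-Microsoft={1}  sha256={2}' -f $target, $signed, $hash
} else {
    "MISSING: $target"
}

# 2. A rename-and-replace leaves the original under another name (e.g. .bak or .old);
#    any sibling that starts with the same stem deserves a look.
Get-ChildItem -Path $sys32 -Filter 'TimeBrokerClient*' -File |
    Where-Object { $_.Name -ne 'TimeBrokerClient.dll' } |
    ForEach-Object { "EXTRA COPY: $($_.FullName)  modified=$($_.LastWriteTime)" }

# 3. Broader indicator (assumed): recently written DLLs in System32 that Microsoft did not sign.
Get-ChildItem -Path $sys32 -Filter '*.dll' -File |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Where-Object { -not (Test-MicrosoftSigned $_.FullName) } |
    ForEach-Object { "RECENT UNSIGNED: $($_.FullName)  modified=$($_.LastWriteTime)" }

# 4. The report says the loader relies on Task Scheduler recovery behaviour, so read the
#    service's failure actions; an unexpected restart action or reset period is worth noting.
sc.exe qfailure Schedule

# 5. The payload file name from the report, under the assumed drop locations.
Get-ChildItem -Path $sys32, $env:TEMP, $env:ProgramData -Filter 'sw.dat' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { "PAYLOAD NAME MATCH: $($_.FullName)  modified=$($_.LastWriteTime)" }
```

Step 1 is the one that matters most: a TrustedInstaller-level replacement keeps the expected file name, so the presence of TimeBrokerClient.dll proves nothing on its own, while a non-Microsoft or missing signature on a System32 DLL does. The hash is printed so it can be compared against a known-good build of the same Windows version rather than judged in isolation.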
Once deployed, HoldingHands establishes communications with a remote server, reports host information, and accepts attacker commands to capture data, execute commands and fetch further payloads. Fortinet also observed a new feature that allows operators to update the malware’s command-and-control address via a Windows Registry entry.
Both Winos 4.0 and HoldingHands are based on the Gh0st RAT malware. Gh0st RAT’s source code leaked in 2008 and has since been widely repurposed by multiple Chinese-linked groups. Fortinet said Chinese speakers appear to be a primary focus of the latest campaign and that the most likely motivation appears to be regional intelligence collection, with the malware lying dormant as it awaits further commands.