Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations

The Hacker News
February 27, 2025


Feb 27, 2025Ravie LakshmananMalware / Threat Intelligence

A new campaign is targeting companies in Taiwan with malware known as Winos 4.0 as part of phishing emails masquerading as the country’s National Taxation Bureau.

The campaign, detected last month by Fortinet FortiGuard Labs, marks a departure from previous attack chains that have leveraged malicious game-related applications.

“The sender claimed that the malicious file attached was a list of enterprises scheduled for tax inspection and asked the receiver to forward the information to their company’s treasurer,” security researcher Pei Han Liao said in a report shared with The Hacker News.

The attachment mimics an official document from the Ministry of Finance, urging the recipient to download the list of enterprises scheduled for tax inspection.

But in reality, the list is a ZIP file containing a malicious DLL (“lastbld2Base.dll”) that lays the groundwork for the next attack stage, leading to the execution of shellcode that’s responsible for downloading a Winos 4.0 module from a remote server (“206.238.221[.]60”) for gathering sensitive data.
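Added here as a worked example (it is not code from Fortinet, Forescout or The Hacker News): a small Python sweep that refangs the two indicators named above, the download server 206.238.221[.]60 and the dropper DLL lastbld2Base.dll, and matches them against a handful of constructed proxy and process-creation log lines. The log field layout is an assumption for illustration, not a real product format.

```python
"""Sweep logs for the Winos 4.0 indicators published in the Fortinet report:
the module download server 206.238.221[.]60 and the lure DLL lastbld2Base.dll.

Added example, not code from Fortinet or The Hacker News. The log lines
below are constructed for illustration and their field layout is assumed.
"""
import re
from dataclasses import dataclass

# Indicators exactly as published (defanged with "[.]").
DEFANGED_IOCS = {
    "206.238.221[.]60": "Winos 4.0 module download server",
    "lastbld2Base.dll": "malicious DLL from the tax-inspection ZIP lure",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its live form for matching.

    Handles the common "[.]", "(.)", "[:]" and "hxxp" conventions.
    """
    s = indicator.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    description: str
    line: str


def build_matcher(iocs: dict[str, str]) -> re.Pattern:
    """Compile one alternation of all refanged indicators.

    The lookarounds stop 206.238.221.60 from matching inside 1206.238.221.60
    or 206.238.221.605, re.escape keeps the dots literal, and IGNORECASE
    covers Windows paths and DLL names, which are case-insensitive.
    """
    alts = "|".join(re.escape(refang(i)) for i in iocs)
    return re.compile(rf"(?<![\w.])(?:{alts})(?![\w.])", re.IGNORECASE)


def sweep(log_lines: list[str], iocs: dict[str, str] = DEFANGED_IOCS) -> list[Hit]:
    """Return one Hit per indicator occurrence, in log order."""
    pattern = build_matcher(iocs)
    descriptions = {refang(k).lower(): v for k, v in iocs.items()}
    hits: list[Hit] = []
    for n, line in enumerate(log_lines, 1):
        for m in pattern.finditer(line):
            hits.append(Hit(n, m.group(0), descriptions[m.group(0).lower()], line))
    return hits


# Constructed sample logs (assumed field layout): one proxy record of the
# shellcode stage fetching the Winos module, one process-creation record of
# rundll32 loading the lure DLL, and two benign lines that must not match.
SAMPLE_LOGS = [
    "2025-01-14T03:12:44Z proxy src=10.20.5.17 dst=206.238.221.60:443 method=GET uri=/update bytes=418304",
    '2025-01-14T03:12:41Z sysmon EventID=1 Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe C:\\Users\\ann\\Downloads\\lastbld2Base.dll,Start"',
    "2025-01-14T03:13:02Z proxy src=10.20.5.17 dst=206.238.221.6:443 method=GET uri=/ bytes=120",
    "2025-01-14T03:13:09Z proxy src=10.20.5.18 dst=23.45.67.89:443 method=GET uri=/ bytes=2048",
]

if __name__ == "__main__":
    for h in sweep(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.indicator} ({h.description})")
```

Refanging is done once at match time rather than by hand-editing the indicator list, so the published, defanged strings can be pasted in unchanged and the list stays auditable against the source report.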

The component, described as a login module, is capable of taking screenshots, logging keystrokes, altering clipboard content, monitoring connected USB devices, running shellcode, and permitting the execution of sensitive actions (e.g., cmd.exe) when security prompts from Kingsoft Security and Huorong are displayed.

Fortinet said it also observed a second attack chain that downloads an online module that can capture screenshots of WeChat and online banks.

It’s worth noting that the intrusion set distributing the Winos 4.0 malware has been assigned the monikers Void Arachne and Silver Fox, with the malware also overlapping with another remote access trojan tracked as ValleyRAT.

“They are both derived from the same source: Gh0st RAT, which was developed in China and open-sourced in 2008,” Daniel dos Santos, Head of Security Research at Forescout’s Vedere Labs, told The Hacker News.

“Winos and ValleyRAT are variations of Gh0st RAT attributed to Silver Fox by different researchers at different points in time. Winos was a name commonly used in 2023 and 2024 while now ValleyRAT is more commonly used. The tool is constantly evolving, and it has both local Trojan/RAT capabilities as well as a command-and-control server.”

ValleyRAT, first identified in early 2023, has been recently observed using fake Chrome sites as a conduit to infect Chinese-speaking users. Similar drive-by download schemes have also been employed to deliver Gh0st RAT.

Furthermore, Winos 4.0 attack chains have incorporated what’s called a CleverSoar installer that’s executed by means of an MSI installer package distributed as fake software or gaming-related applications. Also dropped alongside Winos 4.0 via CleverSoar is the open-source Nidhogg rootkit.

“The CleverSoar installer […] checks the user’s language settings to verify if they are set to Chinese or Vietnamese,” Rapid7 noted in late November 2024. “If the language is not recognized, the installer terminates, effectively preventing infection. This behavior strongly suggests that the threat actor is primarily targeting victims in these regions.”

The disclosure comes as the Silver Fox APT has been linked to a new campaign that leverages trojanized versions of Philips DICOM viewers to deploy ValleyRAT, which is then used to drop a keylogger and a cryptocurrency miner on victim computers. Notably, the attacks abuse a vulnerable version of the TrueSight driver to disable antivirus software, a bring-your-own-vulnerable-driver (BYOVD) technique.

“This campaign leverages trojanized DICOM viewers as lures to infect victim systems with a backdoor (ValleyRAT) for remote access and control, a keylogger to capture user activity and credentials, and a crypto miner to exploit system resources for financial gain,” Forescout said.
