The current attack flow | Image: FortiGuard Labs
FortiGuard Labs has uncovered a sophisticated cross-regional campaign that has gradually expanded from China to Taiwan, Japan, and most recently Malaysia, revealing a methodical evolution in both targeting and technical capability.
According to the analysis, “In January 2025, FortiGuard Labs observed Winos 4.0 attacks targeting users in Taiwan. In February, it became clear the actor had changed malware families and expanded operations.” What initially appeared to be isolated incidents turned out to be “part of a broader campaign that shifted from China to Taiwan, then Japan, and most recently Malaysia.”
The campaign’s earliest wave relied on phishing PDFs masquerading as official documents from Taiwan’s Ministry of Finance. Fortinet analysts explain that “the campaign relied on phishing emails with PDFs that contained embedded malicious links,” which pointed to files hosted on Tencent Cloud storage. Unique account IDs embedded in these URLs allowed investigators to correlate multiple files to a single actor, effectively mapping the infrastructure behind the scenes.
Subsequent waves replaced the cloud-storage URLs with custom domains featuring the “tw” string — short for Taiwan — to deliver malware via web pages mimicking government or business documents. One PDF “posing as a tax regulation draft for Taiwan, redirected to a Japanese-language page, where victims were tricked into downloading a ZIP that delivered the HoldingHands payload.” This cross-regional link was confirmed when the same C2 IP address (156[.]251[.]17[.]9) was found across both Taiwan and Japan-targeted attacks.
FortiGuard’s technical deep dive revealed that the actor leveraged multi-stage loaders and DLL sideloading to execute payloads stealthily. A malicious component named dokan2.dll acted as a loader for another file, sw.dat, which “sets up the environment for the malware by creating necessary files and escalating privilege.” This component checked system RAM, impersonated the TrustedInstaller service for privilege escalation, and even enumerated security software such as Norton, Avast, and Kaspersky before deciding how to proceed.
If no antivirus processes were detected, the malware cleverly hijacked the Windows Task Scheduler to achieve persistence. As the report notes, “when the Task Scheduler is restarted, svchost.exe is executed and loads the malicious TimeBrokerClient.dll,” making behavior-based detection more difficult. Once loaded, the DLL verified its host process and decrypted additional payloads stored in msvchost.dat, ultimately launching the HoldingHands backdoor under the taskhostw.exe process.
The 2025 variant of HoldingHands retained its previous functionality but introduced several strategic updates. FortiGuard notes, “The key addition is a new C2 task that updates the server IP address via registry entry, enabling attackers to shift infrastructure without redeploying malware.” The configuration registry key remains at HKEY_CURRENT_USER\SOFTWARE\HHClient, while the termination command has been updated from 0x15 to 0x17.
This flexibility underscores the group’s growing sophistication, allowing them to maintain resilience against takedowns or IP blacklisting.
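As an added illustration (not code from the FortiGuard report), the Python below turns the host artifacts described above into a small detection pass over constructed Sysmon-style log lines: svchost.exe loading a TimeBrokerClient.dll from outside System32, activity on the HHClient registry key, and connections to the reported C2 IP. The key=value log format, the sample lines and the assumption that the genuine TimeBrokerClient.dll lives under C:\Windows\System32 are mine, not the report's.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines (not from the report), in a simplified
# key=value format modelled on Sysmon image-load, registry and network events.
SAMPLE_LOGS = [
    r'event=ImageLoad process=C:\Windows\System32\svchost.exe image=C:\Windows\System32\TimeBrokerClient.dll',
    r'event=ImageLoad process=C:\Windows\System32\svchost.exe image=C:\ProgramData\Update\TimeBrokerClient.dll',
    r'event=RegistryEvent process=C:\Windows\System32\taskhostw.exe key=HKCU\SOFTWARE\HHClient',
    r'event=NetworkConnect process=C:\Windows\System32\taskhostw.exe dst=156.251.17.9:443',
    r'event=NetworkConnect process=C:\Program Files\Browser\browser.exe dst=93.184.216.34:443',
]

C2_IPS = {"156.251.17.9"}                 # C2 address reported by FortiGuard
CONFIG_KEY = r"hkcu\software\hhclient"    # HKEY_CURRENT_USER\SOFTWARE\HHClient, normalised
LEGIT_DLL_DIR = r"c:\windows\system32"    # assumption: home of the genuine TimeBrokerClient.dll


def parse(line: str) -> Dict[str, str]:
    """Split a key=value line; values may contain spaces, so stop only before ' key='."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)=(.*?)(?=\s\w+=|$)', line)}


def detect(line: str) -> List[str]:
    """Return the names of the report's indicators that this single event matches."""
    f = parse(line)
    proc = f.get("process", "").lower()
    event = f.get("event")
    hits: List[str] = []
    if event == "ImageLoad":
        image = f.get("image", "").lower()
        # The hijack loads a rogue copy of the DLL into svchost.exe; the real one is in System32.
        if (proc.endswith(r"\svchost.exe") and image.endswith(r"\timebrokerclient.dll")
                and not image.startswith(LEGIT_DLL_DIR + "\\")):
            hits.append("timebrokerclient_sideload")
    elif event == "RegistryEvent":
        key = f.get("key", "").lower().replace("hkey_current_user", "hkcu")
        if key.startswith(CONFIG_KEY):          # key itself or any value beneath it
            hits.append("hhclient_registry")
    elif event == "NetworkConnect":
        if f.get("dst", "").rsplit(":", 1)[0] in C2_IPS:
            hits.append("known_c2_ip")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run detect() over a batch and return (line index, indicator) pairs."""
    return [(i, h) for i, line in enumerate(lines) for h in detect(line)]


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_LOGS):
        print(f"line {idx}: {name}")
```

The IP match is the weakest signal, since the report notes the actor can re-point C2 via the registry without redeploying the malware; the DLL path and registry checks survive that change.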
By mid-2025, FortiGuard researchers linked the same infrastructure to new campaigns in Malaysia, where “twczb[.]com — a domain previously associated with Taiwan-focused phishing — resolved to the same IP address used in the Malaysia-based activity.” In this wave, the HoldingHands malware employed Task Scheduler triggers rather than direct execution, “making behavior-based detection more challenging.”
The FortiGuard team concludes that “threat actors continue to rely on phishing lures and layered evasion to deliver malware while obscuring their activity.” Yet, their own infrastructure reuse provides valuable forensic trails. By tracking “infrastructure, code reuse, and behavioral patterns,” analysts successfully linked campaigns “spanning China, Taiwan, Japan, and now Malaysia.”