According to a new threat intelligence report, a highly organized Advanced Persistent Threat (APT) group has launched a sophisticated wave of cyberattacks targeting organizations in Taiwan, weaponizing the very administrative tasks that keep businesses running.
“FortiGuard Labs recently observed several targeted phishing campaigns in Taiwan that use themes designed to exploit local business processes,” the researchers reported.
This campaign introduces a dangerous evolution of the Winos 4.0 (ValleyRat) malware, utilizing rotating cloud infrastructure, memory-resident execution, and vulnerable drivers to compromise enterprise networks.
The threat actors behind this campaign understand that urgency and authority are the best social engineering tools. To trick victims into executing their payloads, the attackers crafted highly localized and convincing decoys.
“These campaigns disseminate Winos 4.0 (ValleyRat) and subsequent malicious plugins through weaponized attachments or embedded links,” the FortiGuard Labs report notes. The lures are carefully designed to “mimic official communications, such as tax audit notifications, tax filing software installers, and cloud-based e-invoice downloads”.
To further legitimize their traps, the attackers are “registering domains that appear to be related to country-specific text to enhance the perceived legitimacy of their tax-themed and official document decoys”. Because this infrastructure is highly volatile and constantly rotating, analysts warn that “traditional, static domain blocking [is] insufficient as a primary defense”.
Once the victim takes the bait, a multi-stage infection process begins. Over a two-month observation period, researchers identified a diverse arsenal of delivery techniques.
These techniques included “malicious LNK files used for a downloader, DLL sideloading via legitimate executables to load shellcode, and BYOVD (Bring Your Own Vulnerable Driver) attacks using ‘wsftprm.sys’”.
In a BYOVD attack, the hackers drop a legitimately signed but known-vulnerable driver onto the system; because the signature is valid, Windows loads it, and the attackers then abuse the driver’s flaw to execute their own code in the kernel, the highest privilege level, bypassing the protections that would otherwise stop unsigned malicious code.
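As an added defender-side illustration (not code from the FortiGuard report), the following hunt runs over constructed Sysmon DriverLoad (Event ID 6) records and flags the driver named above as well as any driver loaded from a user-writable location; the JSON record shape and the sample paths are assumptions.

```python
"""Hunt for BYOVD indicators in Sysmon DriverLoad (Event ID 6) records."""
import json
import ntpath
import re

# Driver file name reported by FortiGuard Labs; extend from your own blocklist.
WATCHLIST = {"wsftprm.sys"}

# Legitimate drivers live under \Windows\System32\drivers. A signed driver
# loaded from a user-writable directory is the typical BYOVD drop pattern.
SUSPICIOUS_DIRS = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata)|programdata|windows\\temp)\\", re.I
)


def classify_driver_load(event: dict) -> list[str]:
    """Return the reasons a record looks like a BYOVD load (empty list = benign).

    Note that Sysmon's Signed=true field does not exonerate the driver: BYOVD
    relies on the driver being validly signed, so we key on name and path.
    """
    reasons = []
    if event.get("EventID") != 6:
        return reasons
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    if name in WATCHLIST:
        reasons.append(f"known-vulnerable driver {name}")
    if SUSPICIOUS_DIRS.search(image):
        reasons.append("driver loaded from user-writable path")
    return reasons


def hunt(lines):
    """Yield (image_path, reasons) for each suspicious JSON-lines record."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        reasons = classify_driver_load(json.loads(line))
        if reasons:
            yield json.loads(line)["ImageLoaded"], reasons


# Constructed sample records for demonstration; paths are illustrative only.
SAMPLE_LOG = """
{"EventID": 6, "ImageLoaded": "C:\\\\Windows\\\\System32\\\\drivers\\\\tcpip.sys", "Signed": "true"}
{"EventID": 6, "ImageLoaded": "C:\\\\ProgramData\\\\TaxTool\\\\WSFTPRM.SYS", "Signed": "true"}
{"EventID": 6, "ImageLoaded": "C:\\\\Users\\\\bob\\\\Downloads\\\\helper.sys", "Signed": "true"}
{"EventID": 1, "Image": "C:\\\\Windows\\\\explorer.exe"}
"""

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(image, "->", "; ".join(reasons))
```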
Furthermore, the attackers are becoming stealthier. “The technical evolution of this group is evident in their shift toward memory-resident execution for additional plugins, leaving minimal physical footprints on the local disk,” the report explains.
While the attackers went to great lengths to hide their malware, they made critical operational security errors. During an environmental check routine observed in August 2025, investigators uncovered overlapping infrastructure and consistent development machine identifiers.
This slip-up allowed researchers to tie the activity to a “specialized subgroup within Silver Fox,” a known APT group operating in Asia.
The investigation also led to “The exposure of internal project names, such as 倧馬ε°ζ‘”. According to FortiGuard Labs, this level of coordination “indicates a well-organized operation with a mature toolset and structured planning”.
As the Silver Fox subgroup continues to refine its tactics, security teams across Asia must adapt. Because the attackers are exploiting routine business processes, the frontline defense must be employee awareness.
“As this threat actor continues to refine its evasion techniques and infrastructure, users and organizations must remain highly vigilant. It is critical to treat any documents or links from non-trusted sources with extreme caution to prevent infection by this evolving threat,” the report concludes.