In a detailed investigation published by FortiGuard Labs, a persistent and highly coordinated malware campaign has been observed targeting users in Taiwan. The campaign, which began in January 2025, uses advanced phishing lures impersonating Taiwan's National Taxation Bureau, distributing malicious payloads including Winos 4.0, HoldingHands RAT, and Gh0stCringe.
The attackers use phishing emails designed to exploit urgency and legitimacy. Common topics include tax forms, pensions, and invoices. Many emails embed images linked to HTML pages that lead to malware-laced downloads or password-protected ZIP archives.
One such email in March 2025 included a PDF attachment disguised as an account statement, which linked to a domain named twszz[.]xin, a naming pattern consistent with other campaigns targeting Taiwanese users.
"The HTML filename claims to include account statement details… This link enabled us to trace the attack and identify additional malware samples," the report stated.
Once the user interacts with the phishing lure, the real damage begins. Victims are tricked into downloading a ZIP archive that contains a mix of legitimate and malicious files, including:
- Executable files (e.g., TaskServer.exe)
- Shellcode loaders (dokan2.dll)
- Encrypted shellcode payloads (msgDb.dat)
These are orchestrated in a multi-stage side-loading attack flow. According to FortiGuard, the Dokan2.dll file initiates the sequence by decrypting shellcode from dxpi.txt, executing it after hiding the application window.
The malware contains embedded logic to detect virtualized environments and attempts privilege escalation by impersonating high-privilege services like WinLogon and TrustedInstaller. Once elevated, it:
- Drops additional payloads in C:\Program Files (x86)\WindowsPowerShell\Update
- Installs registry markers under SOFTWARE\MsUpTas
- Evades detection by checking for Kaspersky (avp.exe) and sandbox memory limitations
"If the amount of physically installed RAM is less than 8 GB, it exits," a classic anti-VM evasion technique.
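The side-loading trio (TaskServer.exe, dokan2.dll, msgDb.dat), the drop directory and the registry marker above are all host artifacts a defender can hunt for in endpoint telemetry. The following is an added example, not code from FortiGuard or from the article: it matches Sysmon-style events against those indicators. The event schema (EventID 11 for file create, 13 for registry value set, 7 for image load) follows common Sysmon JSON exports, and the sample events are constructed, not real telemetry.

```python
"""Hunt for the host artifacts attributed to the HoldingHands chain.

Added example, not from the FortiGuard report or the article: scans
Sysmon-style events (constructed below) for the dropped-file path, the
registry marker and the side-loading file set named in the text. Field
names follow common Sysmon JSON exports but are an assumption here.
"""
import json
import ntpath

# Indicators taken from the article. The DLL is written as both dokan2.dll
# and Dokan2.dll there, so all matching is case-insensitive.
DROP_DIR = r"C:\Program Files (x86)\WindowsPowerShell\Update"
REG_MARKER = r"SOFTWARE\MsUpTas"
SIDELOAD_SET = {"taskserver.exe", "dokan2.dll", "msgdb.dat"}

# Constructed sample events (assumed Sysmon-like schema, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\stmt\TaskServer.exe",
     "TargetFilename": DROP_DIR + r"\svc.dll"},
    {"EventID": 13, "Image": r"C:\Users\victim\Downloads\stmt\TaskServer.exe",
     "TargetObject": r"HKLM\SOFTWARE\MsUpTas\Installed"},
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\stmt\TaskServer.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\stmt\dokan2.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.log"},
]


def _norm(path):
    """Lower-case and use backslashes so comparisons ignore case and separators."""
    return path.replace("/", "\\").lower()


def _under(path, parent):
    """True if `path` is `parent` itself or lies anywhere beneath it."""
    p = _norm(path)
    return p == _norm(parent) or p.startswith(_norm(parent) + "\\")


def classify(event):
    """Return the indicator labels this event matches (empty list if none)."""
    hits = []
    eid = event.get("EventID")
    if eid == 11 and _under(event.get("TargetFilename", ""), DROP_DIR):
        hits.append("payload_drop_dir")
    if eid == 13:
        key = _norm(event.get("TargetObject", ""))
        # Accept any hive prefix (HKLM\, HKU\<sid>\) in front of the marker.
        if ("\\" + _norm(REG_MARKER)) in key or key.startswith(_norm(REG_MARKER)):
            hits.append("registry_marker")
    if eid == 7:
        # Image load where both the loading process and the loaded DLL are
        # members of the side-loading file set from the article.
        loaded = ntpath.basename(_norm(event.get("ImageLoaded", "")))
        loader = ntpath.basename(_norm(event.get("Image", "")))
        if loaded in SIDELOAD_SET and loader in SIDELOAD_SET:
            hits.append("sideload_pair")
    return hits


def hunt(events):
    """Map each matched indicator label to the number of events that hit it."""
    counts = {}
    for ev in events:
        for label in classify(ev):
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

On the constructed sample the benign svchost.exe file write produces no label, while the three events from the phishing download directory each trip one indicator. Matching is deliberately on the parent directory and the registry subtree rather than exact paths, since the report names the location of the drops, not every file name.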
At the heart of HoldingHands is msgDb.dat, which manages communication with the C2 server using a custom packet structure. It supports a wide array of C2 commands, such as:
- Heartbeat beacons (every 3 minutes or triggered by user inactivity/activity)
- System data collection (IP, username, OS, CPU specs, etc.)
- Remote module downloads and execution
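The fixed 3-minute heartbeat described above is itself a network-side signal: a destination that receives connections at a near-constant interval, with little jitter, stands out from ordinary browsing traffic. The following is an added example and not code from the report or the article: it groups constructed flow records by source/destination pair and flags pairs whose inter-connection gaps cluster around the 180-second period the article states. The 10% jitter tolerance and the minimum of six observations are assumptions chosen for the example.

```python
"""Flag periodic outbound connections consistent with a fixed-interval heartbeat.

Added example, not from the FortiGuard report: the article says HoldingHands
beacons every 3 minutes, so this looks for destinations whose connection gaps
cluster tightly around that interval. All flow records below are constructed.
"""
from statistics import median

BEACON_PERIOD_S = 180          # 3 minutes, as stated in the article
MIN_EVENTS = 6                 # assumption: need a few cycles before judging
MAX_JITTER_FRACTION = 0.10     # assumption: tolerate +/-10% scheduling jitter


def make_sample():
    """Constructed (unix_time, src, dst) flow records: one beacon, one browser."""
    rows = []
    t = 1_700_000_000
    for i in range(10):                          # 10 beacons ~180 s apart
        rows.append((t + i * 180 + (i % 3) * 4, "10.0.0.5", "203.0.113.7"))
    for gap in [5, 40, 300, 12, 900, 7, 60, 30]:  # bursty, irregular browsing
        t += gap
        rows.append((t, "10.0.0.5", "198.51.100.20"))
    return rows


def interval_profile(times):
    """Return (median_gap, max_relative_deviation) for a sorted timestamp list."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    med = median(gaps)
    if med == 0:
        return 0.0, float("inf")
    dev = max(abs(g - med) / med for g in gaps)
    return med, dev


def find_beacons(rows, period=BEACON_PERIOD_S, jitter=MAX_JITTER_FRACTION):
    """Return {(src, dst): median_gap} for pairs beaconing near `period`."""
    by_pair = {}
    for ts, src, dst in rows:
        by_pair.setdefault((src, dst), []).append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        med, dev = interval_profile(times)
        # Both conditions must hold: the gaps are regular, and the regular
        # gap is close to the heartbeat period we are hunting for.
        if dev <= jitter and abs(med - period) / period <= jitter:
            hits[pair] = med
    return hits


if __name__ == "__main__":
    for (src, dst), med in find_beacons(make_sample()).items():
        print(f"possible beacon {src} -> {dst}: median gap {med}s")
```

The check keys on regularity rather than on a particular destination, so it also surfaces heartbeats to infrastructure that is not yet on any blocklist; lowering `period` or widening `jitter` adapts it to other fixed-interval implants. The article also notes that user activity can trigger extra beacons, which would show up as outliers and push the deviation above the threshold, so on real traffic a robust statistic (for example, discarding the top and bottom deciles of gaps) is a sensible refinement.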
Three modules have been observed so far:
- RDTP: Remote Desktop
- RDTP (DXGI variant): Alternate Remote Desktop module
- FMGR: File Manager
Each module shares a structure with the base malware and is invoked using a common export function ModuleEntry.
"Some modules appear to be simplified versions, as indicated by the term 'jingjianban' (meaning 'lite version' in Chinese)," the report explains.
The report notes the attackers are not standing still. Over recent months, they've transitioned between Winos, HoldingHands, and Gh0stCringe, all while evolving their dropper chain, obfuscation techniques, and persistence mechanisms.