Taiwan Hit by Sophisticated Phishing Campaign

A coordinated phishing campaign targeting users in Taiwan has been observed using malware variants like Winos 4.0 and the HoldingHands remote access Trojan (RAT) to gain long-term access to infected systems.
According to a new advisory by FortiGuard Labs, the campaign began in January 2025, using emails impersonating Taiwan’s National Taxation Bureau. These messages contain links to files or ZIP archives, some password-protected, which execute a complex payload chain upon user interaction.
The malware employs legitimate executables for side-loading, evading standard detection tools. According to FortiGuard, multiple files, such as shellcode loaders and encrypted payloads, work in tandem to establish persistence.
“This isn’t just opportunistic cybercrime, it’s strategic,” said Chad Cragle, chief information security officer at Deepwatch.
“Using tax-themed phishing to impersonate a trusted government agency is a calculated tactic designed to drive clicks and compromise systems.”
One unique technique involves hiding essential Windows API calls by encoding them into file names. For example, the filename DwhsOqnbdrr.dll decodes to the API ExitProcess by shifting each letter one position forward in the alphabet.
“Attackers introduced a filename-cipher,” explained Jason Soroko, senior fellow at Sectigo.
“Dokan2.dll resolves these names in memory, patches the IAT and launches the shellcode, evading static string scans and many EDR import hook defenses.”
New Tactics Signal Increasing Sophistication
The threat group behind the attacks has adopted an approach that involves more than just typical phishing.
Email messages sent by the group often include realistic attachments or links to fake download pages, embedding malware inside password-protected ZIPs. This extra step complicates analysis and reduces the chance of early detection.
Over time, the group has expanded its toolkit. In addition to Winos and HoldingHands, analysts observed the use of another malware variant, Gh0stCringe. Each operates in a chain, leading to the installation of secondary modules like remote desktop tools and file managers.
“This Taiwan-focused campaign shows how attackers are getting smarter about social engineering,” said J Stephen Kowski, field CTO at SlashNext.
“What’s particularly concerning is how they’re using legitimate-looking ZIP files and multi-stage infection chains to slip past traditional email security.”
The tactics used in this campaign, while currently focused on Taiwan, suggest a broader threat landscape.
“This issue isn’t confined to Taiwan,” Cragle added.
“Similar attacks are occurring worldwide.”
Some antivirus tools can detect and block components of this malware chain, but experts recommend stronger defenses.
“Defenders must strengthen layered email security, ongoing user training and real-time threat intelligence to stay ahead of campaigns like this,” Cragle concluded.