Winos 4.0 Malware Targets Taiwan With Email Impersonation


A new malware campaign using Winos 4.0 that targets organizations in Taiwan through email impersonation has been uncovered by cybersecurity experts. 

FortiGuard Labs observed the attack in January 2025, noting that the malware, previously distributed via gaming applications, is now being spread through phishing emails disguised as official tax documents.

Attack Methodology

The phishing emails claim to originate from Taiwan’s National Taxation Bureau, urging recipients to download an attachment containing a list of companies scheduled for tax inspection.

However, the attachment is a ZIP file that includes malicious DLL files, which initiate the attack upon execution.

Key elements of the attack chain:

  • The phishing email mimics official government communication

  • A ZIP file contains disguised executable files

  • Execution triggers the download of Winos 4.0 from a command-and-control (C2) server
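The attachment stage of this chain (a ZIP that carries DLLs dressed up as a document bundle) is something a mail gateway or an analyst can check for without extracting anything. The following is an added illustration, not code from FortiGuard Labs or from the article: it walks a ZIP's member list and flags executable extensions (including `.dll`), double extensions such as `.pdf.exe`, and members whose first bytes are a PE header (`MZ`) despite a non-executable name. The sample archive it builds is constructed for the demonstration and is not a real Winos 4.0 sample.

```python
import io
import zipfile

# Extensions Windows will execute or load; any of these inside a "document" ZIP is high risk.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".msi",
    ".bat", ".cmd", ".js", ".vbs", ".ps1", ".lnk", ".hta",
}
# Extensions a recipient expects in a tax or company list.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".csv"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE file (EXE or DLL)


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a ZIP member looks suspicious (empty list if none).

    name: the member's path inside the archive
    head: the first bytes of the member's content (two are enough for the PE check)
    """
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]  # strip any directory prefix
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")

    # 'list.pdf.exe' style disguise: a document extension followed by another extension.
    if len(parts) > 2 and ("." + parts[-2]) in DOCUMENT_EXTENSIONS:
        reasons.append("document extension followed by another extension")

    # Content sniff: PE header under a name that does not announce an executable.
    if head[:2] == PE_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header (MZ) in a file not named as an executable")

    return reasons


def scan_zip_attachment(blob: bytes) -> dict[str, list[str]]:
    """Inspect every member of a ZIP attachment in memory; map suspicious members to reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the header bytes are read; nothing is written to disk or executed.
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample imitating an 'inspection list' bundle; the PE members are just an MZ stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inspection_list.txt", "Company A\nCompany B\n")       # benign
        zf.writestr("inspection_list.pdf.exe", b"MZ" + b"\x00" * 62)       # double extension
        zf.writestr("support/helper.dll", b"MZ" + b"\x00" * 62)            # DLL in a subfolder
        zf.writestr("readme.dat", b"MZ" + b"\x00" * 62)                    # PE under a neutral name
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_attachment(build_sample_zip()).items():
        print(f"{member}: {'; '.join(reasons)}")
```

The header check is what catches a DLL renamed to look like data; extension lists alone miss that case. In a gateway this would run before the user ever sees the attachment, which is also where the article's advice to block ZIP attachments outright would be enforced.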


Jason Soroko, a senior fellow at Sectigo, noted that the attack “marks a clear shift in cybercrime” by using government impersonation and advanced obfuscation.

“By exploiting trust in official government communications, everyday fiscal notices are turned into malware delivery vehicles.” He also pointed out that Winos 4.0’s design, which embeds its payload within registry keys, “forces a re-examination of detection methods” and offers forensic clues despite its sophisticated evasion techniques.

Once installed, Winos 4.0 carries out multiple malicious activities, including keylogging, screen capturing, clipboard monitoring and bypassing security measures.

The malware operates stealthily by using registry keys to store encrypted configurations, making detection more difficult.

The malware’s modules perform the following tasks:

  • MainThread: Ensures persistence, prevents system sleep and disables security prompts

  • Screenshot: Captures images of sensitive applications like WeChat and online banking

  • Keylog: Records keystrokes and clipboard activity

  • USB Monitoring: Logs USB device insertions and removals

  • Anti-AV Measures: Disables security software and bypasses User Account Control (UAC)

Understanding Phishing Attacks

J. Stephen Kowski, field CTO at SlashNext, described the attack as “a classic phishing pattern with a fun twist” by using tax authorities to invoke urgency and curiosity. 

“Threat actors cleverly exploit human psychology, making recipients more likely to download what appears to be an important tax document but is actually malicious code.” He emphasized that modern AI-powered security tools can detect deception patterns in emails before users even interact with them.

Organizations are encouraged to keep their antivirus databases updated and educate employees about phishing threats through training programs.

Kowski also advised companies to implement “multi-layered protection that combines user education with advanced threat detection technologies.”

He recommended using managed file transfer systems that require registration and approval while blocking ZIP attachments altogether.
