Ethical Hacking News

Winos 4.0 Hackers Expand to Japan and Malaysia with New Malware: A Growing Threat Landscape


Winos 4.0 hackers expand to Japan and Malaysia with new malware, marking a significant milestone in their global reach and highlighting the evolving threat landscape of modern-day cyber attacks.

  • Winos 4.0 hackers have expanded their operations to Japan and Malaysia, marking a significant milestone in their global reach.
  • The hackers are using fake Finance Ministry PDFs to spread HoldingHands RAT malware via phishing messages with embedded malicious links.
  • The malware variant is believed to be the same as previously used by ValleyRAT, but with notable additions for stealth and evasiveness.
  • Traditional antivirus software detection is being bypassed through digital signing of EXE files and reuse of identical scripts.
  • A new campaign in Malaysia was linked to an earlier Taiwan campaign via a shared C2 IP and debug path.
  • The attacks use a multi-stage flow, including a malicious DLL that performs anti-VM checks and privilege escalation.
  • The HoldingHands malware is believed to be the same variant as previously detected, but with added functionality through a C2 task.



    Malware has become an inevitable part of our digital lives, and the recent expansion of Winos 4.0 hackers to Japan and Malaysia highlights the growing threat landscape that we face today. This malicious actor group, also known as ValleyRAT, has been linked to several high-profile breaches across China and Taiwan in the past. However, their latest campaign marks a significant milestone in their global reach, showcasing the sophistication and cunning of modern-day cyber attackers.

    According to recent reports, Winos 4.0 hackers have begun using fake Finance Ministry PDFs to spread HoldingHands RAT malware in Japan and Malaysia. This new malware variant is believed to be the same as the one previously used by ValleyRAT in other regions, but with some notable additions that make it more stealthy and evasive.

    The campaign relied on phishing messages with embedded malicious links that masqueraded as official documents from the Ministry of Finance. These files contained numerous links, including one that delivered Winos 4.0, which was cleverly disguised to avoid detection by traditional antivirus software. Most malicious links pointed to Tencent Cloud, a popular cloud storage platform in Asia, whose unique account IDs allowed researchers to trace multiple phishing files to the same threat operators.
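The account-ID pivot the paragraph describes can be automated once download links have been extracted from the lure documents. The following is an added example, not code from the article or from the researchers it cites: it assumes the public bucket hostname form `<bucket>-<APPID>.cos.<region>.myqcloud.com` used by Tencent Cloud Object Storage, and the lure names, URLs and APPID values in it are constructed.

```python
"""Clustering phishing lures by the cloud storage account that hosts their payloads.

Added example, not code from the article or from the researchers it cites. It assumes
the public bucket hostname form <bucket>-<APPID>.cos.<region>.myqcloud.com used by
Tencent Cloud Object Storage; the lure names, URLs and APPID values are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Bucket hostnames carry the account's numeric APPID after the last hyphen of the
# bucket label; that per-operator value is what the pivot keys on.
COS_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9-]+?)-(?P<appid>\d{6,})\.cos\.(?P<region>[a-z0-9-]+)\.myqcloud\.com$"
)


def cos_account(url: str):
    """APPID of a COS-hosted URL, or None for any other host."""
    host = (urlparse(url).hostname or "").lower()
    m = COS_HOST.match(host)
    return m.group("appid") if m else None


def cluster_by_account(lure_links):
    """Group lure file names by hosting APPID; links on non-COS hosts are left out."""
    clusters = defaultdict(set)
    for lure, url in lure_links:
        appid = cos_account(url)
        if appid:
            clusters[appid].add(lure)
    return {appid: sorted(names) for appid, names in clusters.items()}


# Constructed sample: links pulled from several fake "Finance Ministry" PDFs.
SAMPLE_LINKS = [
    ("tax-notice-2025.pdf", "https://docs-1250000001.cos.ap-guangzhou.myqcloud.com/a/notice.zip"),
    ("invoice-reminder.pdf", "https://files-1250000001.cos.ap-shanghai.myqcloud.com/b/form.zip"),
    ("regulation-draft.pdf", "https://share-1250000002.cos.ap-hongkong.myqcloud.com/c/draft.rar"),
    ("tax-notice-2025.pdf", "https://www.example.com/legit/terms.html"),  # non-COS link, ignored
]

if __name__ == "__main__":
    for appid, lures in cluster_by_account(SAMPLE_LINKS).items():
        print(appid, lures)
```

Two lures sharing an APPID across different buckets and regions still cluster together, which is the point of keying on the account rather than on the full URL.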

    The attackers' tactics were not limited to phishing emails; they also registered custom domains containing "tw," which suggested the campaign was aimed at Taiwan. However, one such PDF masquerading as a Taiwanese tax regulation draft redirected users to a Japanese-language site that delivered a HoldingHands payload, linking both campaigns via a shared C2 IP (156.251.17[.]9) and the debug path "BackDoor.pdb."

    Furthermore, the attackers digitally signed EXE files to bypass detection by traditional security software, adding an extra layer of sophistication to their malware delivery mechanism. Additionally, they reused identical malicious scripts to host payloads on dynamic pages, hiding download links in JSON data to complicate detection.

    A recent report by Fortinet researchers linked the Malaysia attacks to the earlier Taiwan campaigns by finding that the domain twczb[.]com resolved to the same IP. The campaign uses simple phishing pages to deliver HoldingHands via a multi-stage flow; unlike earlier variants that dropped EXE files and left artifacts, later stages are triggered through the Windows Task Scheduler, which complicates behavior-based detection.

    The attack chain begins with a malicious dokan2.dll (a Dokany-named shellcode loader) and sw.dat, which performs anti-VM checks, privilege escalation, and drops components (svchost.ini, TimeBrokerClient.dll, msvchost.dat, system.dat) into C:\Windows\System32. The installer enumerates processes for Norton, Avast, and Kaspersky and drops or aborts if it finds them.

    The DLL first checks the process name with a simple ASCII-sum test, then reads svchost.ini to find the address of VirtualAlloc. The library decrypts msvchost.dat into shellcode and runs that code in memory. The shellcode then decrypts system.dat to get the HoldingHands payload and confirms it's running in the svchost instance that hosts the Task Scheduler.

    Next, it lists active user sessions and copies a logged-on user's token. Using that token, it starts taskhostw.exe and injects the payload into it. Finally, it watches the process and reinjects the payload if the process stops. The HoldingHands malware appears to be the same, but attackers added a C2 task that updates the server IP by writing it to the registry.
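The chain described in the last four paragraphs gives a defender several concrete things to look for in endpoint telemetry. The following is an added example, not code from the article or from FortiGuard Labs: it runs a handful of checks over constructed, Sysmon-like events (the event shape and field names such as `type`, `path`, `source_image` and `pdb` are assumptions for the illustration, not a real product schema), flagging writes of the named components into System32, the dokan2.dll/sw.dat loader pair, a remote thread from svchost.exe into taskhostw.exe, the shared C2 IP and domain, and the BackDoor.pdb debug path.

```python
"""Triage of the HoldingHands chain above against sample endpoint telemetry.

Added example, not code from the article or from Fortinet. Events are constructed,
Sysmon-like records; the field names are assumptions, not a real product schema.
"""
from collections import defaultdict

# Indicators as the article prints them (defanged); refang() makes them matchable.
DEFANGED_C2_IP = "156.251.17[.]9"
DEFANGED_C2_DOMAIN = "twczb[.]com"
DEBUG_PATH_FRAGMENT = "backdoor.pdb"
LOADER_PAIR = {"dokan2.dll", "sw.dat"}
# Components the installer writes into System32. TimeBrokerClient.dll is also a
# legitimate Windows file, so the signal is a write of that name, not its presence.
DROPPED_COMPONENTS = {"svchost.ini", "timebrokerclient.dll", "msvchost.dat", "system.dat"}
SYSTEM32 = r"c:\windows\system32"


def refang(ioc: str) -> str:
    """Turn a published, defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IP = refang(DEFANGED_C2_IP)
C2_DOMAIN = refang(DEFANGED_C2_DOMAIN)


def _split(path: str):
    """(directory, filename) of a Windows path, both lower-cased."""
    d, _, f = path.replace("/", "\\").lower().rpartition("\\")
    return d, f


def check_component_write(ev):
    if ev["type"] == "file_create":
        d, f = _split(ev["path"])
        if d == SYSTEM32 and f in DROPPED_COMPONENTS:
            return "holdinghands_component_write"
    return None


def check_taskhostw_injection(ev):
    # The Scheduler's svchost legitimately *launches* taskhostw.exe, so parent/child
    # alone is noise; a remote thread from svchost into taskhostw is the injection step.
    if (ev["type"] == "remote_thread"
            and _split(ev["source_image"])[1] == "svchost.exe"
            and _split(ev["target_image"])[1] == "taskhostw.exe"):
        return "svchost_to_taskhostw_injection"
    return None


def check_c2(ev):
    if ev["type"] == "network" and ev.get("dest_ip") == C2_IP:
        return "known_c2_ip"
    if ev["type"] == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            return "known_c2_domain"
    return None


def check_debug_path(ev):
    # "pdb" is assumed to come from PE-metadata enrichment of image-load events.
    if ev["type"] == "image_load" and DEBUG_PATH_FRAGMENT in ev.get("pdb", "").lower():
        return "backdoor_pdb_debug_path"
    return None


CHECKS = (check_component_write, check_taskhostw_injection, check_c2, check_debug_path)


def triage(events):
    """Sorted (rule, event_id) pairs. The dokan2.dll + sw.dat pair needs state across
    events (both written to one directory) and is reported on the completing event."""
    hits, seen_in_dir = [], defaultdict(set)
    for ev in events:
        for check in CHECKS:
            rule = check(ev)
            if rule:
                hits.append((rule, ev["id"]))
        if ev["type"] == "file_create":
            d, f = _split(ev["path"])
            if f in LOADER_PAIR:
                seen_in_dir[d].add(f)
                if seen_in_dir[d] == LOADER_PAIR:
                    hits.append(("dokan2_loader_pair", ev["id"]))
    return sorted(hits)


# Constructed sample telemetry: one infection sequence plus benign noise (ids 5 and 8).
SAMPLE_EVENTS = [
    {"id": 1, "type": "dns", "query": "twczb.com"},
    {"id": 2, "type": "file_create", "path": r"C:\Users\Alice\AppData\Local\Temp\pkg\dokan2.dll"},
    {"id": 3, "type": "file_create", "path": r"C:\Users\Alice\AppData\Local\Temp\pkg\sw.dat"},
    {"id": 4, "type": "image_load", "image": r"C:\Users\Alice\AppData\Local\Temp\pkg\dokan2.dll",
     "pdb": r"D:\proj\Release\BackDoor.pdb"},
    {"id": 5, "type": "process_create", "image": r"C:\Windows\System32\taskhostw.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},  # legitimate launch, not a hit
    {"id": 6, "type": "file_create", "path": r"C:\Windows\System32\msvchost.dat"},
    {"id": 7, "type": "remote_thread", "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\taskhostw.exe"},
    {"id": 8, "type": "dns", "query": "example.com"},
    {"id": 9, "type": "network", "dest_ip": "156.251.17.9", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, event_id in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 5 is deliberately left unflagged: the Task Scheduler's svchost instance launches taskhostw.exe as part of normal operation, so the parent/child relation on its own would drown a team in false positives, whereas a remote thread from that svchost into taskhostw.exe (event 7) is the injection step the article describes. The component-write check is keyed on a file-creation event for the same reason: some of the dropped names shadow legitimate files in System32.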

    The recent campaign marked by Winos 4.0 hackers expanding to Japan and Malaysia highlights the evolving threat landscape of modern-day cyber attacks. Threat actors continue to rely on phishing lures and layered evasion to deliver malware while obscuring their activity. Yet those same tactics provide valuable clues that link campaigns across borders.

    By following infrastructure, code reuse, and behavioral patterns, researchers like FortiGuard Labs have connected attacks spanning China, Taiwan, Japan, and now Malaysia and identified the latest HoldingHands variant in the process. This example serves as a reminder of the importance of vigilance and proactive security measures to combat the ever-evolving threat landscape.

    In conclusion, the recent expansion of Winos 4.0 hackers to Japan and Malaysia marks a significant milestone in their global reach, showcasing the sophistication and cunning of modern-day cyber attackers. As we navigate this complex digital terrain, it is essential that we remain vigilant and proactive in our security measures to combat the growing threat landscape.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Winos-40-Hackers-Expand-to-Japan-and-Malaysia-with-New-Malware-A-Growing-Threat-Landscape-ehn.shtml
  • https://securityaffairs.com/183580/security/winos-4-0-hackers-expand-to-japan-and-malaysia-with-new-malware.html
  • https://www.bleepingcomputer.com/news/security/hackers-increasingly-use-winos40-post-exploitation-kit-in-attacks/
  • https://thehackernews.com/2024/11/new-winos-40-malware-infects-gamers.html
  • https://thehackernews.com/2025/10/silver-fox-expands-winos-40-attacks-to.html
  • https://www.fortinet.com/blog/threat-research/winos-spreads-via-impersonation-of-official-email-to-target-users-in-taiwan
  • https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat
  • https://any.run/malware-trends/valleyrat/
  • https://thehackernews.com/2025/02/silver-fox-apt-uses-winos-40-malware-in.html
  • https://thehackernews.com/2025/06/silver-fox-apt-targets-taiwan-with.html
  • https://cloudindustryreview.com/silver-fox-apt-launches-sophisticated-gh0stcringe-and-holdinghands-rat-attacks-on-taiwan/


  • Published: Sat Oct 18 15:01:01 2025 by llama3.2 3B Q4_K_M