Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations

The Hacker News by The Hacker News
February 27, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Feb 27, 2025Ravie LakshmananMalware / Threat Intelligence

A new campaign is targeting companies in Taiwan with malware known as Winos 4.0 as part of phishing emails masquerading as the country’s National Taxation Bureau.

The campaign, detected last month by Fortinet FortiGuard Labs, marks a departure from previous attack chains that have leveraged malicious game-related applications.

“The sender claimed that the malicious file attached was a list of enterprises scheduled for tax inspection and asked the receiver to forward the information to their company’s treasurer,” security researcher Pei Han Liao said in a report shared with The Hacker News.

The attachment mimics an official document from the Ministry of Finance, urging the recipient to download the list of enterprises scheduled for tax inspection.

Cybersecurity

But in reality, the list is a ZIP file containing a malicious DLL (“lastbld2Base.dll”) that lays the groundwork for the next attack stage, leading to the execution of shellcode that’s responsible for downloading a Winos 4.0 module from a remote server (“206.238.221[.]60”) for gathering sensitive data.

The component, described as a login module, is capable of taking screenshots, logging keystrokes, altering clipboard content, monitoring connected USB devices, running shellcode, and permitting the execution of sensitive actions (e.g., cmd.exe) when security prompts from Kingsoft Security and Huorong are displayed.

Fortinet said it also observed a second attack chain that downloads an online module that can capture screenshots of WeChat and online banks.

It’s worth noting that the intrusion set distributing the Winos 4.0 malware has been assigned the monikers Void Arachne and Silver Fox, with the malware also overlapping with another remote access trojan tracked as ValleyRAT.

“They are both derived from the same source: Gh0st RAT, which was developed in China and open-sourced in 2008,” Daniel dos Santos, Head of Security Research at Forescout’s Vedere Labs, told The Hacker News.

“Winos and ValleyRAT are variations of Gh0st RAT attributed to Silver Fox by different researchers at different points in time. Winos was a name commonly used in 2023 and 2024 while now ValleyRAT is more commonly used. The tool is constantly evolving, and it has both local Trojan/RAT capabilities as well as a command-and-control server.”

ValleyRAT, first identified in early 2023, has been recently observed using fake Chrome sites as a conduit to infect Chinese-speaking users. Similar drive-by download schemes have also been employed to deliver Gh0st RAT.

Furthermore, Winos 4.0 attack chains have incorporated what’s called a CleverSoar installer that’s executed by means of an MSI installer package distributed as fake software or gaming-related applications. Also dropped alongside Winos 4.0 via CleverSoar is the open-source Nidhogg rootkit.

Cybersecurity

“The CleverSoar installer […] checks the user’s language settings to verify if they are set to Chinese or Vietnamese,” Rapid7 noted in late November 2024. “If the language is not recognized, the installer terminates, effectively preventing infection. This behavior strongly suggests that the threat actor is primarily targeting victims in these regions.”

The disclosure comes as the Silver Fox APT has been linked to a new campaign that leverages trojanized versions of Philips DICOM viewers to deploy ValleyRAT, which is then used to drop a keylogger, and a cryptocurrency miner on victim computers. Notably, the attacks have been found to use a vulnerable version of the TrueSight driver to disable antivirus software.

“This campaign leverages trojanized DICOM viewers as lures to infect victim systems with a backdoor (ValleyRAT) for remote access and control, a keylogger to capture user activity and credentials, and a crypto miner to exploit system resources for financial gain,” Forescout said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Metanoia stellt MT5824 vor: Die 4T4R O-RU-Lösung mit dem weltweit geringsten Stromverbrauch und Platzbedarf

Metanoia stellt MT5824 vor: Die 4T4R O-RU-Lösung mit dem weltweit geringsten Stromverbrauch und Platzbedarf

Recommended.

Palo Alto Networks Completes B Acquisition Of CyberArk For Identity Security Push

Palo Alto Networks Completes $25B Acquisition Of CyberArk For Identity Security Push

February 11, 2026
TDS reports fourth quarter and full year 2024 results

TDS reports fourth quarter and full year 2024 results

February 22, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio