The threat actors behind a malware family known as Winos 4.0 (aka ValleyRAT) have expanded their targeting footprint from China and Taiwan to target Japan and Malaysia with another remote access trojan (RAT) tracked as HoldingHands RAT (aka Gh0stBins).
“The campaign relied on phishing emails with PDFs that contained embedded malicious links,” Pei Han Liao, researcher with Fortinet’s FortiGuard Labs, said in a report shared with The Hacker News. “These files masqueraded as official documents from the Ministry of Finance and included numerous links in addition to the one that delivered Winos 4.0.”
Winos 4.0 is a malware family that’s often spread via phishing and search engine optimization (SEO) poisoning, directing unsuspecting users to fake websites masquerading as popular software like Google Chrome, Telegram, Youdao, Sogou AI, WPS Office, and DeepSeek, among others.
The use of Winos 4.0 is primarily linked to an “aggressive” Chinese cybercrime group known as Silver Fox, which is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne.
Last month, Check Point attributed the threat actor to the abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disabling security software installed on compromised hosts.
Then weeks later, Fortinet shed light on another campaign that took place in August 2025, leveraging SEO poisoning to distribute HiddenGh0st and modules associated with the Winos malware.
Silver Fox’s targeting of Taiwan and Japan with HoldingHands RAT was also documented by the cybersecurity company and a security researcher named somedieyoungZZ back in June, with the attackers employing phishing emails containing booby-trapped PDF documents to activate a multi-stage infection that ultimately deploys the trojan.
It’s worth noting at this stage that both Winos 4.0 and HoldingHands RAT are inspired by another RAT malware referred to as Gh0st RAT, which had its source code leaked in 2008 and has since been widely adopted by various Chinese hacking groups.
Fortinet said it identified PDF documents posing as a tax regulation draft for Taiwan that included a URL to a Japanese language web page (“twsww[.]xin/download[.]html”), from where victims are prompted to download a ZIP archive responsible for delivering HoldingHands RAT.
Further investigation has uncovered attacks targeting China that have utilized taxation-themed Microsoft Excel documents as lures, some dating back to March 2024, to distribute Winos. Recent phishing campaigns, however, have shifted their focus to Malaysia, using fake landing pages to deceive recipients into downloading HoldingHands RAT.
The starting point is an executable claiming to be an excise audit document. It’s used to sideload a malicious DLL, which functions as a shellcode loader for “sw.dat,” a payload that’s designed to run anti-virtual machine (VM) checks, enumerate active processes against a list of security products from Avast, Norton, and Kaspersky, and terminate them if found, escalate privileges, and terminate the Task Scheduler.
It also drops several other files in the system’s C:WindowsSystem32 folder –
- svchost.ini, which contains the Relative Virtual Address (RVA) of VirtualAlloc function
- TimeBrokerClient.dll, the legitimate TimeBrokerClient.dll renamed as BrokerClientCallback.dll.
- msvchost.dat, which contains the encrypted shellcode
- system.dat, which contains the encrypted payload
- wkscli.dll, an unused DLL
“The Task Scheduler is a Windows service hosted by svchost.exe that allows users to control when specific operations or processes are run,” Fortinet said. “The Task Scheduler’s recovery setting is configured to restart the service one minute after it fails by default.”
“When the Task Scheduler is restarted, svchost.exe is executed and loads the malicious TimeBrokerClient.dll. This trigger mechanism does not require the direct launch of any process, making behavior-based detection more challenging.”
The primary function of “TimeBrokerClient.dll” is to allocate memory for the encrypted shellcode within “msvchost.dat” by invoking the VirtualAlloc() function using the RVA value specified in “svchost.ini.” In the next stage, “msvchost.dat” decrypts the payload stored in “system.dat” to retrieve the HoldingHands payload.
HoldingHands is equipped to connect to a remote server, send host information to it, send a heartbeat signal every 60 seconds to maintain the connection, and receive and process attacker-issued commands on the infected system. These commands allow the malware to capture sensitive information, run arbitrary commands, and download additional payloads.
A new feature addition is a new command that makes it possible to update the command-and-control (C2) address used for communications via a Windows Registry entry.
Operation Silk Lure Targets China with ValleyRAT
The development comes as Seqrite Labs detailed an ongoing email-based phishing campaign that has leveraged C2 infrastructure hosted in the U.S., targeting Chinese companies in the fintech, cryptocurrency, and trading platform sectors to ultimately deliver Winos 4.0. The campaign has been codenamed Operation Silk Lure, owing to its China-related footprint.
“The adversaries craft highly targeted emails impersonating job seekers and send them to HR departments and technical hiring teams within Chinese firms,” researchers Dixit Panchal, Soumen Burma, and Kartik Jivani said.
“These emails often contain malicious .LNK (Windows shortcut) files embedded within seemingly legitimate résumés or portfolio documents. When executed, these .LNK files act as droppers, initiating the execution of payloads that facilitate initial compromise.”
The LNK file, when launched, runs PowerShell code to download a decoy PDF resume, while stealthily dropping three additional payloads to the “C:Users<user>AppDataRoamingSecurity” location and executing it. The PDF resumes are localized and tailored for Chinese targets so as to increase the likelihood of success of the social engineering attack.
The payloads dropped are as follows –
- CreateHiddenTask.vbs, which creates a scheduled task to launch “keytool.exe” every day at 8:00 a.m.
- keytool.exe, which uses DLL side-loading to load jli.dll
- jli.dll, a malicious DLL that launches the Winos 4.0 malware encrypted and embedded within keytool.exe
“The deployed malware establishes persistence within the compromised system and initiates various reconnaissance operations,” the researchers said. “These include capturing screenshots, harvesting clipboard contents, and exfiltrating critical system metadata.”
The trojan also comes with various techniques to evade detection, including attempting to uninstall detected antivirus products and terminating network connections associated with security programs such as Kingsoft Antivirus, Huorong, or 360 Total Security to interfere with their regular functions.
“This exfiltrated information significantly elevates the risk of advanced cyber espionage, identity theft, and credential compromise, thereby posing a serious threat to both organizational infrastructure and individual privacy,” the researchers added.
