A new phishing campaign is targeting users in Taiwan, delivering advanced malware strains including HoldingHands RAT and Gh0stCringe.
The operation, attributed to the threat actor known as Silver Fox APT, is part of a broader malicious campaign first spotted in January, involving the Winos 4.0 malware framework.
According to a recent report by Fortinet FortiGuard Labs, the campaign leverages phishing emails disguised as official communications from Taiwan's National Taxation Bureau and other government entities. The emails contain either PDF documents or ZIP archives embedded with malicious code.
Both HoldingHands RAT (aka Gh0stBins) and Gh0stCringe are variants of the notorious Gh0st RAT, a remote access trojan widely linked to Chinese hacking groups. Victims are tricked into opening attachments under the pretense of tax notifications, invoices, or pension documents.
The multi-stage infection chain uses a variety of techniques, including DLL side-loading (a legitimate, signed executable is made to load an attacker-supplied DLL of the same name as a library it expects), to decrypt and execute shellcode in memory and establish a foothold on the victim's system. Fortinet's analysis also notes anti-virtual machine (anti-VM) checks, intended to frustrate sandbox analysis, and privilege escalation steps taken before the final payload is installed.
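The side-loading step is the part of this chain a defender can hunt for without knowing the specific binaries involved. The following is an added example (not code from Fortinet's report or from the malware) of a heuristic run over image-load telemetry: it flags a DLL whose file name matches a well-known Windows system library but which loaded from outside the system directories, and scores it higher when the DLL is unsigned, sits beside its host executable, or the host itself runs from a user-writable path. The DLL name list, the `signed` field and the sample events are all assumptions constructed for the example.

```python
"""Heuristic detection of DLL side-loading from image-load telemetry.

Added example, not from the Fortinet report. Assumes an endpoint sensor
that records (process path, loaded image path, signature status) for each
DLL load; the sample events below are constructed for illustration.
"""
from dataclasses import dataclass
import ntpath  # Windows path handling, works on any host OS

# System DLL names frequently abused for side-loading (assumed list; extend it
# from your own baseline of image loads).
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll",
    "msimg32.dll", "cryptbase.dll", "propsys.dll",
}

# Directories from which a DLL with one of those names is expected to load.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROGRAM_FILES = "c:\\program files"  # matches "Program Files (x86)" too


@dataclass(frozen=True)
class ImageLoad:
    process_path: str  # executable that loaded the image
    image_path: str    # DLL that was loaded
    signed: bool       # Authenticode signature verified by the sensor (assumed field)


def is_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def score(ev: ImageLoad) -> int:
    """0 = not of interest; higher = more indicators of a side-load layout."""
    name = ntpath.basename(ev.image_path).lower()
    if name not in SYSTEM_DLL_NAMES or is_trusted_dir(ev.image_path):
        return 0
    s = 1  # system DLL name resolved outside the system directories
    if not ev.signed:
        s += 1  # unsigned replacement for a Microsoft-signed library
    if ntpath.dirname(ev.image_path).lower() == ntpath.dirname(ev.process_path).lower():
        s += 1  # DLL sits next to its host: the classic side-load drop layout
    host = ev.process_path.lower()
    if not is_trusted_dir(host) and not host.startswith(PROGRAM_FILES):
        s += 1  # host executable itself runs from a user-writable location
    return s


def find_sideloads(events, threshold: int = 3):
    """Return (event, score) pairs at or above the alert threshold."""
    return [(ev, score(ev)) for ev in events if score(ev) >= threshold]


# Constructed sample telemetry (not real captures).
SAMPLE = [
    # Normal OS behaviour: system binary loads the real system DLL.
    ImageLoad(r"c:\windows\system32\svchost.exe",
              r"c:\windows\system32\version.dll", signed=True),
    # Third-party app loading the genuine 32-bit system copy.
    ImageLoad(r"c:\program files\vendor\app.exe",
              r"c:\windows\syswow64\version.dll", signed=True),
    # Side-load layout: unsigned version.dll beside a host in a temp folder.
    ImageLoad(r"c:\users\victim\appdata\local\temp\update\host.exe",
              r"c:\users\victim\appdata\local\temp\update\version.dll", signed=False),
    # Vendor legitimately bundling a signed dbghelp.dll with its product.
    ImageLoad(r"c:\program files\vendor\app.exe",
              r"c:\program files\vendor\dbghelp.dll", signed=True),
]

if __name__ == "__main__":
    for ev, s in find_sideloads(SAMPLE):
        print(f"score={s} {ev.process_path} loaded {ev.image_path}")
```

The threshold of 3 is deliberate: a signed DLL that a vendor ships beside its own program scores 2 and stays quiet, while the unsigned copy dropped in a temp folder next to its host scores 4. Tune the name list and threshold against a week of your own image-load baseline before alerting on it.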
Ultimately, the attack installs the final payload, a component named msgDb.dat, which connects to the attackers' command-and-control servers to exfiltrate user data, execute commands, and deploy additional modules for remote desktop access and file management.
Fortinet also noted the use of HTM-based phishing lures, which direct victims to download the malware via seemingly legitimate document portals.