Phishing campaigns target Taiwan with Winos 4.0 malware


A series of targeted phishing campaigns has been observed in Taiwan that exploits local business processes to distribute Winos 4.0, also known as ValleyRat, along with a range of malicious plugins.

According to a report from Fortinet’s FortiGuard Labs, the campaigns use lures crafted to resemble legitimate government and business communications, including tax audit notifications, tax filing software installers, and cloud-based e-invoice download notices. Analysis of domain registration data indicates that the threat actors are using a rotating set of domains and cloud hosting services to deliver malware.

Over the past two months, researchers observed several delivery techniques. In one campaign, a tax-themed phishing email delivered a RAR archive named “taxIs_RX3001.rar,” which contained both a benign decoy document and a malicious LNK file. When executed, the shortcut file triggered a multi-stage infection chain designed to deploy the malware while avoiding detection. Another campaign distributed forged Ministry of Finance documents through phishing emails. In this case, attackers impersonated an official Taiwanese domain but redirected victims to a China-based cloud service hosting a compressed archive.

The report notes that the threat actor has shifted tactics, moving from LNK files used as intermediate downloaders to archives containing malicious DLL files. Legitimate applications sideload these DLLs, which in turn load shellcode and abuse the same vulnerable driver (wsftprm.sys) to gain kernel-level privileges. Both campaigns connect to the same command-and-control infrastructure, suggesting they are part of a coordinated operation attributed to the Silver Fox threat group.

After exploiting the vulnerable driver to obtain kernel privileges, the malware enters a monitoring loop that scans running processes against a hardcoded list of security tools, including Microsoft Defender, Trend Micro, Symantec, and Chinese security products such as HuoRong and 360. By terminating these processes, Winos 4.0 creates an environment in which it can persist, escalate privileges, and maintain remote access without interference.

The malware conceals its command-and-control address using Base64 encoding. Once it verifies the system version, it connects to its server to retrieve core components and additional plugins that enable file management, screen capture, remote control, and system administration. The components are stored directly in the Windows registry and loaded into memory without writing files to disk.
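The three behaviours described above (the wsftprm.sys driver load, the termination of security products, and a Base64-concealed C2 endpoint written to the registry) can be hunted for in endpoint telemetry. The following triage script is an added example, not code from Fortinet's report; it runs over constructed Sysmon-style events, and the security-product image names, the kill threshold, the registry key names and the 203.0.113.10 address are assumptions made for the sample.

```python
"""Triage constructed Sysmon-style events for the Winos 4.0 behaviours described above."""
import base64
import re

# Sysmon event IDs used below: 5 = process terminated, 6 = driver loaded, 13 = registry value set.
VULN_DRIVER = "wsftprm.sys"  # the vulnerable driver named in the report
# Image names for the security products named in the report (assumed for this sample).
AV_PROCESSES = {"msmpeng.exe", "ntrtscan.exe", "ccsvchst.exe", "hipstray.exe", "360tray.exe"}
KILL_THRESHOLD = 2  # assumption: two or more products killed in one window is worth an alert
HOST_PORT = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9.-]+\.[a-z]{2,}):\d{1,5}$", re.I)


def decodes_to_endpoint(value):
    """Return host:port if a Base64 string conceals a C2-style endpoint, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if HOST_PORT.match(text) else None


def triage(events):
    """Return (finding, detail) pairs for the three behaviours the report describes."""
    findings, killed = [], set()
    for ev in events:
        name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if ev["id"] == 6 and ev["ImageLoaded"].lower().endswith(VULN_DRIVER):
            findings.append(("vulnerable_driver_load", ev["ImageLoaded"]))
        elif ev["id"] == 5 and name in AV_PROCESSES:
            killed.add(name)
        elif ev["id"] == 13 and (endpoint := decodes_to_endpoint(ev["Details"])):
            findings.append(("base64_c2_in_registry", f"{ev['TargetObject']} -> {endpoint}"))
    if len(killed) >= KILL_THRESHOLD:
        findings.append(("security_tool_termination", ",".join(sorted(killed))))
    return findings


# Constructed sample telemetry; paths, key names and the 203.0.113.10 address are placeholders.
SAMPLE_EVENTS = [
    {"id": 6, "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\wsftprm.sys"},
    {"id": 5, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"id": 5, "Image": r"C:\Program Files\360\Total Security\360tray.exe"},
    {"id": 13, "TargetObject": r"HKCU\Software\Example\Cfg", "Details": "Binary Data"},
    {"id": 13, "TargetObject": r"HKCU\Software\Example\Srv",
     "Details": base64.b64encode(b"203.0.113.10:443").decode()},
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

The per-process kill check is deliberately thresholded because a single antivirus restart is routine; the driver load and decoded endpoint are reported individually.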
