A persistent malware campaign is targeting Microsoft Windows users in Taiwan. Using phishing emails disguised as correspondence from Taiwan’s National Taxation Bureau, the threat actors are delivering winos 4.0 malware.
Fortinet’s FortiGuard Labs traced the operation back to January 2025. Over the months that followed, the campaign evolved, adopting more sophisticated tools and techniques, most notably a variant of the HoldingHands remote access trojan (RAT).
Its objective is simple: establish stealthy, long-term access for further attacks. The method, however, is anything but.
The Hook: Official-Looking Emails
Initial infection starts with phishing emails purporting to come from government entities. These messages leverage urgent topics (tax inspections, pension updates, invoices) to startle recipients into downloading an attachment or clicking on a link.
One of these links, embedded in an HTML file, directed targets to the domain twszz[.]xin. It pretended to be a tax inspection portal that offered an account statement file. While it appeared benign, in reality, the link sparked a silent chain of events, including malware download, ZIP file extraction, and the execution of multiple payloads aimed at gaining control of the target’s machine.
From Email to Execution
By March, FortiGuard had identified additional phishing emails with embedded attachments. These dropped ZIP files contain a host of components: legitimate executables, encrypted shellcode, and dynamic-link libraries (DLLs) crafted to slip through the nets.
Key to this evasion is a side-loading tactic. A legitimate executable loads a malicious DLL (dokan2.dll), which decrypts and runs the payload (dxpi.txt). The process is layered, obscure, and difficult to reverse-engineer. In some variants, passwords for the ZIP archives were hidden on download pages, rendering the files inaccessible to researchers without access to those URLs.
The malware complicates forensic analysis by employing a combination of empty placeholder files, renamed DLLs, and encrypted binaries. Among the fake DLLs, one stands out: DwhsOqnbdrr.dll. Its name is an encoded string that decodes to “ExitProcess,” a hint at how the malware hijacks system calls to maintain control.
Privilege Escalation and Persistence
Once deployed, the malware checks the system’s physical memory. Machines with less than 8GB of RAM are treated as likely sandboxes or virtual machines and are quickly abandoned. On physical systems, the malware proceeds with privilege escalation, impersonating high-privilege accounts such as SYSTEM and TrustedInstaller to gain unfettered access.
Persistence is ensured by dropping files into system directories and creating registry keys.
C2 and Modular Attacks
The core of the operation is msgDb.dat, the command-and-control (C2) agent based on HoldingHands. This component collects system information (IP address, hostname, OS details) and sends it to a remote server. Communication follows a strict binary format and includes regular heartbeat signals (periodic signals sent between devices or components to indicate normal operation) to maintain a live connection.
Upon receiving further instructions from the server, msgDb.dat downloads and executes additional modules. FortiGuard identified three: two for remote desktop access, one for file management. These use a consistent interface, initiated by calling a function named ModuleEntry.
The attacker’s toolkit is flexible. If the current module does not match the command from the server, msgDb.dat requests a new one and runs it. These modules carry identifiers such as jingjianban, a Chinese term meaning “lite version,” suggesting modular variants that are optimized for specific functions or environments.
Old Dog, New Tricks
This isn’t the group’s first rodeo. FortiGuard’s researchers believe the operation is linked to previous attacks involving winos and Gh0stCringe malware strains. However, the actors behind it continuously hone their methods, adding layers of obfuscation, adapting file structures, and tweaking privilege escalation routines.
One variant seen during analysis terminated itself if it detected security software such as Kaspersky (avp.exe) or if it was executed in the wrong context. Another spoofed the legitimate msimg32.dll used in applications like LINE and WeChat, executing only when loaded by one of these programs.
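A defender-side check, added here and not part of the FortiGuard research or this article, covering the two loader behaviours described above: a Windows system DLL name (msimg32.dll) loaded from outside the system directories, and the campaign’s DwhsOqnbdrr.dll appearing at all. The Sysmon-style event fields, the sample events and the C:\Windows paths are assumptions constructed for the example.

```python
from pathlib import PureWindowsPath

# System DLLs that Windows legitimately loads only from the system directories.
# msimg32.dll is the one the article reports being spoofed for LINE/WeChat.
SYSTEM_DLLS = {"msimg32.dll"}
# Assumption: SystemRoot is C:\Windows (adjust for the host being checked).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# DLL name the article attributes to the campaign's own loader chain.
CAMPAIGN_DLLS = {"dwhsoqnbdrr.dll"}

# Constructed sample of Sysmon-style image-load events (Event ID 7):
# "Image" is the loading process, "ImageLoaded" the DLL it pulled in.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\LINE\\LINE.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msimg32.dll"},          # benign
    {"Image": "C:\\Users\\u\\Downloads\\statement\\LINE.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\statement\\msimg32.dll"},  # side-load
    {"Image": "C:\\Users\\u\\Downloads\\statement\\setup.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\statement\\DwhsOqnbdrr.dll"},
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll"},          # benign
]


def classify(event):
    """Return a finding string for a suspicious image load, or None."""
    loaded = PureWindowsPath(event["ImageLoaded"].lower())
    name = loaded.name
    if name in CAMPAIGN_DLLS:
        return f"known campaign DLL {name} loaded by {event['Image']}"
    # A system DLL name resolved from a non-system directory is the classic
    # side-loading signature: the app picked up a lookalike next to itself.
    if name in SYSTEM_DLLS and str(loaded.parent) not in SYSTEM_DIRS:
        return (f"system DLL name {name} loaded from non-system path "
                f"{event['ImageLoaded']} by {event['Image']} (possible side-loading)")
    return None


def hunt(events):
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```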
Breach, Persist, Exploit
What began as a localized phishing campaign is actually a carefully orchestrated and evolving threat. It uses familiar tools under new guises, blending deception with technical sophistication. Every attack stage is engineered for stealth, control, and persistence.
FortiGuard will continue to monitor the threat actor’s infrastructure and malware developments. In the meantime, organizations, particularly those in government and finance, are advised to review email security, endpoint defenses, and privilege escalation protections.
Security teams are urged to stay vigilant. The malware may change its face, but its intent remains the same: breach, persist, exploit.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.