Malware News Massive Winos 4.0 Campaigns Target Taiwan

Khushal

Apr 4, 2024
FortiGuard Labs recently observed several targeted phishing campaigns in Taiwan that use themes designed to exploit local business processes. These campaigns disseminate Winos 4.0 (ValleyRat) and subsequent malicious plugins through weaponized attachments or embedded links. The lures mimic official communications, such as tax audit notifications, tax filing software installers, and cloud-based e-invoice downloads.


 
What you quoted matches FortiGuard’s February 20, 2026 write-up on “Winos 4.0 (ValleyRat)” delivery via Taiwan tax/e-invoice themed phishing, and your screenshot is consistent with their “Campaign 1” example: an archive (RAR/7z) that contains a decoy document plus a malicious shortcut (.LNK) that looks like a document and launches a scripted download chain. ([fortinet.com](https://www.fortinet.com/blog/threat-research/massive-winos-40-campaigns-target-taiwan))

Why this is effective (and dangerous)
  • A .LNK file can be given a “document” icon/name, so it looks harmless when Windows hides extensions.
  • When executed, the shortcut can run cmd.exe with obfuscated commands to download and run the next-stage payload (Fortinet specifically describes curl.exe being copied/renamed and used to fetch the payload). ([fortinet.com](https://www.fortinet.com/blog/threat-research/massive-winos-40-campaigns-target-taiwan))
  • Fortinet also describes later stages involving DLL sideloading and a BYOVD technique using a vulnerable driver (“wsftprm.sys”), which is a common way attackers try to weaken endpoint protection. ([fortinet.com](https://www.fortinet.com/blog/threat-research/massive-winos-40-campaigns-target-taiwan))

Practical takeaways for users (safe handling)
  • Do not open “tax/e-invoice/audit notice” archives from email/IM unless independently verified via a trusted channel.
  • In Windows Explorer, enable “File name extensions” so “taxIs_RX3001” can’t hide as a shortcut (you’ll see “.lnk” if it is one).
  • If you already extracted it, don’t double-click anything inside the archive. Uploading suspicious files to VirusTotal can help triage, but don’t upload anything containing sensitive tax/identity data.
  • If you executed it, disconnect the machine from the network, then run full scans with reputable EDR/AV, and collect logs before “cleaning” if this is an org environment.

Defender/IT hardening points this report reinforces
  • Block or strongly restrict shortcut files delivered via email/archives (many orgs treat inbound .LNK as high-risk).
  • Use Microsoft Defender ASR rules (or equivalent) to reduce “email/web-delivered execution” and suspicious child processes.
  • Keep Windows security features that mitigate driver abuse enabled where possible (e.g., vulnerable driver blocklist / Memory Integrity) because the report explicitly notes driver-abuse behavior. ([fortinet.com](https://www.fortinet.com/blog/threat-research/massive-winos-40-campaigns-target-taiwan))
  • Don’t rely only on static domain blocking; Fortinet notes fast-rotating infrastructure and cloud hosting. ([fortinet.com](https://www.fortinet.com/blog/threat-research/massive-winos-40-campaigns-target-taiwan))

If this is being discussed as an active incident (someone clicked), the safest next step on MalwareTips is to post in the malware removal/help section with relevant logs (Defender/EDR detections, Autoruns, scheduled tasks, and any outbound connection evidence) so experienced members can guide containment and cleanup without guesswork.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1566.001
Phishing: Spearphishing Attachment

T1059.003
Command and Scripting Interpreter: Windows Command Shell

T1105
Ingress Tool Transfer (via curl[.]exe renamed to url.exe)

T1548.002
Abuse Elevation Control Mechanism: Bypass UAC (via computerdefaults.exe and Debug Object Hijacking)

T1068
Exploitation for Privilege Escalation (BYOVD attack via wsftprm.sys)

T1562.001
Impair Defenses: Disable or Modify Tools

CVE Profile
NVD Score: N/A (BYOVD General Technique)
CISA KEV Status: Inactive/Unknown for this specific payload.

Telemetry

Hashes (SHA256)
  • 64ee7a2e6259286311c8ba1c7b6d30e1e52fe78befcfd1b71b291c788f3e3e6a (Setup.exe)
  • 156f31b37ee0d6e7f87cdc94dcd2d3b084b2e15da08bd8588e17d6bdc43159fe (AISafeSDK64.dll)

IPs
  • 47.76.86[.]151
  • 154.91.64[.]246

Domains
  • bqdrzbyq.cn
  • taxfnat.tw
  • njhwuyklw.com
  • twtaxgo.cn

Registry Keys
  • Queries SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable

Constraint
The payload structure suggests high modularity, as secondary plugins are stored directly in the registry for fileless execution without touching the disk.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate incident response protocols for potential APT compromise and broadcast internal risk advisories regarding Taiwanese tax-themed and e-invoice lures.

DETECT (DE) – Monitoring & Analysis

Command
Query SIEM for anomalous process creation events involving cmd[.]exe executing from an LNK file, specifically monitoring for curl[.]exe being copied to %public%\501\url.exe.

Command
Hunt for outbound network connections to 47.76.86[.]151 and 154.91.64[.]246.

RESPOND (RS) – Mitigation & Containment

Command
Isolate endpoints exhibiting wsftprm.sys driver loads or unexpected execution of computerdefaults.exe.

Command
Forensically acquire systems where security services (e.g., MsMpEng.exe, 360tray.exe, SecurityHealthService.exe) have been unexpectedly terminated.

RECOVER (RC) – Restoration & Trust

Command
Rebuild infected hosts entirely from known-good gold images due to the kernel-level compromise established by the malicious driver.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Enforce Microsoft's Vulnerable Driver Blocklist strictly via Windows Defender Application Control (WDAC).

Command
Block external inbound delivery of RAR/7z compressed archives at the email gateway.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords/MFA using a known clean device (e.g., phone on 5G).

Priority 3: Persistence

Command
Check Scheduled Tasks, Startup Folders, and Browser Extensions. (Note: Due to driver-level compromise, a full OS reinstall is highly recommended).

Hardening & References

Baseline

CIS Benchmarks.

Framework
NIST CSF 2.0 / SP 800-61r3.

Style
Ensure Memory Integrity (HVCI) and the Microsoft Vulnerable Driver Blocklist are toggled ON in Windows Security settings. Limit the execution of script interpreters from User profile directories.

Source

FortiGuard Labs Threat Research
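One way to turn the DETECT and RESPOND hunts above (curl.exe copied to %public%\501\url.exe, wsftprm.sys driver loads, connections to the two listed IPs, terminated security services) into a repeatable check, as an added example that is not part of the original post or the FortiGuard report. It assumes a Sysmon-style JSON export whose field names (event_type, image, parent_image, cmdline, driver, dest_ip) are an assumption to adapt to your SIEM, and it runs on constructed sample events.

```python
"""Hunt exported endpoint events for the Winos 4.0 behaviours listed in this
thread. Added example, not FortiGuard's code. The event field names are an
assumption about a Sysmon-style SIEM export; adapt them to your telemetry."""
import re

# Indicators quoted in the thread (posted defanged with [.]; re-fanged here).
C2_IPS = {ip.replace("[.]", ".") for ip in ("47.76.86[.]151", "154.91.64[.]246")}
VULN_DRIVER = "wsftprm.sys"
SECURITY_SERVICES = {"msmpeng.exe", "360tray.exe", "securityhealthservice.exe"}
# curl.exe copied/renamed to %public%\501\url.exe, as described in the report.
CURL_COPY = re.compile(r"curl\.exe.*\\501\\url\.exe", re.IGNORECASE)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

RULES = {
    "T1105 curl copied to url.exe":
        lambda e: e["event_type"] == "process" and bool(CURL_COPY.search(e.get("cmdline", ""))),
    "T1068 vulnerable driver loaded":
        lambda e: e["event_type"] == "driver_load" and _basename(e.get("driver", "")) == VULN_DRIVER,
    "C2 IP from report":
        lambda e: e["event_type"] == "network" and e.get("dest_ip") in C2_IPS,
    "T1562.001 security service terminated":
        lambda e: e["event_type"] == "process_terminate" and _basename(e.get("image", "")) in SECURITY_SERVICES,
}

def hunt(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    return [(name, e) for e in events for name, test in RULES.items() if test(e)]

# Constructed sample events (not real telemetry; paths are illustrative).
SAMPLE_EVENTS = [
    {"event_type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c copy C:\Windows\System32\curl.exe %public%\501\url.exe"},
    {"event_type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"cmd.exe /c dir"},
    {"event_type": "driver_load", "driver": r"C:\Users\Public\501\wsftprm.sys"},
    {"event_type": "network", "image": r"C:\Users\Public\501\url.exe", "dest_ip": "47.76.86.151"},
    {"event_type": "network", "image": r"C:\Program Files\Browser\browser.exe", "dest_ip": "203.0.113.5"},
    {"event_type": "process_terminate",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
]

if __name__ == "__main__":
    for name, e in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {e}")
```

Benign cmd.exe and browser traffic in the sample produce no hits, so the four matches returned are exactly the behaviours the thread tells you to triage.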
 
The campaign in Taiwan shows the same pattern we’ve seen elsewhere: malware disguises itself as everyday paperwork and exploits our trust in routine. It’s not just a local issue—it’s a global reminder that routine is the attacker’s favorite disguise. 🔍🌍⚠️