Tracking Malware and Attack Expansion: A Hacker Group’s Journey across Asia
A phishing campaign targeting Windows users was discovered in 2025, expanding from China to Taiwan, Japan and Malaysia. The attackers distribute malware through PDFs disguised as government documents and through cloud storage, and trigger the attack chain via the Task Scheduler. The campaign is highly destructive and keeps evolving to evade detection. 2025-10-17 13:00:00 Author: feeds.fortinet.com

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

In January 2025, FortiGuard Labs observed Winos 4.0 attacks targeting users in Taiwan. In February, it became clear the actor had changed malware families and expanded operations. What first appeared isolated was part of a broader campaign that shifted from China to Taiwan, then Japan, and most recently Malaysia.

This article examines the methodologies employed to identify strategic connections between their campaigns, revealing how seemingly unrelated attacks are linked through shared infrastructure, code patterns, and operational tactics.

Figure 2: Attack campaign in 2025

Threat Hunting

The campaign relied on phishing emails with PDFs that contained embedded malicious links. These files masqueraded as official documents from the Ministry of Finance and included numerous links in addition to the one that delivered Winos 4.0. The following image illustrates the links found in a phishing PDF file used in the campaign.

Figure 3: Links in a phishing PDF

Most of the links pointed to Tencent Cloud storage. IDs embedded in the URLs allowed analysts to attribute multiple files to the same account holder. According to the official document, the IDs 1321729461 and 1329400280 in the above screenshot are unique, which means any other link containing an identical ID belongs to the same account owner.

Figure 4: Explanation of each part of a Tencent Cloud link

With these IDs, we obtained more related PDF files, including the ones distributing HoldingHands. In addition to mimicking official documents from the Ministry of Finance, the phishing lure in the newly discovered PDF files can also be an official document from other government departments or a purchase order.
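The account-ID pivot described above, as an added example that is not code from the original article: it extracts the APPID from Tencent Cloud (COS) links and groups links by owner. It assumes the standard COS virtual-hosted URL form `https://<bucket>-<APPID>.cos.<region>.myqcloud.com/<object>`; the bucket names, regions and object names below are constructed, and only the two APPIDs come from the article.

```python
"""Cluster Tencent Cloud (COS) download links by account ID (APPID).

Assumes the virtual-hosted COS URL form where the host label ends in the
owner's 10-digit APPID:  <bucket>-<APPID>.cos.<region>.myqcloud.com
Sample URLs are constructed; the APPIDs are the ones quoted in the article.
"""
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import urlparse

# "<bucket>-<APPID>.cos.<region>.myqcloud.com"; the bucket may itself contain '-'
_COS_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9-]+)-(?P<appid>\d{10})\.cos\.(?P<region>[a-z0-9-]+)\.myqcloud\.com$",
    re.IGNORECASE,
)

def parse_cos_url(url: str) -> Optional[dict]:
    """Return bucket/APPID/region/object for a COS link, or None for any other URL."""
    parsed = urlparse(url.replace("[.]", "."))  # accept defanged links as written in reports
    match = _COS_HOST.match(parsed.hostname or "")
    if not match:
        return None
    return {**match.groupdict(), "object": parsed.path.lstrip("/")}

def cluster_by_appid(urls) -> dict:
    """Group object names by APPID; the same APPID means the same account owner."""
    clusters = defaultdict(list)
    for url in urls:
        info = parse_cos_url(url)
        if info:
            clusters[info["appid"]].append(info["object"])
    return dict(clusters)

# Constructed sample: two links share an APPID, one uses a different account,
# and one is a custom-domain link that is not COS storage at all.
SAMPLE_LINKS = [
    "https://docs-1321729461.cos.ap-hongkong.myqcloud.com/tax_notice.pdf",
    "https://files-1329400280.cos.ap-hongkong.myqcloud.com/purchase_order.pdf",
    "https://docs-1321729461.cos.ap-singapore.myqcloud.com/regulation_draft.pdf",
    "https://twsww[.]xin/download[.]html",
]

if __name__ == "__main__":
    for appid, objects in cluster_by_appid(SAMPLE_LINKS).items():
        print(appid, objects)
```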

In this phase, the malware is delivered via a custom domain link, while cloud storage links were used in old PDF files. The domains share a common naming pattern: the second-level domain includes tw, which is the abbreviation for Taiwan. The links refer to webpages hosting the latest malware, which complicates analysis as the download link or necessary information, such as the decompression password, may be taken down before analysts retrieve the payload. However, this can also cause information leakage if the hacker is careless. Here is an example that helped us identify a new attack targeting Japan.

Figure 5: The PDF targeting Taiwan shared a link with an attack targeting Japan

One PDF, posing as a tax regulation draft for Taiwan, redirected to a Japanese-language page, where victims were tricked into downloading a ZIP that delivered the HoldingHands payload. The presence of ‘tw’ in the download link, twsww[.]xin/download[.]html, increases confidence that the attack is targeting Taiwan. Despite this, the link leads to a webpage written in Japanese that asks the user to download the latest file. The ZIP file downloaded from the Japanese page contains an EXE file that delivers the HoldingHands payload. The EXE embeds all necessary files, which are dropped to execute the attack flow, similar to the previous attack.

The C2 IP address is 156[.]251[.]17[.]9. The IP address is the same as the one used by the HoldingHands variant that is expected to be downloaded from the link in the PDF. This strengthens the connection between the attacks targeting Taiwan and Japan. The EXE carries a legitimate digital signature to evade detection and contains debug paths pointing to BackDoor.pdb, further linking it to HoldingHands development. Here is the debug directory:

D:\Workspace\HoldingHands-develop\HoldingHands-develop\Door\x64\Release\BackDoor.pdb

Figure 6: The digital signature

Based on these clues, we were able to identify additional related files and, ultimately, a possible infection vector: a Word document. The link in the document also leads the user to a download page hosting a variant of HoldingHands.

Figure 7: The phishing Word document

The download page is identical to the one shown in Figure 5. The actual download link is fetched from JSON data at runtime rather than being stored in the script on the page. This keeps the payload URL out of the page source, so the link cannot be tied to the webpage, thereby frustrating threat hunting.

Figure 8: The script on the download page

The script was used repeatedly across multiple webpages for different attacks. For example, in a phishing email targeting Taiwan sent in March 2025, the attached HTML redirects to a download page containing similar code.

Figure 9: The script on the download page targeting Taiwan

It is worth noting that the attached HTML file also contains a link to a deceptive image used in an attack targeting China. Figure 10 shows the source code of the attached HTML file. The link twswzz[.]xin/index[.]html refers to a download page whose source code is shown in Figure 9, while the Tencent Cloud link refers to the deceptive image targeting China.

Figure 10: The attached HTML file

By following the APPID in Figure 10, we identified additional Tencent Cloud links and a series of phishing attacks targeting China that utilized Excel documents. The earliest record of the Excel document dates back to March 2024. Among the files with dates near the attack on Taiwan, we observed Winos 4.0.

Figure 11: The phishing Excel document

Ongoing Attacks (Malaysia)

More recent attacks have shifted to Malaysia. Analysts connected these campaigns after finding that twczb[.]com — a domain previously associated with Taiwan-focused phishing — resolved to the same IP address used in the Malaysia-based activity.

Figure 12: The domains resolve to the same IP address

The Malaysian campaign again used a simple phishing page to trick users into downloading HoldingHands, which is now delivered through another multi-stage flow. In the main execution flow of the previous attack, the EXE files to side-load the DLL for the next stage are dropped to disk, leaving forensic artifacts.

Figure 13: The attack flow of the previous variant. Only the highlighted part remains in this variant

Unlike earlier variants, the later stages are now triggered by the Windows Task Scheduler service, making behavior-based detection more difficult.

Figure 14: The current attack flow

Technical Deep Dive (dll/dat chain)

dokan2.dll

dokan2.dll functions as a shellcode loader for sw.dat. It is loaded by Dokumen audit cukai dan sampel bahan.exe, a social engineering lure that masquerades as a tax audit document to convince victims to run it. dokan2.dll is originally a library from the open-source project Dokany. In this case, the threat actor crafted a malicious DLL with the same name and leveraged Dokany’s legitimate control program (renamed Dokumen audit cukai dan sampel bahan.exe) to load the malicious dokan2.dll.

sw.dat

sw.dat sets up the environment for the malware by creating necessary files and escalating privilege. It retains functions used in the previous variant, such as anti-VM, which checks physically installed RAM, and privilege escalation, which impersonates the TrustedInstaller service’s thread to obtain the highest privilege. The remaining installation process drops the following files to C:\Windows\System32:

| File | Description |
| --- | --- |
| svchost.ini | RVA of the VirtualAlloc function |
| TimeBrokerClient.dll | Malicious DLL; the legitimate TimeBrokerClient.dll is renamed BrokerClientCallback.dll. |
| msvchost.dat | Encrypted shellcode |
| system.dat | Encrypted payload |
| wkscli.dll | (unused) |

In addition, it enumerates active processes against a list of security products to identify which defenses are running on the host:

| Product | Process |
| --- | --- |
| Norton | nllToolsSvc.exe, NortonUI.exe, NortonSvc.exe |
| Avast | afwServ.exe, AvDump.exe, wsc_proxy.exe |
| Kaspersky | avp.exe |

If any process related to Norton or Avast is found, it drops wkscli.dll, which can be side-loaded by many Windows processes. However, wkscli.dll doesn’t exhibit any noticeable behavior in this attack. After checking for the Norton and Avast processes, it checks for avp.exe and exits if any of the listed anti-virus processes is found. If no anti-virus processes are found, it terminates the Task Scheduler service. The Task Scheduler is a Windows service hosted by svchost.exe that allows users to control when specific operations or processes are run. By default, the Task Scheduler’s recovery setting is configured to restart the service one minute after it fails.

Figure 15: The Task Scheduler's default recovery setting

When the Task Scheduler is restarted, svchost.exe is executed and loads the malicious TimeBrokerClient.dll. This trigger mechanism does not require the direct launch of any process, making behavior-based detection more challenging.

TimeBrokerClient.dll

When TimeBrokerClient.dll is loaded, it first checks the name of the process that loaded it. It calculates the sum of ASCII values in the process name and continues only when it equals 0x47A, which is the expected result when the process is svchost.exe. After this, it calls the VirtualAlloc function to allocate memory for the encrypted data in msvchost.dat. The virtual address of the VirtualAlloc function is calculated by adding the RVA stored in svchost.ini to the image base of kernel32.dll, which it retrieves by calling the GetModuleHandleA function. The call fails if the analyst overlooks the svchost.ini file.

Furthermore, the filenames svchost.ini and msvchost.dat are generated by combining the name of the loading process (svchost expected) with the remaining parts of the filename. This hinders the analysis if the trigger mechanism is not well understood. The process name also works as the decryption key for the data in msvchost.dat, which is yet another anti-analysis technique. The data is decrypted into shellcode and executed in the memory.
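The host-process gate and the derived filenames described above, re-created as an added example for analysts (this is not code from the article or from the malware): it reproduces the ASCII-sum check that yields 0x47A for svchost.exe and the composition of svchost.ini and msvchost.dat from the loader's process name, and pairs them with a hypothetical System32 triage helper built from the dropped-file table above. The sample directory listing is constructed.

```python
"""Re-create the TimeBrokerClient.dll host-process gate and derived filenames.

The checksum (sum of ASCII values == 0x47A) and the name composition
(<stem>.ini and m<stem>.dat) follow the article's description; the triage
helper and the sample listing are constructed for illustration.
"""
EXPECTED_SUM = 0x47A  # the value the loader expects when hosted by svchost.exe

def name_checksum(process_name: str) -> int:
    """Sum of the ASCII values of the loading process's name."""
    return sum(process_name.encode("ascii"))

def passes_gate(process_name: str) -> bool:
    """True only when the process name sums to 0x47A (svchost.exe does)."""
    return name_checksum(process_name) == EXPECTED_SUM

def derived_filenames(process_name: str) -> tuple:
    """Config and shellcode file names built from the host process stem:
    'svchost.exe' -> ('svchost.ini', 'msvchost.dat')."""
    stem = process_name.rsplit(".", 1)[0]
    return f"{stem}.ini", f"m{stem}.dat"

# Artifacts the installer stage drops to C:\Windows\System32 (per the table above).
DROPPED_ARTIFACTS = {"svchost.ini", "msvchost.dat", "system.dat", "BrokerClientCallback.dll"}

def suspicious_system32(listing) -> set:
    """Return the dropped artifacts present in a System32 directory listing.
    A clean System32 contains none of these names; BrokerClientCallback.dll is
    the renamed legitimate TimeBrokerClient.dll."""
    present = {name.lower() for name in listing}
    return {f for f in DROPPED_ARTIFACTS if f.lower() in present}

# Constructed listing standing in for a System32 directory on an infected host.
SAMPLE_LISTING = ["svchost.exe", "kernel32.dll", "TimeBrokerClient.dll",
                  "BrokerClientCallback.dll", "svchost.ini", "msvchost.dat", "system.dat"]

if __name__ == "__main__":
    print(hex(name_checksum("svchost.exe")), passes_gate("svchost.exe"))
    print(derived_filenames("svchost.exe"))
    print(sorted(suspicious_system32(SAMPLE_LISTING)))
```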

msvchost.dat

In this stage, the data stored in system.dat is decrypted to retrieve the HoldingHands payload. It first checks the command line of the current process and only continues when the command line is:

C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule

svchost.exe is a system process that hosts multiple services, and its arguments determine which service to start. The msvchost.dat shellcode therefore uses the command line to ensure that it is executing inside the expected service host. It then repeats the anti-virus process checks performed earlier by sw.dat.

Figure 17: The instance of svchost that hosts Task Scheduler

Because the msvchost.dat shellcode is triggered indirectly via Task Scheduler, it runs in a separate session from the user, requiring additional steps to regain user-level access. To execute the HoldingHands payload at the user level, it retrieves the list of all terminal sessions by calling the WTSEnumerateSessions function. It then searches for an active session, indicating a logged-on user. It then duplicates a logged-on user’s access token, allowing the shellcode to impersonate the user’s security context.

It also retrieves the logged-on user’s environment variables, which are then passed to the CreateProcessAsUserW function to launch taskhostw.exe, where the decrypted data of system.dat is injected. Finally, the shellcode checks every five seconds to determine whether taskhostw.exe is still running, and injects the payload into a new instance if taskhostw.exe is no longer alive.

HoldingHands Payload

The HoldingHands payload remains essentially unchanged from the previous attack. The most notable change is a new C2 task, command 0x15, that updates the server IP address via a registry entry, enabling attackers to shift infrastructure without redeploying malware. The registry key for configuration is still HKEY_CURRENT_USER\SOFTWARE\HHClient, which was also observed in previous attacks. Below is the registry key and value used for the IP update.

Registry key: HKEY_CURRENT_USER\SOFTWARE\HHClient

Value name: AdrrStrChar

Value: {IP address}

Additionally, the command to terminate the payload has been changed from 0x15 to 0x17.

Conclusion

Threat actors continue to rely on phishing lures and layered evasion to deliver malware while obscuring their activity. Yet those same tactics provide valuable clues that link campaigns across borders. By following infrastructure, code reuse, and behavioral patterns, FortiGuard Labs has connected attacks spanning China, Taiwan, Japan, and now Malaysia and identified the latest HoldingHands variant in the process.

FortiGuard will continue to monitor these attack campaigns and provide appropriate protection as required.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

XML/Agent.EFA9!tr
W64/ShellcodeRunner.ARG!tr
W64/Agent.BDN!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

FortiMail recognizes the phishing email as “virus detected.” In addition, real-time anti-phishing protection provided by FortiSandbox embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions provides advanced protection against both known and unknown phishing attempts.

The FortiGuard CDR (Content Disarm and Reconstruction) service, which runs on both FortiGate and FortiMail, can disarm malicious macros in documents.

We also suggest that organizations go through Fortinet’s free NSE training module: FCF Fortinet Certified Fundamentals. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs



Source: https://feeds.fortinet.com/~/926392919/0/fortinet/blog/threat-research~Tracking-Malware-and-Attack-Expansion-A-Hacker-Group%e2%80%99s-Journey-across-Asia