Silver Fox APT Targets Taiwan with Complex Gh0stCringe and HoldingHands RAT Malware - The Hacker News
Silver Fox APT Targets Taiwan with Complex Gh0stCringe and HoldingHands RAT Malware
Ravie Lakshmanan | Jun 17, 2025 | Malware / Email Security
Cybersecurity researchers are warning of a new phishing campaign that's targeting users in Taiwan with malware families such as HoldingHands RAT and Gh0stCringe.
The activity is part of a broader campaign that delivered the Winos 4.0 malware framework earlier this January by sending phishing messages impersonating Taiwan's National Taxation Bureau, Fortinet FortiGuard Labs said in a report shared with The Hacker News.
The cybersecurity company said it identified additional malware samples through continuous monitoring and that it observed the same threat actor, referred to as Silver Fox APT, using malware-laced PDF documents or ZIP files distributed via phishing emails to deliver Gh0stCringe and a malware strain based on HoldingHands RAT.
It's worth noting that both HoldingHands RAT (aka Gh0stBins) and Gh0stCringe are variants of a known remote access trojan called Gh0st RAT, which is widely used by Chinese hacking groups.
The starting point of the attack is a phishing email that masquerades as messages from the government or business partners, employing lures related to taxes, invoices, and pensions to persuade recipients into opening the attachment. Alternate attack chains have been found to leverage an embedded image that, when clicked, downloads the malware.
The PDF files, in turn, contain a link that redirects prospective targets to a download page hosting a ZIP archive. Present within the file are several legitimate executables, shellcode loaders, and encrypted shellcode.
The multi-stage infection sequence uses the shellcode loader to decrypt and execute the shellcode, which in turn consists of DLL files that the legitimate binaries load through DLL side-loading. Intermediate payloads deployed as part of the attack incorporate anti-VM checks and privilege escalation to ensure that the malware runs unimpeded on the compromised host.
The attack culminates with the execution of "msgDb.dat," which implements command-and-control (C2) functions to collect user information and download additional modules to facilitate file management and remote desktop capabilities.
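As an added defender-side example (not code from the article or from Fortinet), the following Python script applies a triage heuristic to a ZIP attachment of the kind described above: it flags archives that bundle an executable with DLLs and high-entropy data files, which is the shape a side-loading kit carrying encrypted shellcode tends to take. The file names, archive contents and the entropy threshold are constructed for the demo, not indicators from the campaign.

```python
"""
Triage heuristic for ZIP email attachments: flag archives that look like a
DLL side-loading bundle (an EXE shipped beside DLLs plus high-entropy data
files that may hold encrypted shellcode).

Added example for this article; not Fortinet's tooling. All file names and
archive contents below are constructed placeholders, not real indicators.
"""
import io
import math
import zipfile
from collections import Counter
from typing import Dict, List

# Extensions that commonly carry non-code payloads in side-loading bundles
# (assumed list for the demo).
DATA_EXTS = (".dat", ".bin", ".db", ".tmp")
# Shannon entropy (bits per byte) above which a blob is treated as encrypted
# or compressed. Plain text sits around 4-5 bits; random data approaches 8.
HIGH_ENTROPY = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage_zip(blob: bytes) -> Dict[str, object]:
    """Inspect an in-memory ZIP archive and return a verdict dictionary."""
    exes: List[str] = []
    dlls: List[str] = []
    hot_data: List[str] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith("/"):          # skip directory entries
                continue
            if name.endswith(".exe"):
                exes.append(info.filename)
            elif name.endswith(".dll"):
                dlls.append(info.filename)
            elif name.endswith(DATA_EXTS):
                # Encrypted shellcode blobs are near-random, so entropy is high.
                if shannon_entropy(zf.read(info)) >= HIGH_ENTROPY:
                    hot_data.append(info.filename)
    # An EXE beside DLLs is the classic side-loading layout; each high-entropy
    # data file adds weight. Scores are a triage aid, not a malware verdict.
    sideload_bundle = bool(exes) and bool(dlls)
    score = (2 if sideload_bundle else 0) + len(hot_data)
    return {
        "exes": exes,
        "dlls": dlls,
        "high_entropy_data": hot_data,
        "sideload_bundle": sideload_bundle,
        "score": score,
        "suspicious": score >= 3,
    }


def build_sample(files: Dict[str, bytes]) -> bytes:
    """Build a ZIP archive in memory from a name -> content mapping (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a side-loading-shaped bundle and a benign-looking archive.
# bytes(range(256)) * 16 has exactly 8.0 bits/byte of entropy, standing in for
# an encrypted blob without shipping anything executable.
SAMPLE_BUNDLE = build_sample({
    "viewer.exe": b"MZ" + b"\x00" * 64,
    "helper.dll": b"MZ" + b"\x00" * 64,
    "data.dat": bytes(range(256)) * 16,
})
SAMPLE_BENIGN = build_sample({
    "report.pdf": b"%PDF-1.4 sample text only",
    "notes.txt": b"quarterly numbers attached\n",
})


if __name__ == "__main__":
    for label, blob in (("bundle", SAMPLE_BUNDLE), ("benign", SAMPLE_BENIGN)):
        print(label, triage_zip(blob))
```

The heuristic is deliberately a score rather than a yes/no: plenty of legitimate software ships an EXE beside its DLLs, so the bundle shape alone only raises the score, and it is the additional high-entropy data file that pushes a sample over the threshold for analyst review.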
Fortinet said it also discovered the threat actor propagating Gh0stCringe via PDF attachments in phishing emails that direct users to HTM document download pages.
"The attack chain comprises numerous snippets of shellcode and loaders, making the attack flow complex," the company said. "Across winos, HoldingHands, and Gh0stCringe, this threat group continuously evolves its malware and distribution strategies."
Update
According to a security researcher, who goes by the handle somedieyoungZZ, the Silver Fox group has also targeted organizations in Japan and Taiwan using digitally-signed fake salary revision notices. These executables, signed with stolen certificates, unpack COM-based loaders and deploy backdoors in memory to establish persistent remote access.
"From leveraging a stolen digital certificate to delivering modular payloads, the entire setup is crafted to bypass conventional detection mechanisms," the researcher said. "The fact that the payload is decrypted at runtime adds an extra layer of friction for any form of static analysis."
"We connected Winos 4.0 to HoldingHands based on overlaps in the way some of the attack chains are delivered – specifically, certain PDF documents used to deliver Winos 4.0 contain embedded links that are also present in PDFs associated with HoldingHands," Pei Han Liao, researcher with Fortinet's FortiGuard Labs, told The Hacker News.
"These shared indicators, identified through static and behavioral analysis, suggest a potential relationship or reuse of infrastructure between the two campaigns."
(The story was updated after publication to include a response from Fortinet.)
cybersecurity, DLL side-loading, email security, Fortinet, Malware, Phishing, privilege escalation, Remote Access Trojans, Shellcode, Threat Intelligence