Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations - The Hacker News
Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations
Ravie LakshmananFeb 27, 2025Malware / Threat Intelligence
A new campaign is targeting companies in Taiwan with malware known as Winos 4.0 as part of phishing emails masquerading as the country's National Taxation Bureau.
The campaign, detected last month by Fortinet FortiGuard Labs, marks a departure from previous attack chains that have leveraged malicious game-related applications.
"The sender claimed that the malicious file attached was a list of enterprises scheduled for tax inspection and asked the receiver to forward the information to their company's treasurer," security researcher Pei Han Liao said in a report shared with The Hacker News.
The attachment mimics an official document from the Ministry of Finance, urging the recipient to download the list of enterprises scheduled for tax inspection.
But in reality, the list is a ZIP file containing a malicious DLL ("lastbld2Base.dll") that lays the groundwork for the next attack stage, leading to the execution of shellcode that's responsible for downloading a Winos 4.0 module from a remote server ("206.238.221[.]60") for gathering sensitive data.
The component, described as a login module, is capable of taking screenshots, logging keystrokes, altering clipboard content, monitoring connected USB devices, running shellcode, and permitting the execution of sensitive actions (e.g., cmd.exe) when security prompts from Kingsoft Security and Huorong are displayed.
Fortinet said it also observed a second attack chain that downloads an online module that can capture screenshots of WeChat and online banks.
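As an added, defender-side example that is not part of Fortinet's report or this article: a small Python scanner that refangs the two indicators quoted above (the C2 address and the dropper DLL name) and flags log lines that reference them. The proxy and file-creation log lines are constructed for the demonstration, not taken from the campaign, and the log formats are only illustrative.

```python
"""Match proxy / endpoint log lines against the IoCs reported for this Winos 4.0 campaign."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators as given in the report above; the IP is kept defanged, as published.
REPORTED_IOCS = {
    "c2_ip_defanged": "206.238.221[.]60",
    "dropper_dll": "lastbld2Base.dll",
}


def refang(indicator: str) -> str:
    """Turn defanged notation ([.], hxxp) back into a matchable string."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


@dataclass
class Hit:
    line_no: int
    indicator: str
    line: str


def scan_log(lines, iocs=REPORTED_IOCS):
    """Return a Hit for every line that references a known indicator.

    The IP pattern is bounded so that 206.238.221.60 does not match
    206.238.221.600 or a longer address; the DLL match is case-insensitive
    because Windows file names are.
    """
    ip = refang(iocs["c2_ip_defanged"])
    ipaddress.ip_address(ip)  # ValueError if the refanged indicator is not a valid IP
    ip_re = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    dll_re = re.compile(re.escape(iocs["dropper_dll"]), re.IGNORECASE)
    hits = []
    for n, line in enumerate(lines, start=1):
        if ip_re.search(line):
            hits.append(Hit(n, ip, line))
        elif dll_re.search(line):
            hits.append(Hit(n, iocs["dropper_dll"], line))
    return hits


# Constructed sample lines (hypothetical, not from the report): a Squid-style proxy
# entry hitting the C2, a near-miss address, a Sysmon-style file-creation event
# for the dropper DLL, and an unrelated request to a documentation-range address.
SAMPLE_LOG = [
    "1740614400.123 512 10.0.0.15 TCP_MISS/200 8492 GET http://206.238.221.60/ - HIER_DIRECT/206.238.221.60 application/octet-stream",
    "1740614401.456 210 10.0.0.16 TCP_MISS/200 1200 GET http://206.238.221.600/ - HIER_DIRECT/206.238.221.600 text/html",
    "Event 11 FileCreate Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\u\\Downloads\\list\\LASTBLD2BASE.DLL",
    "1740614402.789 180 10.0.0.17 TCP_MISS/200 3400 GET http://example.invalid/ - HIER_DIRECT/192.0.2.10 text/html",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: matched {hit.indicator}")
```

Running the block on the sample lines reports line 1 (the C2 address) and line 3 (the DLL), while the near-miss address on line 2 is ignored; pointing `scan_log` at real proxy or Sysmon exports is the intended use.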
It's worth noting that the intrusion set distributing the Winos 4.0 malware has been assigned the monikers Void Arachne and Silver Fox, with the malware also overlapping with another remote access trojan tracked as ValleyRAT.
"They are both derived from the same source: Gh0st RAT, which was developed in China and open-sourced in 2008," Daniel dos Santos, Head of Security Research at Forescout's Vedere Labs, told The Hacker News.
"Winos and ValleyRAT are variations of Gh0st RAT attributed to Silver Fox by different researchers at different points in time. Winos was a name commonly used in 2023 and 2024 while now ValleyRAT is more commonly used. The tool is constantly evolving, and it has both local Trojan/RAT capabilities as well as a command-and-control server."
ValleyRAT, first identified in early 2023, has been recently observed using fake Chrome sites as a conduit to infect Chinese-speaking users. Similar drive-by download schemes have also been employed to deliver Gh0st RAT.
Furthermore, Winos 4.0 attack chains have incorporated what's called a CleverSoar installer that's executed by means of an MSI installer package distributed as fake software or gaming-related applications. Also dropped alongside Winos 4.0 via CleverSoar is the open-source Nidhogg rootkit.
"The CleverSoar installer [...] checks the user's language settings to verify if they are set to Chinese or Vietnamese," Rapid7 noted in late November 2024. "If the language is not recognized, the installer terminates, effectively preventing infection. This behavior strongly suggests that the threat actor is primarily targeting victims in these regions."
The disclosure comes as the Silver Fox APT has been linked to a new campaign that leverages trojanized versions of Philips DICOM viewers to deploy ValleyRAT, which is then used to drop a keylogger and a cryptocurrency miner on victim computers. Notably, the attacks have been found to use a vulnerable version of the TrueSight driver to disable antivirus software.
"This campaign leverages trojanized DICOM viewers as lures to infect victim systems with a backdoor (ValleyRAT) for remote access and control, a keylogger to capture user activity and credentials, and a crypto miner to exploit system resources for financial gain," Forescout said.
cyber espionage, Cybercrime, cybersecurity, data breach, Malware, Phishing, Remote Access Trojan, Threat Intelligence