Rising Threat Targets Taiwanese Users with Advanced Tactics
A new wave of cyberattacks has taken aim at users in Taiwan, deploying increasingly sophisticated phishing techniques and custom malware strains. Security researchers have uncovered a targeted campaign that began in January 2025, impersonating Taiwan’s National Taxation Bureau through convincing emails and malicious file downloads. The operation is notable not only for its strategic social engineering but also for the depth of its technical complexity, featuring malware such as Winos 4.0, HoldingHands RAT, and Gh0stCringe. These tools, operating in chained stages, are designed to maintain long-term access to compromised systems, evade detection by antivirus tools, and collect sensitive data.
Coordinated Cyber Espionage Campaign Unfolds in Taiwan
A highly coordinated cyberattack has emerged in Taiwan, leveraging government-themed phishing emails to deliver malware via deceptive download links and ZIP archives. The malicious emails, disguised as official communication from the Taiwanese National Taxation Bureau, contain links that trigger multi-stage infection chains upon interaction. The threat actors use a sophisticated payload deployment method involving legitimate executables for side-loading, which helps them bypass traditional antivirus and endpoint detection solutions.
The malware toolkit employed includes Winos 4.0, known for establishing persistence and operating under the radar, and HoldingHands RAT, a remote access trojan enabling long-term surveillance and control. Another malware variant observed in this operation is Gh0stCringe, which adds further capabilities such as keylogging, file theft, and command execution.
One standout feature of this campaign is the use of encoded Windows API names in file-name-style strings, such as DwhsOqnbdrr.dll, which decodes to the Windows function ExitProcess. Comparing the two strings shows the scheme: every letter of the encoded form is exactly one ASCII code below its counterpart, so decoding is a shift of +1 per character. These strings are decoded in memory by components like Dokan2.dll, which also rewrites the Import Address Table (IAT) at run time and executes shellcode without leaving obvious traces. The obfuscation defeats static string matching and import-table inspection, and it blunts endpoint detection and response (EDR) rules that depend on those artefacts.
Security researchers have highlighted the use of password-protected ZIP files, often containing seemingly harmless documents or installer links, as a critical part of the infection vector. This extra layer of obfuscation slows down security analysis and helps the malicious payloads bypass automatic scanning systems.
Although the current operation appears focused on Taiwan, the strategic nature of the attack and the use of evolving tools signal a larger, global threat. Cybersecurity experts warn that such campaigns can easily be adapted for use in other regions by swapping out language and visual elements in phishing emails.
Despite some antivirus solutions catching parts of the malware chain, researchers stress that layered defenses, employee awareness training, and active threat intelligence integration are vital to stopping attacks of this nature.
What Undercode Says:
Escalation of Cyber Threats with Targeted Social Engineering
This campaign represents a clear evolution in how phishing attacks are designed and deployed. Unlike traditional spam or low-effort phishing, this operation is rooted in social trust exploitation. By mimicking Taiwan’s National Taxation Bureau, the attackers tap into a reliable source of anxiety and urgency: tax season communications. This tactic significantly boosts the chance of engagement from unsuspecting recipients.
Custom Malware and Evasion Strategies
The malware used here, particularly Winos 4.0 and HoldingHands, isn’t new, but it has been repackaged and chained in new ways. The use of legitimate executables for DLL side-loading, along with the per-character encoding of API names in file-name-style strings, shows a working knowledge of Windows internals and antivirus evasion. Because the names are only decoded in memory and the IAT is filled in at run time, the binary on disk imports nothing suspicious, which defeats static string matching and import-based heuristics; the behaviour becomes visible only to tooling that inspects process memory or monitors API calls as they are made.
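Here is how an analyst can recover such names from a memory dump or an unpacked DLL, as an added example that is not from the original article or from FortiGuard Labs. It generalises the single pair quoted earlier (DwhsOqnbdrr.dll, which is ExitProcess with every character shifted down by one) to any small per-character shift in either direction. The sample blob, the API allow-list and the shift range are constructed assumptions, not data from the campaign:

```python
import re
from typing import List, Optional, Tuple

# Win32 export names worth flagging when they turn up hidden (assumption: a real
# allow-list would be built from the exports of kernel32.dll, ntdll.dll, etc.).
KNOWN_APIS = {
    "ExitProcess", "VirtualAlloc", "VirtualProtect", "CreateThread",
    "CreateRemoteThread", "WriteProcessMemory", "LoadLibraryA", "GetProcAddress",
}

# Runs of 6+ printable ASCII bytes, the same thing `strings` extracts.
PRINTABLE_RUN = re.compile(rb"[ -~]{6,}")


def shift_ascii(s: str, delta: int) -> Optional[str]:
    """Add delta to every character code; None if any result leaves printable ASCII."""
    out = []
    for ch in s:
        code = ord(ch) + delta
        if not 0x20 <= code <= 0x7E:
            return None
        out.append(chr(code))
    return "".join(out)


def find_shifted_api_names(blob: bytes, deltas=range(-4, 5)) -> List[Tuple[str, int, str]]:
    """Return (encoded string, shift applied, recovered API name) for every string in
    blob that turns into a known API name under a small per-character shift."""
    hits = []
    for m in PRINTABLE_RUN.finditer(blob):
        raw = m.group().decode("ascii")
        stem = raw.split(".")[0]          # "DwhsOqnbdrr.dll" -> "DwhsOqnbdrr"
        for delta in deltas:
            if delta == 0:                # an unshifted import is not obfuscation
                continue
            decoded = shift_ascii(stem, delta)
            if decoded in KNOWN_APIS:
                hits.append((raw, delta, decoded))
    return hits


# Constructed sample, not bytes from the campaign: two hidden names among normal strings.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\x00"
    + b"kernel32.dll\x00"
    + b"DwhsOqnbdrr.dll\x00"    # ExitProcess with every byte decremented by one
    + b"EtgcvgVjtgcf\x00"       # CreateThread with every byte incremented by two
)

if __name__ == "__main__":
    for raw, delta, api in find_shifted_api_names(SAMPLE_BLOB):
        print(f"{raw!r}: shift {delta:+d} -> {api}")
```

Running the scanner over the sample reports both hidden names and ignores the ordinary strings around them. Keeping the shift range small matters: with a large range, random strings start colliding with short API names, so in practice the allow-list should be restricted to the exports that actually matter for loader behaviour.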
Multi-Stage Infection Chains for Long-Term Control
The attackers aren’t just looking for quick wins. The chain-like deployment of malware, including keyloggers, file managers, and RATs, signals an intent to establish long-term access and control. This is consistent with tactics used in cyberespionage, where maintaining persistence is critical. Once inside, these tools can exfiltrate data over extended periods, launch further lateral movement within a network, or even be used to deliver ransomware in a later phase.
Password-Protected ZIPs as a Tactic
Password-protected ZIP archives are becoming a favored technique in phishing campaigns. An automated scanner cannot open such an archive without the password, which the attacker delivers in the email body, in a separate message, or hardcoded in a script. The step forces human interaction and blunts automated email filtering, which at best sees an encrypted archive of unknown content. Combined with believable document names and visual branding, these files easily pass for legitimate correspondence.
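The check a mail gateway needs does not require the password: whether an entry is encrypted is recorded in the ZIP central directory (general-purpose flag bit 0 for ZipCrypto, compression method 99 for WinZip AES), so an archive can be quarantined from its metadata alone, with the file-name tricks the article mentions (a document name carrying an executable extension) caught in the same pass. The following is an added example, not code from the article or from any product it mentions; it builds small archives by hand so it runs offline, and the risky-extension list and file names are constructed assumptions:

```python
import io
import os
import struct
import zipfile
import zlib

# Extensions that should never arrive inside an emailed archive (assumption; tune per site).
RISKY_EXT = {".exe", ".dll", ".scr", ".lnk", ".js", ".vbs", ".hta", ".bat", ".ps1",
             ".msi", ".iso", ".zip"}


def build_zip(entries, encrypted=False):
    """Constructed sample: write a 'stored' (uncompressed) ZIP by hand.

    With encrypted=True, general-purpose flag bit 0 is set and each entry's data is
    replaced by the 12-byte ZipCrypto header plus placeholder bytes of the same
    length; a gateway never decrypts, so real ciphertext is unnecessary here.
    """
    flag = 0x0001 if encrypted else 0x0000
    local, central, offset = b"", b"", 0
    for name, data in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF            # CRC is always of the plaintext
        payload = (b"\x00" * 12 + b"\xAA" * len(data)) if encrypted else data
        # local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        local_hdr = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0,
                                crc, len(payload), len(data), len(name_b), 0)
        # central directory header: same fields plus comment/disk/attrs and the local offset
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, 0, 0,
                               crc, len(payload), len(data), len(name_b), 0, 0, 0, 0, 0,
                               offset) + name_b
        local += local_hdr + name_b + payload
        offset += len(local_hdr) + len(name_b) + len(payload)
    # end of central directory record
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def inspect_zip_attachment(zip_bytes):
    """Verdict from the central directory alone; nothing is extracted or decrypted."""
    encrypted, risky = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x0001 or info.compress_type == 99:   # ZipCrypto or WinZip AES
                encrypted.append(info.filename)
            # splitext keeps only the last suffix, so "notice.pdf.exe" is caught as .exe
            if os.path.splitext(info.filename)[1].lower() in RISKY_EXT:
                risky.append(info.filename)
    return {"encrypted": encrypted, "risky": risky,
            "quarantine": bool(encrypted or risky)}


# Constructed samples: a benign attachment and a lure shaped like the one described above.
BENIGN_ZIP = build_zip([("tax_receipt_2025.pdf", b"%PDF-1.4 constructed placeholder")])
LURE_ZIP = build_zip([("National_Taxation_Bureau_notice.pdf.exe", b"MZ" + b"\x00" * 62)],
                     encrypted=True)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("lure", LURE_ZIP)):
        print(label, inspect_zip_attachment(blob))
```

The verdict is deliberately binary: an encrypted archive from an external sender is held for a human regardless of what the file names claim, because the names are the only thing the gateway can read and they are under the attacker's control.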
Implications Beyond Taiwan
Although the phishing campaign currently targets Taiwan, it’s important to understand this as a test run for broader campaigns. Once proven effective, such malware kits and phishing frameworks are often commercialized or repurposed for global targets. Language packs and visual themes are all that need to change to aim these same tools at users in the US, EU, or South America.
Defensive Recommendations
Security professionals must now think beyond signature-based detection. Defensive strategies should include:
Behavior-based anomaly detection
Memory scanning for unusual IAT behavior
Frequent security awareness campaigns
Real-time threat intelligence feeds
Zero-trust email gateways
Relying on traditional antivirus software alone is not enough. The complexity of this campaign shows that defense in depth is now non-negotiable for any organization or government agency handling sensitive data.
🔍 Fact Checker Results:
✅ This campaign did start in January 2025, as reported by FortiGuard Labs.
✅ Winos 4.0 and HoldingHands are confirmed to be used in the malware chain.
✅ API encoding in filenames is a real tactic seen in this operation.
📊 Prediction:
🌐 Expect this malware strategy to expand to other countries under different themes, such as banking or healthcare.
🔒 Organizations that fail to implement layered security will remain vulnerable to these advanced phishing threats.
🧠 Cybersecurity education and simulated phishing tests will become essential tools in protecting end users.
References:
Reported By: www.infosecurity-magazine.com