
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats

We offer safe, secure and affordable solutions for your business and personal networks and devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Winos 4.0 Malware Targets Taiwan With Email Impersonation

Summary:
A newly uncovered malware campaign leveraging Winos 4.0 is actively targeting organizations in Taiwan through phishing emails that impersonate Taiwan’s National Taxation Bureau. First observed by FortiGuard Labs in January 2025, this attack marks a shift in cybercriminal tactics, using government-themed social engineering to increase credibility and deceive victims. Previously distributed via gaming applications, Winos 4.0 is now delivered through phishing emails that claim to contain a list of companies selected for tax inspection. The emails urge recipients to download an attachment, which is actually a ZIP file containing malicious DLL files. Once executed, these files trigger the download of Winos 4.0 from a remote command-and-control server, initiating a series of stealthy and persistent cyber intrusions.

The malware operates covertly, embedding its payload within registry keys to evade traditional detection methods. Upon installation, Winos 4.0 carries out multiple malicious activities, including keylogging, screen capturing, clipboard monitoring, and disabling security protections. Its modular architecture enables it to maintain persistence and perform targeted surveillance. The MainThread module keeps the malware active, prevents the system from sleeping, and disables security prompts, while the Screenshot module captures images of sensitive applications such as online banking and WeChat. The Keylog module records user keystrokes and clipboard activity to steal credentials, and the USB Monitoring module tracks device insertions and removals, potentially facilitating data exfiltration. To further evade detection, Winos 4.0 includes anti-antivirus measures that disable security software and bypass User Account Control (UAC), making removal even more difficult.

Security Officer Comments:
Experts warn that this campaign effectively exploits human psychology by creating a sense of urgency and legitimacy. Jason Soroko, a senior fellow at Sectigo, describes the attack as a "clear shift in cybercrime," leveraging government impersonation and obfuscation to evade detection. He highlights that Winos 4.0 forces a re-examination of detection methodologies due to its ability to persist within registry keys. Similarly, J. Stephen Kowski, Field CTO at SlashNext, notes that phishing attacks like these manipulate users into downloading malicious files by mimicking official tax-related communications.

Suggested Corrections:
To mitigate risks, organizations must adopt multi-layered security measures. AI-powered email security tools can detect deception patterns before users interact with malicious emails. Employee training programs should enhance phishing awareness, helping staff recognize fraudulent messages. Blocking ZIP attachments in emails can prevent the execution of embedded malware, while managed file transfer systems requiring authentication can further limit exposure. As phishing tactics evolve, businesses must strengthen their defenses through advanced threat detection, security awareness initiatives, and strict email filtering policies to counteract sophisticated cyber threats.
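As an added example (not code from the article or from the vendors it quotes), the attachment-policy check described above in Python: it parses a raw message, recognises ZIP attachments by content as well as by file name, and blocks those carrying a DLL or other loadable Windows file, treating a corrupt archive as suspicious rather than clean. The sample mail, addresses and archive members are constructed placeholders.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: the policy blocks any archive carrying loadable Windows code, not only .dll.
BLOCKED_SUFFIXES = (".dll", ".exe", ".scr", ".cpl", ".ocx")
ZIP_MAGIC = b"PK\x03\x04"


def inspect_zip(data):
    """Members matching BLOCKED_SUFFIXES (case-insensitive); a corrupt archive is flagged, not trusted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(BLOCKED_SUFFIXES)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]

def assess_message(raw):
    """Parse a raw RFC 5322 message and return allow/block plus the offending attachments.
    Archives are recognised by the PK magic as well as by name, so a renamed .zip is still inspected."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        if payload.startswith(ZIP_MAGIC) or name.lower().endswith(".zip"):
            hits = inspect_zip(payload)
            if hits:
                findings.append((name, hits))
    return {"verdict": "block" if findings else "allow", "findings": findings}

def build_sample(attachment_name, attachment=b""):
    """Constructed test mail mirroring the tax-inspection lure; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "notice@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "List of companies selected for tax inspection"
    msg.set_content("Please review the attached list.")
    if attachment:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()

def zip_with(*members):
    # Constructed ZIP whose members hold placeholder bytes, not real code.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in members:
            zf.writestr(m, b"placeholder")
    return buf.getvalue()
```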

Link(s):
https://www.infosecurity-magazine.com/news/winos-40-malware-targets-taiwan/