Massive Winos 4.0 Campaigns Target Taiwan
Summary:
Recent threat research by FortiGuard Labs has exposed massive phishing campaigns targeting Taiwan with the Winos 4.0 (ValleyRat) malware. Attributed to a subgroup of the Silver Fox APT, the threat actors leverage localized lures such as forged tax audit notifications, e-invoice downloads, and tax filing software installers to trick victims into executing malicious payloads. The infection chains are highly evasive, shifting from using malicious LNK files that download payloads to employing DLL sideloading via legitimate executables. A critical component of their attack relies on a Bring Your Own Vulnerable Driver (BYOVD) technique, specifically abusing a validly signed kernel-mode driver to escalate privileges and terminate a wide array of security products. Once deeply embedded, Winos 4.0 deploys additional plugins directly into the system's registry for memory-resident execution, enabling remote control, data theft, and widespread file encryption without leaving a significant footprint on the local disk.
Security Officer Comments:
This campaign highlights the growing sophistication and rapid evolution of evasion techniques used by APT groups, particularly the abuse of legitimate tools and drivers. While this specific campaign heavily targets Taiwan using local tax and invoicing themes, the underlying Tactics, Techniques, and Procedures (TTPs) are geographically agnostic and can be easily adapted to target organizations globally. The use of financial lures like invoices or tax documents is a universal threat vector that affects every industry sector. Furthermore, the adversary’s use of BYOVD attacks to actively blind Endpoint Detection and Response (EDR) and Antivirus (AV) solutions is a severe threat; if a vulnerable driver is successfully loaded, the malware can systematically terminate your security stack from the kernel level. Because Winos 4.0 also facilitates data theft and file encryption, an infection could quickly escalate into a full-blown ransomware or extortion incident. Organizations must recognize that traditional static domain blocking is insufficient here, as the attackers rapidly rotate their domains and abuse legitimate cloud services for payload delivery.
Suggested Corrections:
To defend against this threat, organizations should prioritize the implementation of Microsoft’s recommended Vulnerable Driver Blocklist through Windows Defender Application Control (WDAC) to prevent the loading of known exploitable drivers like wsftprm.sys. Security teams should also enforce strict application control policies to mitigate DLL sideloading by restricting the directories from which applications can load dynamic libraries. Given the attackers' reliance on phishing and cloud-hosted archives, enhancing email gateway protections to inspect compressed attachments and conducting routine security awareness training focused on financial and tax-themed lures are highly recommended. Additionally, defenders should configure endpoint monitoring to detect anomalous registry modifications, since the malware stores its plugins directly in the registry for fileless execution, and alert on any unauthorized attempts to disable or terminate critical security services. Finally, ensure that your EDR solutions are configured to block unauthorized UAC bypass attempts and monitor for the abuse of living-off-the-land binaries executing obfuscated download commands.
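The following is an added example, not FortiGuard code and not part of the original advisory. It shows how the three endpoint-monitoring recommendations above (known-vulnerable driver loads, oversized binary registry values written for fileless plugin storage, and unexpected stops of security services) can be expressed as rules over a batch of endpoint events. The event schema, host names, paths, registry keys and the service name "ExampleEDR" are constructed for this example; field names only loosely follow Sysmon (event 6 = driver loaded, event 13 = registry value set) and the Service Control Manager (event 7036 = service state change), and the size threshold is an assumption to tune against a local baseline. Only wsftprm.sys comes from the advisory; a real deployment would load Microsoft's full blocklist.

```python
"""Offline triage of constructed endpoint events against the advisory's three detection ideas."""
import json
from dataclasses import dataclass
from typing import Optional

# Driver file names treated as known-vulnerable. wsftprm.sys is named in the advisory;
# a production rule would load Microsoft's full vulnerable driver blocklist instead.
VULNERABLE_DRIVERS = {"wsftprm.sys"}

# Security services that should never enter the stopped state unexpectedly.
# "ExampleEDR" is a placeholder; WinDefend is the Microsoft Defender service name.
PROTECTED_SERVICES = {"ExampleEDR", "WinDefend"}

# REG_BINARY values at or above this size (bytes) are flagged. Winos 4.0 stores whole
# plugins in the registry; the threshold is an assumption, tune it to your baseline.
LARGE_BINARY_BYTES = 64 * 1024

# Directories from which a kernel driver load is unexpected (assumed, tune locally).
UNTRUSTED_DRIVER_DIRS = ("\\temp\\", "\\users\\", "\\programdata\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_driver_load(ev: dict) -> Optional[Finding]:
    """Event 6: flag blocklisted drivers first, then drivers loaded from user-writable paths.
    The signature status is deliberately ignored: the advisory's driver is validly signed."""
    image = ev.get("image_loaded", "")
    if _basename(image) in VULNERABLE_DRIVERS:
        return Finding("byovd_known_vulnerable_driver", ev["host"], f"loaded {image}")
    if any(d in image.lower() for d in UNTRUSTED_DRIVER_DIRS):
        return Finding("driver_load_from_user_writable_path", ev["host"], f"loaded {image}")
    return None


def check_registry_blob(ev: dict) -> Optional[Finding]:
    """Event 13: flag large binary values, the footprint of registry-resident plugins."""
    if ev.get("value_type") != "REG_BINARY":
        return None
    size = int(ev.get("data_size", 0))
    if size >= LARGE_BINARY_BYTES:
        return Finding("large_binary_registry_value", ev["host"],
                       f"{ev.get('image')} wrote {size} bytes to {ev.get('target_object')}")
    return None


def check_service_stop(ev: dict) -> Optional[Finding]:
    """Event 7036: flag a protected security service entering the stopped state."""
    if ev.get("state") == "stopped" and ev.get("service_name") in PROTECTED_SERVICES:
        return Finding("security_service_stopped", ev["host"],
                       f"{ev['service_name']} entered stopped state")
    return None


CHECKS = {6: check_driver_load, 13: check_registry_blob, 7036: check_service_stop}


def triage(jsonl_text: str) -> list:
    """Apply every rule to a JSON-lines batch and return the findings in event order."""
    findings = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        check = CHECKS.get(ev.get("event_id"))
        if check is None:
            continue
        finding = check(ev)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (JSON lines). Hosts, paths and key names are made up;
# the raw string keeps the JSON-escaped backslashes intact.
SAMPLE_EVENTS = r"""
{"event_id": 6, "host": "WS01", "image_loaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "signed": true}
{"event_id": 6, "host": "WS01", "image_loaded": "C:\\Users\\Public\\wsftprm.sys", "signed": true}
{"event_id": 13, "host": "WS01", "image": "C:\\Program Files\\Example\\updater.exe", "target_object": "HKLM\\SOFTWARE\\Example\\Settings", "value_type": "REG_DWORD", "data_size": 4}
{"event_id": 13, "host": "WS01", "image": "C:\\ProgramData\\Invoice\\viewer.exe", "target_object": "HKCU\\SOFTWARE\\Example\\plugin", "value_type": "REG_BINARY", "data_size": 184320}
{"event_id": 7036, "host": "WS01", "service_name": "Spooler", "state": "stopped"}
{"event_id": 7036, "host": "WS01", "service_name": "WinDefend", "state": "stopped"}
{"event_id": 1, "host": "WS01", "image": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run as a script it reports three findings for the sample batch: the signed but blocklisted driver, the 180 KB binary value written by a process outside Program Files, and the Defender service stop. The driver rule checks the blocklist before the path heuristic so a known-vulnerable driver dropped into a trusted directory is still caught, and none of the rules consult the signature field, which is the point of the BYOVD discussion above.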
Link(s):
https://www.fortinet.com/blog/threat-research/massive-winos-40-campaigns-target-taiwan