Cybercriminals are ramping up their attacks on businesses in Taiwan, using fake emails disguised as official messages from the country’s National Taxation Bureau. The latest campaign, discovered by Fortinet FortiGuard Labs, involves a dangerous strain of malware known as Winos 4.0, delivered through phishing emails designed to trick recipients into downloading a malicious attachment.
Phishing Emails Masquerade as Tax Notices
Hackers behind this campaign are exploiting one of the oldest tricks in the book—posing as an authority figure to gain trust. The emails claim to contain a list of businesses scheduled for tax inspection and urge recipients to forward the information to their company’s treasurer. Attached is a ZIP file that appears to be an official document from Taiwan’s Ministry of Finance.
But in reality, opening this file sets off a chain reaction. Inside, a malicious DLL file (“lastbld2Base.dll”) initiates the attack, executing shellcode that fetches Winos 4.0 from a remote server. Once installed, the malware can:
- Take screenshots of the victim’s screen
- Log keystrokes to steal sensitive information
- Modify clipboard content to manipulate copied text
- Monitor USB devices connected to the system
- Execute commands when security prompts appear from antivirus programs like Kingsoft Security and Huorong
Second Attack Wave Targets WeChat and Online Banking
Fortinet researchers also uncovered a second attack method linked to the same campaign. This variation involves an online module that specifically captures screenshots of WeChat conversations and online banking portals.
This suggests that the attackers are not just after corporate data but are also trying to intercept financial transactions, possibly for fraud or espionage. The level of sophistication in these attacks indicates a well-resourced group with clear objectives.
Who’s Behind the Attack?
The Winos 4.0 malware has been attributed to a threat group known by multiple names, including Void Arachne and Silver Fox. Security experts have linked this malware to another well-known remote access trojan (RAT) called ValleyRAT, both of which originate from Gh0st RAT—a tool developed in China and open-sourced in 2008.
Daniel dos Santos, Head of Security Research at Forescout’s Vedere Labs, explained that these malware families have been evolving over the years. “Winos and ValleyRAT are essentially different flavors of Gh0st RAT, adapted by attackers for their ongoing operations. The tool is constantly being updated, making it harder to detect and block,” he noted.
CleverSoar Installer and Region-Specific Targeting
The attack doesn’t stop with phishing emails. Some variations of Winos 4.0 have been found using an installer called CleverSoar, which is delivered via fake software downloads or gaming applications.
What’s particularly interesting is how the malware selects its victims. Researchers found that the CleverSoar installer checks the language settings of the victim’s computer before proceeding. If the system is set to Chinese or Vietnamese, the malware installs itself. If not, it shuts down.
This targeted approach suggests that the hackers behind this campaign are specifically going after Chinese-speaking and Vietnamese-speaking users, possibly indicating a geopolitical motive or a focus on certain business sectors.
New Silver Fox Attack Uses Medical Software as a Backdoor
Adding another layer to the threat, the Silver Fox group has also been linked to an attack involving trojanized medical software. Security firm Forescout reported that the group has been using altered versions of Philips DICOM viewers—software commonly used in medical imaging—to spread ValleyRAT.
Once installed, this malware opens the door for further infections, including a keylogger that captures user activity and credentials, and a cryptocurrency miner that hijacks the victim’s computer to generate digital currency.
To make matters worse, attackers are using a known vulnerability in the TrueSight driver to disable antivirus programs, leaving infected systems completely exposed.
What’s Next?
With these threats becoming increasingly sophisticated, businesses in Taiwan—and beyond—need to stay on high alert. The use of phishing emails, region-specific malware targeting, and the repurposing of legitimate software for cyberattacks shows that these hackers are adapting their methods constantly.
The best defense?
- Verify email sources: Always double-check messages claiming to be from tax authorities or government agencies.
- Be cautious with attachments: Even if an email looks legitimate, avoid opening ZIP files from unknown sources.
- Update security tools: Keeping antivirus software and firewalls up to date can help block known threats.
- Monitor financial transactions: Businesses should implement extra layers of security for online banking and corporate financial data.
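One practical way to act on the attachment advice above is to triage ZIP attachments before they reach a mailbox. The script below is an added example (not from the Fortinet report or the article) that unpacks an archive in memory and flags executable payloads, double extensions that disguise executables as documents, and the DLL name reported in this campaign; the sample archive is constructed inline with placeholder bytes, not real malware.

```python
import io
import zipfile

# Extensions that should not arrive as mail attachments from a tax authority.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".lnk", ".hta"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
# Filename named in the FortiGuard Labs write-up summarised in the article.
KNOWN_BAD_NAMES = {"lastbld2base.dll"}


def build_zip(entries: dict) -> bytes:
    """Build a ZIP archive in memory from {name: bytes} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def triage_zip(data: bytes) -> dict:
    """Return a verdict and the list of (entry, reason) findings for a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if base in KNOWN_BAD_NAMES:
                findings.append((name, "known indicator from the Winos 4.0 campaign"))
            elif ext in EXEC_EXTENSIONS:
                if len(parts) > 2 and "." + parts[-2] in DOC_EXTENSIONS:
                    findings.append((name, "double extension disguising an executable as a document"))
                else:
                    findings.append((name, "executable content in attachment"))
            elif zf.read(name)[:2] == b"MZ":
                # PE header under a harmless-looking extension: renamed executable
                findings.append((name, "PE file with non-executable extension"))
    return {"verdict": "quarantine" if findings else "allow", "findings": findings}


# Constructed sample mimicking the lure: a "tax inspection list" and the reported DLL.
SAMPLE_LURE = build_zip({
    "tax_inspection_list.pdf.exe": b"MZ placeholder",
    "lastbld2Base.dll": b"MZ placeholder",
    "notice.txt": b"please forward to the treasurer",
})
SAMPLE_CLEAN = build_zip({"notice.txt": b"quarterly reminder"})

if __name__ == "__main__":
    print(triage_zip(SAMPLE_LURE))
    print(triage_zip(SAMPLE_CLEAN))
```

This only inspects archive metadata and the first bytes of each entry; it never executes anything from the attachment and can run on a mail gateway before delivery.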
Taiwanese companies are facing an escalating cyber threat, and vigilance is more crucial than ever. As cybercriminals refine their tactics, staying ahead of the game will require stronger security measures and increased awareness.