A recent surge in cyberattacks using the Winos4.0 malware framework has been identified as targeting organizations in Taiwan through deceptive PDF attachments disguised as tax inspection alerts, according to a January 2025 threat analysis by FortiGuard Labs.
The campaign combines multi-stage payload delivery, anti-forensic techniques, and automated evasion of security controls to establish persistent access to victim networks while avoiding detection.
The campaign begins with phishing emails masquerading as communications from Taiwan’s National Taxation Bureau, purporting to contain a list of businesses scheduled for tax audits. These emails lure recipients into downloading a malicious ZIP archive attached to a PDF document posing as an official Ministry of Finance memorandum.
Analysis shows that the PDF document (detected as PDF/Agent.A6DC!tr.dldr) contains socially engineered text instructing victims to extract and run the “20250109.exe” loader from the attached archive. FortiGuard researchers note that this marks a strategic change from the Winos4.0 distribution methods observed in November 2024, which relied on compromised gaming applications.
The use of tax-themed decoys during fiscal year-end periods boosts click-through rates among corporate finance teams, specifically the treasurers addressed in the phishing content, and so increases the chances of successful infiltration.
Once the loader runs, a three-stage process begins. In the first stage, the loader executes a copy of the legitimate-looking “ApowerREC.exe”, which imports “lastbld2Base.dll”; that DLL decrypts embedded shellcode carrying the C2 server configuration (the domain 9010[.]360sdgg[.]com) and parameters for the modular plugins.
The subsequent stages apply anti-analysis countermeasures that stall automated analysis systems, store the payload in the registry, and spawn threads for lateral movement and data harvesting. The malware also creates mutex objects to prevent redundant infections and writes keylogged data to specific directories on the infected system.
FortiGuard’s incident response team recommends various mitigation strategies such as enabling Content Disarm & Reconstruction (CDR) on email gateways, monitoring registry modifications for UAC bypass attempts, and deploying behavioral analysis tools to detect anomalies in system wake events.
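The infection chain above yields several concrete things a detection engineer can watch for: execution of the named loader, the ApowerREC.exe/lastbld2Base.dll pairing loading from a user-writable directory, DNS resolution of the C2 domain, and registry writes that fit the UAC-bypass monitoring recommendation. The following Python script is an added example written for this article, not code from FortiGuard or the article; it runs a small rule set over constructed Sysmon-style event lines. The event format, the sample lines, and the `ms-settings` registry key used as the UAC-bypass indicator are assumptions (the article names no specific keys); the loader name, the DLL pairing, and the defanged C2 domain are taken from the text.

```python
"""Toy detection pass for the Winos4.0 chain described in the article.

Example code added by the editor; not FortiGuard's or the article's code.
Event format ("type|process|field=value") and all sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Indicators taken from the article. The domain is stored defanged, as
# published, and refanged only for matching.
C2_DOMAIN_DEFANGED = "9010[.]360sdgg[.]com"
LOADER_NAME = "20250109.exe"
SIDELOAD_HOST = "apowerrec.exe"
SIDELOAD_DLL = "lastbld2base.dll"

# Assumption: one well-known auto-elevation key family used in UAC bypasses.
# The article only says to monitor registry modifications for bypass attempts.
UAC_BYPASS_KEY_PREFIXES = ("hkcu\\software\\classes\\ms-settings\\",)

# Paths a normal user can write to; a signed binary loading its DLL from
# here is the sideloading pattern worth flagging.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata\\local\\temp)|temp)\\", re.I
)

# Constructed sample telemetry, loosely modelled on Sysmon event types.
SAMPLE_EVENTS = [
    "ProcessCreate|C:\\Users\\alice\\Downloads\\20250109.exe|parent=C:\\Program Files\\7-Zip\\7zFM.exe",
    "ImageLoad|C:\\Users\\alice\\AppData\\Local\\Temp\\ApowerREC.exe|image=C:\\Users\\alice\\AppData\\Local\\Temp\\lastbld2Base.dll",
    "DnsQuery|C:\\Users\\alice\\AppData\\Local\\Temp\\ApowerREC.exe|query=9010.360sdgg.com",
    "RegistryEvent|C:\\Users\\alice\\AppData\\Local\\Temp\\ApowerREC.exe|key=HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command",
    "ProcessCreate|C:\\Windows\\System32\\notepad.exe|parent=C:\\Windows\\explorer.exe",
    "DnsQuery|C:\\Program Files\\Mozilla Firefox\\firefox.exe|query=example.com",
]


@dataclass(frozen=True)
class Alert:
    rule: str
    process: str
    detail: str


def refang(indicator: str) -> str:
    """Turn a published, defanged indicator back into a matchable string."""
    return indicator.replace("[.]", ".")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str):
    """Split 'type|process|field=value' into its four parts."""
    kind, process, detail = line.split("|", 2)
    field, _, value = detail.partition("=")
    return kind, process, field, value


def detect(events) -> list:
    """Apply the four rules and return one Alert per matching event."""
    c2 = refang(C2_DOMAIN_DEFANGED)
    alerts = []
    for line in events:
        kind, process, _field, value = parse_event(line)
        pname = basename(process)
        if kind == "ProcessCreate" and pname == LOADER_NAME.lower():
            alerts.append(Alert("winos4-loader-exec", process, value))
        elif (kind == "ImageLoad" and pname == SIDELOAD_HOST
              and basename(value) == SIDELOAD_DLL
              and USER_WRITABLE.search(value)):
            alerts.append(Alert("winos4-dll-sideload", process, value))
        elif kind == "DnsQuery" and value.lower().rstrip(".") == c2:
            alerts.append(Alert("winos4-c2-dns", process, value))
        elif (kind == "RegistryEvent"
              and value.lower().startswith(UAC_BYPASS_KEY_PREFIXES)
              and USER_WRITABLE.search(process)):
            alerts.append(Alert("uac-bypass-registry", process, value))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.process} -> {alert.detail}")
```

Run against the constructed sample, the script raises four alerts, one per stage described above, and stays silent on the two benign lines. The sideload rule keys on the DLL being loaded from a user-writable path rather than on the DLL name alone, so a legitimately installed ApowerREC under Program Files is not flagged; in production the same rules would be fed from the EDR or Sysmon pipeline instead of an inline list.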
Fortinet’s anti-malware suite has updated its detection signatures to block indicators associated with this campaign. Additionally, IP reputation services have been engaged to blacklist the confirmed C2 endpoints used by the attackers.
While the attribution of these attacks remains ambiguous, the targeting of Taiwanese fiscal systems and the use of Simplified Chinese annotations in USB device logs suggest potential ties to advanced persistent threat groups. The infrastructure utilized by the malware overlaps with domains previously associated with gaming malware, hinting at the reuse of operational resources across various campaigns.
Organizations are advised to prioritize cybersecurity training modules focused on phishing identification and implement application allowlisting for executable files. With Winos4.0 continuously evolving its evasion toolkit, it becomes imperative for organizations to adopt multi-layered defenses combining endpoint detection and network traffic analysis to counter these highly targeted attacks effectively.
As cyber threats continue to evolve, it is crucial for organizations to stay vigilant and proactively enhance their cybersecurity posture to safeguard against such sophisticated attacks.
