Fortinet’s FortiGuard Labs recently published details of a sophisticated malware campaign targeting businesses in Taiwan. The campaign was discovered in January 2025 and deploys Winos 4.0, an advanced malware framework built to steal sensitive data. The attack is significant in its severity, using a multi-stage infection process to infiltrate systems and compromise information.
The primary target of this malware campaign was Microsoft Windows platforms, with the initial entry point being a carefully crafted phishing email posing as Taiwan’s National Taxation Bureau. The email enticed recipients by claiming to contain a list of companies set for tax inspections, prompting them to forward the information to their financial departments. Disguised as an official document from the Ministry of Finance, the email attachment contained a malicious DLL, setting the stage for the subsequent attack phases.
The attack unfolded through the execution of executable and dynamic link library (DLL) files within a ZIP archive. The sequence of files included 20250109.exe, ApowerREC.exe, and lastbld2Base.dll, each playing a specific role in the malware’s operation. Researchers detailed how the malicious actions were orchestrated, with the fake ApowerREC.exe calling functions from lastbld2Base.dll to decrypt and execute shellcode containing critical configuration data.
This shellcode established a connection to a command-and-control (C2) server, from which the malware downloaded additional encrypted components, including the core Winos 4.0 module. The injected module's capabilities included privilege escalation, anti-sandbox techniques, and process window hiding to evade detection and analysis. The malware stored encrypted data in the system registry for later decryption and execution, underlining its stealthy and persistent nature.
The module executed various malicious tasks to maintain control over infected systems, such as establishing persistence, bypassing User Account Control (UAC), collecting system information, and disabling security features like screen savers. Additionally, the malware actively surveilled user activities by capturing screenshots, logging keystrokes and clipboard contents, and manipulating network connections to evade security measures.
Protection against advanced threats like Winos 4.0 requires heightened vigilance when dealing with suspicious emails, refraining from opening compressed files attached to unsolicited emails, and enabling real-time scanning to detect and block threats proactively. As highlighted by industry experts, a multi-layered defense strategy that combines user education with advanced threat detection technologies is crucial in thwarting sophisticated social engineering attempts before they reach vulnerable endpoints.
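One way a mail gateway or analyst could operationalize the advice above is to triage ZIP attachments without extracting them, flagging executable entries, an EXE placed in the same directory as a DLL (the layout this campaign's archive used), and the file names named in the report. This is an added example, not code from Fortinet or the article; the archive contents are constructed placeholders and the `triage_zip` and `build_sample_zip` names are the example's own.

```python
import io
import zipfile

# File names reported for this campaign, used as a watchlist (lowercased).
REPORTED_NAMES = {"20250109.exe", "apowerrec.exe", "lastbld2base.dll"}
EXECUTABLE_EXTS = (".exe", ".dll", ".scr")


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect a ZIP attachment in memory and return findings:
    - executables: entries with an executable extension
    - sideload_pairs: (exe, dll) entries sharing a directory, the layout
      used when a renamed or fake EXE loads a DLL dropped beside it
    - reported_names: entries matching the names from the report
    - verdict: block / review / allow
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]

    lower = {n: n.lower() for n in names}
    executables = [n for n in names if lower[n].endswith(EXECUTABLE_EXTS)]
    reported = [n for n in names if lower[n].rsplit("/", 1)[-1] in REPORTED_NAMES]

    # Group executables by directory so an EXE next to a DLL is paired up.
    by_dir: dict[str, dict[str, list[str]]] = {}
    for n in executables:
        directory, _, _ = n.rpartition("/")
        kind = "dll" if lower[n].endswith(".dll") else "exe"
        by_dir.setdefault(directory, {"exe": [], "dll": []})[kind].append(n)
    pairs = [(e, d) for g in by_dir.values() for e in g["exe"] for d in g["dll"]]

    if pairs or reported:
        verdict = "block"
    elif executables:
        verdict = "review"
    else:
        verdict = "allow"
    return {"executables": executables, "sideload_pairs": pairs,
            "reported_names": reported, "verdict": verdict}


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the reported archive layout; the entry
    contents are placeholder bytes, not the real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("20250109.exe", "ApowerREC.exe", "lastbld2Base.dll"):
            zf.writestr(name, b"placeholder")
        zf.writestr("notice.pdf", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

The pairing heuristic will also flag legitimate software bundles, so treat "block" as a quarantine-for-review decision rather than a final verdict.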
In conclusion, the discovery of the Winos 4.0 malware campaign targeting Taiwanese businesses underscores the evolving threat landscape faced by organizations worldwide. By understanding the attack vectors and implementing robust cybersecurity measures, businesses can safeguard their systems and data against sophisticated malware operations seeking to exploit vulnerabilities for malicious gain.