A threat actor is targeting organizations in Taiwan in a sophisticated and evolving campaign to steal data for likely use in future attacks.
The attackers are delivering malware through phishing emails impersonating Taiwan’s National Taxation Bureau and other government entities, using themes related to taxes, pensions, and public services.
Convincing Phishing Lures
The emails carry a malicious zip archive whose contents, once extracted and run, start a multistage infection chain. One of the final payloads is HoldingHands (aka Gh0stBins), a remote access Trojan (RAT) capable of data exfiltration and surveillance, according to Fortinet, which has been tracking the campaign since January. In some instances, the email body instead contains an image with an embedded hyperlink; clicking it downloads the malware to the victim's system.
The zip archive bundles a malicious dynamic-link library (DLL), dokan2.dll, that starts the HoldingHands deployment. The DLL quietly decrypts and executes a second-stage payload hidden in a text file, dxpi.txt, which also carries the malware's configuration and performs installation and privilege-escalation steps on the compromised machine. A third file in the archive, MsgDb.dat, implements multiple command-and-control (C2) tasks for the malware.
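The archive layout above (a DLL, an encrypted payload stored as a .txt file, and a .dat module) is something a mail gateway or analyst can triage statically, without running anything. The script below is an added example, not Fortinet's or the article's code: the three member names come from the article, while the executable-extension list, the printable-byte threshold, the verdict labels and the two sample archives are this example's own assumptions, and the archive contents are placeholder bytes rather than real malware.

```python
"""Static triage of a zip email attachment for the loader artifacts named above.

Added example, not Fortinet's or the article's code. The artifact names
(dokan2.dll, dxpi.txt, MsgDb.dat) come from the article; every threshold,
the verdict labels and the sample archives are this example's own assumptions.
"""
from __future__ import annotations

import hashlib
import io
import posixpath
import zipfile

# Member basenames reported for the HoldingHands delivery archive (from the article).
HOLDINGHANDS_ARTIFACTS = {"dokan2.dll", "dxpi.txt", "msgdb.dat"}

# Extensions a mail gateway should treat as directly executable (assumed list).
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".cpl", ".bat", ".cmd",
                   ".js", ".vbs", ".ps1", ".hta", ".lnk")


def looks_like_text(blob: bytes, threshold: float = 0.9) -> bool:
    """True when at least `threshold` of the bytes are printable ASCII or whitespace.

    An encrypted second stage stored under a .txt name, as dxpi.txt is
    described, fails this check while a real text file passes it.
    """
    if not blob:
        return True
    printable = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(blob) >= threshold


def triage_zip(data: bytes) -> dict:
    """Inspect archive members without executing anything; return findings and a verdict."""
    findings = {"members": {}, "artifacts": [], "executables": [],
                "opaque_text": [], "masquerading_pe": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            name = info.filename
            base = posixpath.basename(name).lower()
            findings["members"][name] = hashlib.sha256(blob).hexdigest()
            if base in HOLDINGHANDS_ARTIFACTS:
                findings["artifacts"].append(base)
            if base.endswith(EXECUTABLE_EXTS):
                findings["executables"].append(name)
            if base.endswith(".txt") and not looks_like_text(blob):
                findings["opaque_text"].append(name)
            # A PE image ('MZ' header) hiding behind a non-executable extension.
            if blob[:2] == b"MZ" and not base.endswith((".exe", ".dll", ".scr", ".com", ".cpl")):
                findings["masquerading_pe"].append(name)
    for key in ("artifacts", "executables", "opaque_text", "masquerading_pe"):
        findings[key].sort()
    # Two or more of the named artifacts together is the strongest signal here;
    # a lone executable or opaque "text" file is only suspicious.
    if len(findings["artifacts"]) >= 2:
        findings["verdict"] = "holdinghands-indicators"
    elif findings["executables"] or findings["opaque_text"] or findings["masquerading_pe"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> bytes mapping (used for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed stand-ins for the archive layout the article describes; the bytes are
# placeholders (a bare 'MZ' header, an opaque byte pattern), not real malware.
SAMPLE_MALICIOUS = build_archive({
    "tax_notice/dokan2.dll": b"MZ" + bytes(64),
    "tax_notice/dxpi.txt": bytes(range(256)) * 4,      # encrypted-looking "text"
    "tax_notice/MsgDb.dat": bytes(range(0, 256, 3)) * 8,
    "tax_notice/notice.pdf": b"%PDF-1.4 constructed placeholder\n",
})
SAMPLE_BENIGN = build_archive({
    "quarterly/readme.txt": b"Constructed benign attachment. Nothing to see here.\n",
    "quarterly/totals.csv": b"month,amount\n2025-01,1200\n2025-02,980\n",
})

if __name__ == "__main__":
    for label, blob in (("malicious-looking", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        result = triage_zip(blob)
        print(f"{label}: verdict={result['verdict']} artifacts={result['artifacts']} "
              f"executables={result['executables']} opaque_text={result['opaque_text']}")
```

The per-member SHA-256 digests are what you would feed to threat-intelligence lookups; the name and byte-pattern checks are deliberately cheap so they can run on every attachment at the gateway, and a hit should route the archive to sandbox detonation rather than be treated as a final verdict.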
“The attack chain comprises numerous snippets of shellcode and loaders, making the attack flow complex,” Fortinet security researcher Pei Han Liao said in a blog post this week. “The purpose of these samples is to execute a malicious payload that accesses a C2 server to receive further instructions.”
Data that the adversary has been harvesting includes user information, IP address, computer name, and system-related information such as operating system and version, system architecture, CPU frequency, processor count, memory size, and registry values.
In the campaign's initial stages, the attacker used tax-themed phishing emails to distribute Winos 4.0, a malware toolkit with multiple components for keylogging, screenshot capture, clipboard monitoring, and data exfiltration. In subsequent months, the attacker added HoldingHands and another data stealer, Gh0stCringe, to the mix. Both tools overlap with Winos 4.0 in capability, supporting keylogging, file theft, remote control, and the deployment of additional payloads.
Part of a Broader Trend
Campaigns like the one Fortinet has been tracking fit a growing pattern of targeted cyberattacks in Asia, often tied to geopolitical tensions. In many of them, threat actors, frequently suspected of being state-backed, have used highly tailored phishing lures to get into networks in strategic sectors. Earlier this year, Taiwan's National Security Bureau (NSB) reported that daily attacks on the Taiwanese government nearly doubled in 2024, to 2.4 million. Many of them originated from China-backed groups and focused heavily on government and telecommunications organizations. More recently, Symantec reported the Chinese threat actor Lotus Panda using custom malware to infect systems at government organizations across much of Southeast Asia in 2024.
Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, described the ongoing campaign in Taiwan as well-planned and executed. “The fact that they’re using multiple malware variants — Winos 4.0, HoldingHands RAT, and Gh0stCringe — in coordinated waves tells us this is a sophisticated, well-resourced operation that’s playing the long game,” he said in an emailed statement. “What’s particularly concerning is how they’re using legitimate-looking zip files and multistage infection chains to slip past traditional email security that only checks attachments at the gateway.”
Such attacks highlight the need for organizations to implement capabilities for analyzing the behavior and intent behind links and attachments in emails, in real time, he added.