Silver Fox extends Winos 4.0 operations to Japan & Malaysia via “HoldingHands” RAT

Introduction: what changed

Fortinet has linked a fresh wave of phishing-led intrusions to the Silver Fox (aka SwimSnake / Void Arachne / UTG-Q-1000) cybercrime cluster. The actor, previously focused on China and Taiwan, is now actively targeting Japan and Malaysia, delivering HoldingHands (aka Gh0stBins) alongside the Winos 4.0 (ValleyRAT) family. Lures impersonate Ministries of Finance and other agencies, using PDF attachments that contain embedded download links.

In brief

  • Scope: Pivot from China/Taiwan to Japan & Malaysia; sustained activity through August–October 2025.
  • Delivery: Tax/government-themed PDFs → staging pages → ZIP/EXE droppers; SEO poisoning also observed in related campaigns.
  • Payloads: HoldingHands RAT and Winos 4.0 (ValleyRAT) with modular plugins for surveillance, data theft, and remote control.
  • Defense evasion: Task Scheduler–based sideloading and TrustedInstaller impersonation; historic BYOVD driver abuse to kill EDR.

Context / history / connections

Fortinet first documented Winos 4.0 phishing against Taiwan’s National Taxation Bureau in Jan–Mar 2025, later tying related infrastructure and code reuse to Japan and, most recently, Malaysia. The same ecosystem has used SEO-poisoned fake software sites (e.g., Chrome, Telegram, WPS Office, DeepSeek) to spread Winos modules.

Check Point independently attributed a May–Aug 2025 campaign to Silver Fox that abused a Microsoft-signed vulnerable driver (amsdk.sys) from WatchDog Anti-malware to terminate PP/PPL-protected processes and deliver ValleyRAT/Winos—a notable demonstration of BYOVD at scale.

Technical analysis / details of the campaign

Initial access & delivery

  • Email lures: PDFs masquerading as finance/tax drafts with multiple embedded links (often to Tencent Cloud IDs), leading to localized staging pages (JP/ZH) that host the payload.
  • Alternate vector: SEO-poisoned look-alike software portals using chained JSON-driven redirectors (e.g., nice.js) to drop trojanized installers.

Execution & persistence

  • Sideload chain: An EXE (e.g., faux “excise audit” doc) sideloads dokan2.dll, which drops a DLL/DAT set into C:\Windows\System32\ (TimeBrokerClient.dll → renamed to BrokerClientCallback.dll; msvchost.dat, svchost.ini, system.dat, optional wkscli.dll).
  • Scheduler trigger: The malware kills the Task Scheduler service so that Windows auto-restarts it; when svchost.exe relaunches the service, it loads the malicious TimeBrokerClient.dll, so the chain continues without the dropper ever launching a process directly, which frustrates behavior-only detectors.
  • Privilege escalation: Shellcode elevates by impersonating TrustedInstaller, then decrypts and launches HoldingHands; includes anti-VM checks and AV process enumeration/termination (Avast, Norton, Kaspersky).

C2 & tasking

  • Observed C2 examples include 156.251.17[.]9; HoldingHands beacons periodically and supports registry-based C2 reconfiguration (HKCU\SOFTWARE\HHClient, value AdrrStrChar), so operators can swap servers without redeploying the malware.

Related activity (HR/fintech lures in China)

  • Operation “Silk Lure”: spear-phishing HR teams with .LNK drops that schedule keytool.exe daily and DLL-sideload jli.dll to invoke Winos 4.0; features AV-uninstall/connection-kill routines and comprehensive host fingerprinting.

Historic EDR kill (BYOVD)

  • Silver Fox previously used the Microsoft-signed WatchDog driver amsdk.sys and a legacy Zemana driver in a dual-driver loader to terminate protected AV/EDR before fetching ValleyRAT; after partial vendor fixes, the actors altered a single byte in the unsigned timestamp portion of the signature, which keeps the driver validly signed while changing its file hash enough to bypass hash blocklists.

Practical consequences / risks

  • Stealthy persistence that hides behind Windows services and signed components can evade EDR heuristics for long dwell time.
  • Rapid infrastructure agility (registry-driven C2 switching) complicates takedowns and IR.
  • Targeting expansion to Japan/Malaysia indicates broader regional intelligence collection and potential fraud/theft operations.

Operational recommendations / what to do next

  1. Block & hunt
    • Block example indicators (156.251.17[.]9), and hunt for dropped files/paths: C:\Windows\System32\TimeBrokerClient.dll, BrokerClientCallback.dll, msvchost.dat, svchost.ini; look for Task Scheduler restarts followed by svchost.exe DLL load events.
    • Monitor for HKCU\SOFTWARE\HHClient and value AdrrStrChar changes.
  2. Hardening
    • Enforce application allow-listing and driver blocklists; extend beyond Microsoft’s default list with community feeds, and monitor kernel-mode driver loads for WatchDog/Zemana lineages.
    • Disable scriptable Office macros for external docs; detonate PDFs with external links in sandbox.
  3. Detection logic (MITRE ATT&CK)
    • T1566.001 (phishing attachments), T1059 (PowerShell in LNK chains), T1574.002 (DLL search order hijack), T1547.001 (scheduled tasks), T1068/T1134 (priv-esc/impersonation), T1562.001 (defense evasion—disable security tools), T1055 (process injection).
  4. IR playbook
    • If Task Scheduler anomalies are found, isolate hosts, preserve C:\Windows\System32\ artifacts, and collect driver inventories for BYOVD traces; reset credentials and tokens.
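The hunting items above (svchost.exe loading the renamed TimeBrokerClient.dll after a Task Scheduler restart, the dropped .dat/.ini files in System32, and writes to HKCU\SOFTWARE\HHClient\AdrrStrChar) expressed as correlation rules over simplified event records; this is an added example, not Fortinet's or any vendor's code, and the flat event shape, the 120-second crash-to-load window and the sample events are assumptions constructed for illustration.

```python
# Constructed hunting rules for the HoldingHands sideload chain (not vendor code).
# Events are a simplified flat form of Sysmon (ID 7 image load, 11 file create,
# 13 registry value set) and Service Control Manager (7031/7034 service crash) records.
from datetime import datetime, timedelta

SYSTEM32 = "c:\\windows\\system32\\"
SIDELOAD_DLLS = {"timebrokerclient.dll", "brokerclientcallback.dll", "wkscli.dll"}
DROPPED_FILES = {"msvchost.dat", "svchost.ini", "system.dat"}
C2_VALUE = "\\software\\hhclient\\adrrstrchar"   # Sysmon logs HKCU as HKU\<SID>\...
RESTART_WINDOW = timedelta(seconds=120)           # assumed crash-to-sideload gap to correlate

def _ts(e):
    return datetime.fromisoformat(e["time"])
def _base(path):
    return path.lower().rsplit("\\", 1)[-1]
def _in_system32(path):
    return path.lower().startswith(SYSTEM32)

def hunt(events):
    """Return (rule, event) pairs; the chain rule fires when a Task Scheduler
    (service 'Schedule') crash precedes a svchost.exe sideload within RESTART_WINDOW."""
    findings, crashes = [], []
    for e in sorted(events, key=_ts):
        src, eid = e["source"], e["id"]
        if src == "scm" and eid in (7031, 7034) and e.get("service", "").lower() == "schedule":
            crashes.append(_ts(e))
            findings.append(("schedule_service_crash", e))
        elif src == "sysmon" and eid == 7 and _base(e["image"]) == "svchost.exe" \
                and _in_system32(e["loaded"]) and _base(e["loaded"]) in SIDELOAD_DLLS:
            findings.append(("svchost_sideload", e))
            if any(timedelta(0) <= _ts(e) - t <= RESTART_WINDOW for t in crashes):
                findings.append(("scheduler_restart_sideload_chain", e))
        elif src == "sysmon" and eid == 11 and _in_system32(e["target"]) \
                and _base(e["target"]) in DROPPED_FILES:
            findings.append(("holdinghands_dropped_file", e))
        elif src == "sysmon" and eid == 13 and e["target"].lower().endswith(C2_VALUE):
            findings.append(("hhclient_c2_reconfig", e))
    return findings

SAMPLE_EVENTS = [  # constructed, roughly the order an infected host would log them
    {"time": "2025-10-17T09:00:00", "source": "sysmon", "id": 11,
     "image": "C:\\Users\\u\\excise_audit.exe", "target": "C:\\Windows\\System32\\msvchost.dat"},
    {"time": "2025-10-17T09:00:05", "source": "scm", "id": 7034, "service": "Schedule"},
    {"time": "2025-10-17T09:00:09", "source": "sysmon", "id": 7,
     "image": "C:\\Windows\\System32\\svchost.exe", "loaded": "C:\\Windows\\System32\\TimeBrokerClient.dll"},
    {"time": "2025-10-17T09:01:00", "source": "sysmon", "id": 13,
     "image": "C:\\Windows\\System32\\svchost.exe", "target": "HKU\\S-1-5-21-1\\SOFTWARE\\HHClient\\AdrrStrChar"},
    {"time": "2025-10-17T10:00:00", "source": "sysmon", "id": 7,   # benign load: no finding
     "image": "C:\\Windows\\System32\\svchost.exe", "loaded": "C:\\Windows\\System32\\kernel32.dll"},
]
```

Calling `hunt(SAMPLE_EVENTS)` yields one finding per hostile event plus the chain finding on the sideload; a svchost.exe sideload seen with no preceding Task Scheduler crash still fires `svchost_sideload` but not the chain rule.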

Differences / comparisons with other cases

  • Compared to prior SEO-poisoned Winos delivery, the Japan/Malaysia wave leans on government-looking PDFs and a Task Scheduler auto-restart trigger—reducing need for noisy autoruns.
  • The BYOVD vector (mid-2025) was focused on EDR kill pre-deployment; current HoldingHands chains emphasize service-hosted sideloading and configurable C2, indicating parallel toolsets under the same umbrella actor.

Summary / key takeaways

Silver Fox is broadening geography and toolset: HoldingHands RAT joins Winos 4.0 in Japan & Malaysia with smart service-based persistence and on-the-fly C2 updates, while the actor retains BYOVD for situations requiring EDR neutralization. Expect further regional pivots and infrastructure churn; prioritize driver-abuse monitoring, service/DLL sideload hunts, and PDF-link inspection in mail flows.

Sources / bibliography

  • Fortinet FortiGuard Labs – Tracking Malware and Attack Expansion: A Hacker Group’s Journey across Asia (Oct 17, 2025).
  • The Hacker News – Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia via HoldingHands RAT (Oct 18, 2025).
  • Check Point Research – Chasing the Silver Fox: Cat & Mouse in Kernel Shadows (Aug 28, 2025).
  • Seqrite Labs – Operation Silk Lure: Scheduled Tasks Weaponized for DLL Side-Loading (drops ValleyRAT) (Oct 16, 2025).
  • Fortinet FortiGuard Labs – Threat Group Targets Companies in Taiwan (Jun 17, 2025).