Knock, knock — The Winos 4.0 & HoldingHands RAT Phishing Plague
- Javier Conejo del Cerro
- hace 4 dÃas
- 4 Min. de lectura
The infection began with a whisper, not a roar.
From the shadows of East Asia, the Chinese cybercrime collective Silver Fox — also tracked as SwimSnake or ValleyRAT — has unleashed a new wave of Winos 4.0 and HoldingHands RAT infections. What started as regionally focused operations in China and Taiwan has now spread its contagion to Japan and Malaysia, turning tax-themed PDFs into delivery vessels for remote access trojans descended from the old Gh0st RAT lineage.
These attacks, far from random, fuse espionage with precision: phishing emails disguised as financial or government notices, leading to ZIP archives that execute staged loaders, sideload malicious DLLs, disable antivirus, escalate privileges to TrustedInstaller, and silently deploy RAT payloads capable of total system takeover.
This is not just a malware campaign — it’s a biological metaphor in motion: infection, incubation, escalation, and exfiltration.
The plague spreads by human curiosity and administrative habit.
Phase 1 — The Contagion Begins
The first stage of the plague arrived through the inbox.
Victims — primarily office employees, HR staff, and finance clerks — received PDF attachments posing as tax drafts or excise audits. The PDFs were professional, multilingual, and tailored to the region, embedding links that redirected to malicious landing pages.
Once clicked, victims were prompted to download what appeared to be a ZIP package of official financial forms. Inside lurked a disguised executable — the initial dropper. By relying on regional government themes and familiar file formats, Silver Fox bypassed both common sense and most security filters.
It was a familiar scene for threat researchers: polished phishing lures, localized language, and carefully timed delivery to coincide with fiscal deadlines. Each opened PDF was an open wound.
Phase 2 — Incubation and Systemic Infection
When the patient clicked, the malware began its silent work.
The executable within the ZIP sideloaded a malicious DLL — a long-favored evasion trick. Multiple components were dropped into the C:\Windows\System32 directory:
svchost.ini, TimeBrokerClient.dll (renamed as BrokerClientCallback.dll), msvchost.dat, system.dat, and an unused wkscli.dll.
This stage saw the emergence of sw.dat, a loader script responsible for decrypting and injecting shellcode, disabling AV engines like Avast, Norton, and Kaspersky, and checking for virtual machines or debugging environments. The malware then exploited Windows’ TrustedInstaller privileges, impersonating system-level accounts to rename protected DLLs and secure persistence.
Finally, by hijacking the Windows Task Scheduler, the infection ensured that every reboot triggered its rebirth. The scheduler’s recovery mechanism — restarting the svchost.exe service after failure — allowed the malware to re-execute without any visible parent process.
Detection became almost impossible; the contagion had adapted to the immune system.
Phase 3 — The Symptoms Manifest
Once persistence was achieved, the real damage began.
The malicious DLL loaded memory allocations defined in svchost.ini, decrypted msvchost.dat, and unpacked the true payload hidden in system.dat: HoldingHands RAT. This trojan reached out to its command-and-control servers, sending host information and establishing a heartbeat every 60 seconds to maintain remote control.
From there, attackers could issue arbitrary commands, capture screenshots, harvest clipboard contents, steal credentials, and exfiltrate files to external servers.
In parallel, Winos 4.0 infections — often delivered through SEO-poisoned search results or separate phishing chains — extended the same capability set. Both families, HoldingHands and Winos, share DNA with the original Gh0st RAT, whose leaked code continues to empower new Chinese-linked actors over a decade later.
The pattern is clear: adapt, infect, persist, and observe. Silver Fox does not burn systems for profit — it colonizes them for intelligence.
Phase 4 — Containment and Countermeasures
Researchers at Fortinet’s FortiGuard Labs and other threat intelligence teams have tracked these infections since mid-2025, confirming cross-regional expansion and technical overlap between Silver Fox’s criminal and espionage operations.
To contain the spread, organizations are urged to act decisively:
Block and quarantine suspicious PDFs and ZIPs, especially those claiming financial or tax context.
Restrict DLL sideloading and whitelist only trusted executables.
Harden privileged accounts, disable local admin roles where unnecessary, and monitor for TrustedInstaller impersonation.
Audit the Task Scheduler for hidden or renamed DLL triggers.
Enable tamper protection in AV/EDR tools and monitor for mass service terminations.
Inspect outbound HTTPS traffic for beaconing intervals or anomalous persistence patterns.
Educate HR and finance departments — the primary entry points — to treat unsolicited attachments as high-risk.
The infection cycle can only be broken through human vigilance combined with technical hygiene.
The Winos 4.0 / HoldingHands RAT operations exemplify the evolution of Chinese-linked threat groups from brute-force intrusion to biological precision warfare in cyberspace: infections that mimic life, adapting to each host and environment.
What distinguishes Silver Fox is not the novelty of its tools but the discipline of its delivery — carefully timed, contextually disguised, and regionally localized. Every stage, from the PDF lure to the TrustedInstaller escalation, is engineered to exploit trust and routine.
For defenders, the prescription is simple yet demanding:
treat every attachment as a vector, every privilege as a potential vulnerability, and every scheduled task as a heartbeat worth monitoring.
In a digital ecosystem still learning from past pandemics like Gh0st RAT, this new plague reminds us that malware — like disease — survives through familiarity and complacency.
The cure lies in constant awareness, segmented systems, and a security culture immune to routine deception.
Silver Fox’s plague may infect quietly, but it speaks loudly: in cyberspace, every click is contact — and contact spreads contagion.
The Hacker News
Fortinet