In January 2025, a threat group targeted users in Taiwan with the HoldingHands RAT, delivering it through phishing emails disguised as official government messages. The campaign used multi-stage attack chains with several loaders and shellcode fragments, and it has continued to evolve alongside related malware families such as Winos 4.0 and Gh0stCringe. #HoldingHandsRAT #winos4.0 #Gh0stCringe #TaiwanPhishingCampaign
Keypoints
- The threat group distributes HoldingHands RAT malware through phishing emails impersonating Taiwan’s National Taxation Bureau.
- The malware arrives in password-protected ZIP files that bundle a legitimate executable, a malicious DLL (dokan2.dll), encrypted shellcode, and loader components.
- The phishing lures use tax and financial themes to get recipients to click links or open the attachments.
- The legitimate executable side-loads dokan2.dll, which decrypts the shellcode stored in dxpi.txt and executes it.
- The dxpi.txt stage runs anti-VM checks, escalates privileges, writes a registry infection marker, and drops further payload files.
- msgDb.dat handles C2 communication and runs the remote desktop and file manager modules derived from HoldingHands RAT.
- The same threat actor uses other malware families, including Winos 4.0 and Gh0stCringe, in related campaigns.
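The chain summarised above leaves three host-observable traces: dokan2.dll loaded from a user-writable directory, files dropped under the WindowsPowerShell\Update path, and the SOFTWARE\MsUpTas infection marker. The following is an added detection example, not code from the original report or its authors. It assumes Sysmon-style event dictionaries (EventID, Image, ImageLoaded, TargetFilename, TargetObject, Details, ProcessGuid), treats the registry hive as unknown because the summary gives only the key path, and uses a hypothetical allowlist that tolerates dokan2.dll only when it loads from a directory whose name contains "Dokan". The sample events are constructed, not real telemetry.

```python
"""Added example (not from the original report): match Sysmon-style events
against the HoldingHands RAT host behaviours summarised above.

Assumptions (mine, not stated on the page): events are dicts with Sysmon
field names; the hive of SOFTWARE\\MsUpTas is unknown so only the key suffix
is matched; dokan2.dll is suspicious whenever loaded from outside a directory
whose name contains "Dokan" (hypothetical allowlist)."""
import re
from typing import Dict, List

DROP_DIR = r"C:\Program Files (x86)\WindowsPowerShell\Update"
MARKER_KEY_RE = re.compile(r"\\SOFTWARE\\MsUpTas\\State$", re.IGNORECASE)
DOKAN_ALLOW_RE = re.compile(r"\\Dokan[^\\]*\\", re.IGNORECASE)  # assumed legitimate install path


def classify(event: Dict[str, object]) -> List[str]:
    """Return the names of the rules an event trips (empty list if none)."""
    hits: List[str] = []
    eid = event.get("EventID")
    if eid == 7:  # Sysmon: image loaded
        loaded = str(event.get("ImageLoaded", ""))
        if loaded.lower().endswith("\\dokan2.dll") and not DOKAN_ALLOW_RE.search(loaded):
            hits.append("dokan2_sideload")
    elif eid == 11:  # Sysmon: file created
        target = str(event.get("TargetFilename", ""))
        if target.lower().startswith(DROP_DIR.lower() + "\\"):
            hits.append("powershell_update_drop")
    elif eid == 13:  # Sysmon: registry value set
        if MARKER_KEY_RE.search(str(event.get("TargetObject", ""))) and \
                event.get("Details") == "DWORD (0x00000001)":
            hits.append("msuptas_marker")
    return hits


def triage(events) -> Dict[str, List[str]]:
    """Group rule hits by ProcessGuid so one process tripping several rules stands out."""
    by_proc: Dict[str, set] = {}
    for ev in events:
        for rule in classify(ev):
            by_proc.setdefault(str(ev.get("ProcessGuid", "?")), set()).add(rule)
    return {proc: sorted(rules) for proc, rules in by_proc.items()}


# Constructed sample events (not real telemetry). Process {A} is the side-loading
# host from the ZIP; {B} is a benign Dokan user; {C} is unrelated activity.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "{A}", "Image": r"C:\Users\u\Downloads\条列檔案.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\dokan2.dll"},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Program Files\Dokan\Dokan Library-2.0.6\dokan2.dll"},
    {"EventID": 11, "ProcessGuid": "{A}",
     "TargetFilename": r"C:\Program Files (x86)\WindowsPowerShell\Update\msgDb.dat"},
    {"EventID": 13, "ProcessGuid": "{A}",
     "TargetObject": r"HKLM\SOFTWARE\MsUpTas\State", "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "ProcessGuid": "{C}",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\report.pdf"},
]

if __name__ == "__main__":
    for proc, rules in triage(SAMPLE_EVENTS).items():
        print(proc, rules)
```

Each rule on its own is noisy (a file written under Program Files, a DLL load), which is why `triage` groups hits per process: the side-loading host trips all three, while the legitimate Dokan consumer trips none.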
MITRE Techniques
- [T1566] Phishing – The threat actor uses phishing emails masquerading as government communications to deliver malicious attachments and links (‘Phishing emails typically masquerade as messages from the government…’).
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – A legitimate executable loads the malicious dokan2.dll from its own directory, which then decrypts and runs the shellcode (‘条列檔案 is the legitimate executable used to load dokan2.dll via side-loading.’). The summary mapped this to T1218 (System Binary Proxy Execution), which covers proxying through signed system utilities such as rundll32 and does not describe side-loading.
- [T1059.001] Command and Scripting Interpreter: PowerShell – The summary mapped this to T1086, the retired ID for the same technique. The mapping rests on the drop path alone: the quoted behaviour is staging files under a directory named after WindowsPowerShell, not execution of PowerShell (‘It creates a registry key as an infection marker… and drops other files extracted from the ZIP file to C:\Program Files (x86)\WindowsPowerShell\Update.’).
- [T1134.001] Access Token Manipulation: Token Impersonation/Theft – The quoted step is token theft, not creation of a system service: the malware impersonates the SYSTEM token of WinLogon (‘It then calls the ImpersonateLoggedOnUser function to impersonate the user (SYSTEM) of WinLogon.’). The summary's original mapping, T1543 Create or Modify System Process, is not supported by that text.
- [T1055] Process Injection – The summary maps shellcode execution here, but the quoted step stays inside the host process: the side-loaded dokan2.dll decrypts dxpi.txt and runs it on a new thread (‘Dokan2.dll creates a thread to decrypt data in dxpi.txt and execute it.’). No cross-process injection is described; T1620 Reflective Code Loading is the closer fit for this step.
- [T1573] Encrypted Channel – The summary describes the C2 traffic used for data collection and command execution as encrypted; the quoted excerpt itself only shows that the packets follow a fixed structure (‘MsgDb.dat implements C2 tasks… The packets from msgDb.dat and the C2 server follow this structure.’).
- [T1547] Boot or Logon Autostart Execution – The quoted registry key is an infection marker, not an autostart entry (‘It creates a registry key as an infection marker: Subkey: SOFTWARE\MsUpTas Value name: State Value: 1’). The summary asserts persistence via registry modification, but this excerpt shows no Run key or other autostart location, so the marker is useful for detection rather than as evidence of the persistence mechanism.
Indicators of Compromise
- [IP Address] Malicious infrastructure used in the campaigns – 154.91.85.204, 206.238.179.173, and 7 more IPs.
- [Domain] Command-and-control and download domains – twszz.xin, twcz.pro, twsa.top, and multiple myqcloud.com subdomains. myqcloud.com is Tencent Cloud's object-storage domain, so block or alert on the specific subdomains only, not the apex.
- [File Hash – Phishing Email] Hash of the phishing email used to deliver the malware – 6558dfb070421c674b377a0a6090593fa0c44d5b0dec5325a648583f92175ce2d. As printed here this value is 65 hex characters, one too many for SHA-256; verify it against the original report before loading it into a blocklist.
- [File Hash – PDF Attachment] Hash of the malicious PDF attached to the phishing email – a8b6c06daeede6199e69f4cafd79299219def5bf913a31829dede98a8ad2aaa9.
- [File Hash – ZIP File] Hash of the password-protected ZIP file containing the malware components – ac957ba4796f06c4bf0c0afb8674bbeb30eb95cef85bc68ced3ee1aa30e3acff.
- [File Hash – Executable] Hash of the legitimate executable used for side-loading – e2269b38655a4d75078362856c16594e195cd647c56b8c55883b8e1286baa6585. As printed here this value is also 65 hex characters and does not parse as SHA-256; confirm it from the original report.
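Two of the hashes above have an odd length, and one of the domain entries is a shared cloud provider, so the list should be validated before it is fed to any blocking or matching tool. The block below is an added example, not part of the original summary or its source report: it checks each IOC for well-formedness (hashes must be hex of a recognised digest length; the report does not name the algorithm, so the length decides), separates usable entries from rejects with a reason, and matches the usable set against a few constructed proxy-log lines in an invented "time src host dst" format.

```python
"""Added example, not from the original summary: validate the listed IOCs
before use, then match the usable ones against constructed proxy-log lines.

Assumptions: hashes are identified only by length (md5/sha1/sha256); the
proxy log format "time src host dst" is invented for the demo."""
import ipaddress
import re
from typing import Dict, List, Tuple

HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")

# IOC values as printed in the summary, hashes copied verbatim (including the
# two odd-length ones, which the validator is expected to reject).
RAW_IOCS: List[Tuple[str, str]] = [
    ("ip", "154.91.85.204"),
    ("ip", "206.238.179.173"),
    ("domain", "twszz.xin"),
    ("domain", "twcz.pro"),
    ("domain", "twsa.top"),
    ("hash", "6558dfb070421c674b377a0a6090593fa0c44d5b0dec5325a648583f92175ce2d"),
    ("hash", "a8b6c06daeede6199e69f4cafd79299219def5bf913a31829dede98a8ad2aaa9"),
    ("hash", "ac957ba4796f06c4bf0c0afb8674bbeb30eb95cef85bc68ced3ee1aa30e3acff"),
    ("hash", "e2269b38655a4d75078362856c16594e195cd647c56b8c55883b8e1286baa6585"),
]


def validate(kind: str, value: str) -> Tuple[bool, str]:
    """Return (ok, reason). Reason names the IOC type on success, the defect on failure."""
    v = value.strip().lower()
    if kind == "ip":
        try:
            ipaddress.ip_address(v)
            return True, "ip"
        except ValueError:
            return False, "not an IP address"
    if kind == "domain":
        ok = DOMAIN_RE.fullmatch(v) is not None
        return ok, ("domain" if ok else "malformed domain")
    if kind == "hash":
        if not HEX_RE.fullmatch(v):
            return False, "non-hex characters"
        algo = HASH_LENGTHS.get(len(v))
        return (True, algo) if algo else (False, f"{len(v)} hex chars is no known digest length")
    return False, f"unknown kind {kind}"


def split_iocs(raw) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Partition IOCs into a usable dict (value -> type) and a rejects dict (value -> reason)."""
    usable: Dict[str, str] = {}
    rejected: Dict[str, str] = {}
    for kind, value in raw:
        ok, reason = validate(kind, value)
        (usable if ok else rejected)[value.strip().lower()] = reason
    return usable, rejected


LOG_RE = re.compile(r"^\S+ (?P<src>\S+) (?P<host>\S+) (?P<dst>\S+)")  # constructed format


def match_logs(lines, usable) -> List[Tuple[int, str]]:
    """Return (line_number, ioc) pairs for every host or destination IP in the usable set."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("host", "dst"):
            val = m.group(field).lower()
            if val in usable:
                hits.append((n, val))
    return hits


SAMPLE_LOG = [  # constructed proxy lines: time src host dst
    "2025-01-15T08:01:02Z 10.0.0.5 update.microsoft.com 13.107.4.50",
    "2025-01-15T08:03:44Z 10.0.0.5 twszz.xin 154.91.85.204",
    "2025-01-15T08:05:10Z 10.0.0.9 - 206.238.179.173",
]

if __name__ == "__main__":
    usable, rejected = split_iocs(RAW_IOCS)
    for value, reason in rejected.items():
        print("REJECT", value, reason)
    for n, ioc in match_logs(SAMPLE_LOG, usable):
        print("HIT line", n, ioc)
```

Rejecting rather than silently truncating the 65-character strings matters: trimming a character would produce a well-formed SHA-256 that matches nothing, and the IOC would look deployed while being useless.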