FortiGuard Labs tracked a cross-border campaign that evolved from Winos 4.0 attacks in Taiwan to new HoldingHands variants impacting Taiwan, Japan, China, and Malaysia, using phishing PDFs/HTML/Excel lures and cloud or custom domains for payload delivery. Investigation linked incidents via shared Tencent Cloud APPIDs, common domains/IPs (e.g., 156[.]251[.]17[.]9), code reuse (BackDoor.pdb, svchost.ini), and operational tactics like Task Scheduler-triggered execution. #HoldingHands #Winos4.0
Key points
- Campaign began with Winos 4.0 attacks in Taiwan (Jan 2025) and expanded to HoldingHands variants across Taiwan, Japan, China, and Malaysia.
- Phishing lures included PDFs, Word, HTML, and Excel files impersonating government documents and purchase orders, often hosting multiple links.
- Many malicious links pointed to Tencent Cloud storage; unique APPID/ID values enabled clustering of related files and campaigns.
- Payload delivery used custom domains (often containing “tw”) and multi-stage flows delivering signed EXEs and side-loaded DLLs with embedded debug paths (BackDoor.pdb).
- Later variants moved from direct execution to Task Scheduler–triggered stages to evade behavior-based detection and run in system service contexts.
- Technical chain involves dokan2.dll (malicious Dokany DLL loader), sw.dat (installer with anti-VM and privilege escalation), msvchost.dat/system.dat (encrypted shellcode/payload), and TimeBrokerClient.dll (loader verifying svchost process and decrypting/allocating memory).
- HoldingHands added a registry-based C2 IP update mechanism (key HKEY_CURRENT_USER\SOFTWARE\HHClient, value AdrrStrChar) and changed the terminate command IDs.
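As an added defender-side example (not code from the FortiGuard report), the Python helper below checks two of the HoldingHands artifacts listed above: the HKEY_CURRENT_USER\SOFTWARE\HHClient\AdrrStrChar registry value the variant uses to update its C2 IP, and the BackDoor.pdb debug path embedded in the builds. The .reg export and PE string list are constructed inputs, and the function names are assumptions of this example.

```python
import re

# Indicators quoted from the summary above (refanged from their defanged form for matching).
KNOWN_C2_IPS = {"156.251.17.9", "206.238.199.222", "206.238.221.244"}
HH_KEY = r"HKEY_CURRENT_USER\SOFTWARE\HHClient"   # key the variant reads its C2 IP from
HH_VALUE = "AdrrStrChar"                          # value name holding the C2 address
PDB_MARKER = "HoldingHands-develop"               # fragment of the BackDoor.pdb debug path
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def extract_hhclient_ip(reg_export: str):
    r"""Return the AdrrStrChar string under HKCU\SOFTWARE\HHClient from a .reg export, else None."""
    in_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):      # key header, e.g. [HKEY_...\HHClient]
            in_key = line[1:-1].lower() == HH_KEY.lower()
            continue
        if in_key and line.lower().startswith(f'"{HH_VALUE.lower()}"='):
            value = line.split("=", 1)[1].strip()
            return value[1:-1] if value.startswith('"') and value.endswith('"') else value
    return None


def triage(reg_export: str, pe_strings):
    """Combine the registry check with a debug-path check over strings extracted from a PE."""
    findings = []
    ip = extract_hhclient_ip(reg_export)
    if ip is not None:
        if IPV4.match(ip) and ip in KNOWN_C2_IPS:
            findings.append(f"HHClient registry value points at known HoldingHands C2 {ip}")
        else:  # key exists but address is new: still worth an analyst's look
            findings.append(f"HHClient registry key present; unlisted C2 candidate {ip!r}")
    if any(PDB_MARKER in s and s.endswith("BackDoor.pdb") for s in pe_strings):
        findings.append("BackDoor.pdb debug path from the HoldingHands build tree found in binary")
    return findings


# Constructed sample artifacts for the demo (not real captures).
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\SOFTWARE\\HHClient]\n"
    '"AdrrStrChar"="156.251.17.9"\n'
)
SAMPLE_STRINGS = [
    "svchost.ini", "TimeBrokerClient.dll",
    r"D:\Workspace\HoldingHands-develop\HoldingHands-develop\Door\x64\Release\BackDoor.pdb",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_STRINGS):
        print("[!]", finding)
```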
MITRE Techniques
- [T1566] Phishing – Phishing emails with PDFs/HTML/Word/Excel lures impersonating government documents and embedding download links (“phishing emails with PDFs that contained embedded malicious links”).
- [T1190] Exploit Public-Facing Application – Use of web pages and custom domains to host downloadable ZIP/EXE payloads and JSON-served links to frustrate analysis (“the actual download link is fetched from the JSON data, rather than being stored in the script on the page”).
- [T1218] System Binary Proxy Execution (svchost.exe) – Indirect execution via Task Scheduler and svchost.exe hosting to load malicious DLLs (“Task Scheduler … svchost.exe is executed and loads the malicious TimeBrokerClient.dll”).
- [T1547] Boot or Logon Autostart Execution (Task Scheduler) – Use of Windows Task Scheduler to trigger later stages of the attack (“later stages are now triggered by the Windows Task Scheduler service”).
- [T1027] Obfuscated Files or Information – Encrypted .dat files (msvchost.dat/system.dat) and use of svchost.ini RVA values to compute VirtualAlloc addresses (“svchost.ini … RVA of VirtualAlloc function” and encrypted data in msvchost.dat/system.dat).
- [T1055] Process Injection – Injecting decrypted payload into taskhostw.exe and monitoring/injecting into new instances (“launch taskhostw.exe, where the decrypted data of system.dat is injected”).
- [T1543] Create or Modify System Process – Manipulation of service recovery and Task Scheduler to trigger malicious DLL loading (“terminate the Task Scheduler. The Task Scheduler’s recovery setting is configured to restart the service one minute after it fails”).
- [T1078] Valid Accounts / Use of Legitimate Credentials or Signed Binaries – Use of a legitimately signed EXE to evade detection (“The EXE carries a legitimate digital signature to evade detection”).
- [T1086] PowerShell / Scripting – Repeated use of page scripts to fetch JSON-hosted download links and obfuscate direct associations (“the actual download link is fetched from the JSON data, rather than being stored in the script on the page”).
- [T1136] Create Account / Account Manipulation – Use of cloud storage APPID/IDs to cluster malicious files across campaigns (analysts followed APPID values to find related Tencent Cloud links and files).
Indicators of Compromise
- [Domain] Phishing and payload hosting – examples: twsww[.]xin, twswzz[.]xin, twczb[.]com
- [IP] Command-and-control and infrastructure – examples: 156[.]251[.]17[.]9 (HoldingHands C2), 54[.]91[.]64[.]45; other IPs: 206[.]238[.]199[.]222, 206[.]238[.]221[.]244 (and additional listed IPs)
- [File name] Distribution lures and dropped components – examples: Dokumen audit cukai dan sampel bahan.exe (social-engineering lure), svchost.ini (RVA info), msvchost.dat (encrypted shellcode)
- [Debug path] Code reuse linking builds – example: D:\Workspace\HoldingHands-develop\HoldingHands-develop\Door\x64\Release\BackDoor.pdb
- [SHA256] Malware samples – example: c138ff7d0b46a657c3a327f4eb266866957b4117c05075… (long hash list; and 2 more hashes)