Recent cybersecurity events have once again highlighted the rising sophistication and persistence of threat actors targeting Windows systems.
In early 2025, FortiGuard Labs detected a novel attack campaign primarily aimed at users in Taiwan, spreading the dangerous malware known as winos 4.0.
Masquerading as official emails from Taiwan’s National Taxation Bureau, threat actors are exploiting heightened vigilance during tax season to dupe victims into activating malicious payloads.
Attack Methodology and Phishing Tactics
The campaign’s modus operandi revolves around classic phishing techniques, sharpened by a keen understanding of social engineering.
Emails crafted to appear legitimate, complete with official branding, warnings about tax audits, or urgent account statements, are sent out to targeted recipients.
These messages often contain attachments or hyperlinks leading to malware-laden ZIP files.

In more recent iterations, the attackers have embedded password-protected ZIPs, distributing the password on the download page itself.
This doubles as a barrier to automated analysis while ensuring that only real victims extract and execute the malicious code.
During execution, the malware deploys a layered approach. The ZIP file typically contains a legitimate executable that is abused through DLL side-loading to load a malicious DLL (often named something like dokan2.dll).
This DLL then decrypts and executes further shellcode, leveraging advanced anti-analysis and privilege escalation techniques. Notably, the malware checks for virtual-machine environments and aborts if the system has less than 8GB of RAM.
It escalates privileges to TrustedInstaller, the highest level in Windows systems. Registry keys are created as infection markers and additional payloads are dropped into system locations such as C:\Program Files (x86)\WindowsPowerShell\Update.

Technical Deep Dive: Malware Behavior and C2 Communication
The winos 4.0 campaign is powered by malware frameworks that have previously been observed in other attacks, specifically the HoldingHands Remote Access Trojan (RAT), also known as Gh0stBins, which allows persistent remote control of infected systems.
The malware’s shellcode loaders and encrypted payloads are designed to blend with legitimate system operations, making detection more challenging.
Once installed, the malware establishes communication with a Command and Control (C2) server, transmitting victim data such as system identifiers, operating system version, installed software, and even hardware specifications.
Packet structures are standardized, with the initial “magic” value (0xDEADBEEF) followed by commands for data collection, module execution, or C2 updates.
Heartbeats sent every three minutes keep the channel alive, while user activity, idle states, or direct instructions from the attacker trigger data collection commands.
Modules delivered via the C2 server include remote desktop capabilities and file managers, enabling the threat actor to steal data, drop additional tools, or pivot deeper into the network.
The malware’s modularity and the use of encrypted, side-loaded legitimate executables are key factors contributing to its success and persistence in infected environments.
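Two detection checks derived from the C2 behaviour described above, written here as an added example rather than code from FortiGuard Labs: a payload check for the 0xDEADBEEF magic at the start of a packet, and a flow-level check for the three-minute heartbeat cadence. The report does not state the byte order of the magic value, so both encodings are treated as matches; the flow records, IP addresses and tolerance window are constructed assumptions.

```python
import struct
from collections import defaultdict

# Magic value quoted in the report; its byte order is not stated, so both
# big- and little-endian encodings are accepted (assumption).
WINOS_MAGIC = 0xDEADBEEF
_MAGIC_PREFIXES = (struct.pack(">I", WINOS_MAGIC), struct.pack("<I", WINOS_MAGIC))


def has_winos_magic(payload: bytes) -> bool:
    """True if a TCP payload begins with the 0xDEADBEEF magic in either byte order."""
    return len(payload) >= 4 and payload[:4] in _MAGIC_PREFIXES


def beaconing_destinations(flows, period=180.0, tolerance=15.0, min_beats=3):
    """Group (timestamp_seconds, dst_ip) flow records by destination and flag
    every destination whose consecutive connection gaps all fall within
    `tolerance` seconds of `period` (180 s = the reported three-minute heartbeat)."""
    by_dst = defaultdict(list)
    for ts, dst in flows:
        by_dst[dst].append(ts)
    flagged = []
    for dst, stamps in by_dst.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) + 1 >= min_beats and all(abs(g - period) <= tolerance for g in gaps):
            flagged.append(dst)
    return sorted(flagged)


# Constructed sample data (not from the report): one host beaconing roughly
# every 180 s to a placeholder address, plus irregular browsing to another host.
SAMPLE_FLOWS = [
    (0.0, "203.0.113.10"), (181.0, "203.0.113.10"),
    (359.5, "203.0.113.10"), (540.0, "203.0.113.10"),
    (5.0, "198.51.100.7"), (12.0, "198.51.100.7"), (400.0, "198.51.100.7"),
]
SAMPLE_PAYLOAD_HIT = bytes.fromhex("deadbeef") + b"\x01\x00\x00\x00"  # constructed
SAMPLE_PAYLOAD_MISS = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    print(beaconing_destinations(SAMPLE_FLOWS))          # ['203.0.113.10']
    print(has_winos_magic(SAMPLE_PAYLOAD_HIT), has_winos_magic(SAMPLE_PAYLOAD_MISS))
```

The magic check is only meaningful on unencrypted segments and should be paired with the cadence check, which survives payload encryption because it relies on timing alone.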
The winos 4.0 campaign underscores the evolving landscape of cyber threats, where attackers continuously refine their tools and methods.
FortiGuard Labs proactively blocks these infections using advanced antivirus engines and threat intelligence, with protections such as FortiGuard CDR (Content Disarm and Reconstruction), which neutralizes malicious macros in documents.
Organizations are encouraged to keep their software up to date, enforce strict email security protocols, and educate users about the dangers of suspicious attachments and links.
Ongoing monitoring and response remain crucial, as threat actors adapt to new defenses and exploit new vectors for infection and intrusion.
IOCs