Silver Fox APT Targets Taiwan with Complex Gh0stCringe and HoldingHands RAT Malware

Posted on June 17, 2025 by CWS

Jun 17, 2025 | Ravie Lakshmanan | Malware / Email Security
Cybersecurity researchers are warning of a new phishing campaign that is targeting users in Taiwan with malware families such as HoldingHands RAT and Gh0stCringe.
The activity is part of a broader campaign that delivered the Winos 4.0 malware framework earlier this January by sending phishing messages impersonating Taiwan's National Taxation Bureau, Fortinet FortiGuard Labs said in a report shared with The Hacker News.

The cybersecurity company said it identified additional malware samples through continuous monitoring and that it observed the same threat actor, known as Silver Fox APT, using malware-laced PDF documents or ZIP files distributed via phishing emails to deliver Gh0stCringe and a malware strain based on HoldingHands RAT.
It is worth noting that both HoldingHands RAT (aka Gh0stBins) and Gh0stCringe are variants of a known remote access trojan called Gh0st RAT, which is widely used by Chinese hacking groups.

The starting point of the attack is a phishing email that masquerades as a message from the government or a business partner, using lures related to taxes, invoices, and pensions to persuade recipients to open the attachment. Alternate attack chains have been found to use an embedded image that, when clicked, downloads the malware.

The PDF files, in turn, contain a link that redirects potential targets to a download page hosting a ZIP archive. Present within the archive are several legitimate executables, shellcode loaders, and encrypted shellcode.
The multi-stage infection sequence involves the use of the shellcode loader to decrypt and execute the shellcode, which is nothing but DLL files sideloaded by the legitimate binaries using DLL side-loading techniques. Intermediate payloads deployed as part of the attack incorporate anti-VM and privilege escalation checks so as to ensure that the malware runs unimpeded on the compromised host.
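The archive layout described above (legitimate EXEs, DLLs placed beside them for side-loading, and opaque encrypted payload files such as the reported "msgDb.dat") is a pattern a mail gateway or sandbox can triage before anything runs. The script below is an added example and is not Fortinet's or The Hacker News' code: it walks a ZIP, classifies members by PE magic and extension, measures the Shannon entropy of non-PE files to spot encrypted or packed blobs, and flags an archive when an EXE shares a directory with a DLL and a high-entropy blob is present. The sample archives are constructed inline; the names viewer.exe, helper.dll and the invoice/ folder are invented, and the 7.0 bits-per-byte threshold is an assumed triage cut-off, not a value from the report.

```python
"""Triage a ZIP attachment for the EXE + sibling DLL + opaque blob bundle
that characterises DLL side-loading droppers. Added example, not the
vendor's code; sample archives are constructed below."""
import hashlib
import io
import math
import posixpath
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # bits/byte; encrypted or compressed data sits close to 8.0 (assumed cut-off)
MIN_BLOB_SIZE = 256       # entropy of very small files is noisy, so ignore them


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """Cheap PE check on the DOS header magic; sufficient for triage."""
    return data[:2] == b"MZ"


def triage_archive(zip_bytes: bytes) -> dict:
    """Classify archive members and flag the side-loading bundle pattern."""
    result = {"executables": [], "dlls": [], "opaque_blobs": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename
            ext = posixpath.splitext(name.lower())[1]
            if is_pe(data) and ext == ".exe":
                result["executables"].append(name)
            elif is_pe(data) and ext == ".dll":
                result["dlls"].append(name)
            elif not is_pe(data) and len(data) >= MIN_BLOB_SIZE:
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    result["opaque_blobs"].append((name, round(ent, 2)))
    # Side-loading requires the DLL to sit in the same directory as the EXE that loads it.
    exe_dirs = {posixpath.dirname(e) for e in result["executables"]}
    dll_dirs = {posixpath.dirname(d) for d in result["dlls"]}
    colocated = bool(exe_dirs & dll_dirs)
    result["suspicious"] = colocated and bool(result["opaque_blobs"])
    return result


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for encrypted shellcode."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def _fake_pe(size: int = 512) -> bytes:
    """Minimal stand-in for a PE file: DOS magic followed by zero padding."""
    return b"MZ" + b"\x00" * (size - 2)


def build_sample(suspicious: bool) -> bytes:
    """Constructed archives: one mimicking the described bundle, one benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice/viewer.exe", _fake_pe())               # host binary (invented name)
        if suspicious:
            zf.writestr("invoice/helper.dll", _fake_pe())           # side-loaded DLL (invented name)
            zf.writestr("invoice/msgDb.dat", _pseudo_random(4096))  # opaque payload; name from the report
        else:
            zf.writestr("invoice/readme.txt", b"Quarterly invoice attached.\n" * 40)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("suspicious", True), ("benign", False)):
        print(label, triage_archive(build_sample(flag)))
```

Entropy alone is a weak signal (legitimate archives contain compressed images and signed installers), so the flag only fires on the combination; in practice a gateway would also check Authenticode signatures on the EXE and DLL and whether the DLL name matches one the host binary is known to import.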

The attack culminates with the execution of "msgDb.dat," which implements command-and-control (C2) capabilities to collect user information and download additional modules that provide file management and remote desktop functionality.
Fortinet said it also discovered the threat actor propagating Gh0stCringe via PDF attachments in phishing emails that take users to document download HTM pages.
"The attack chain includes numerous snippets of shellcode and loaders, making the attack flow complex," the company said. "Across Winos, HoldingHands, and Gh0stCringe, this threat group continuously evolves its malware and distribution techniques."
