Tuesday, May 6, 2025
Winos4.0 Malware Targets Windows Users Through Malicious PDF Files

A new wave of cyberattacks leveraging the Winos4.0 malware framework has targeted organizations in Taiwan through malicious PDF attachments disguised as tax inspection alerts, according to a January 2025 threat analysis by FortiGuard Labs. 

The campaign employs multi-stage payload delivery, anti-forensic techniques, and automated security bypass mechanisms to establish persistent access to victim networks while evading detection.

Phishing Campaign Masquerades as Tax Authority Communications

The attack chain begins with phishing emails purportedly sent from Taiwan’s National Taxation Bureau, claiming to contain a list of enterprises scheduled for tax audits. 

Phishing mail

These emails direct recipients to download a malicious ZIP archive attached to a PDF document formatted as an official Ministry of Finance memorandum.

Analysis reveals the PDF (detected as PDF/Agent.A6DC!tr.dldr) contains socially engineered text prompting victims to extract and execute the “20250109.exe” loader from the attached archive.

FortiGuard researchers note this represents a tactical shift from earlier Winos4.0 distribution methods observed in November 2024, which relied on compromised gaming applications. 

The strategic use of tax-themed lures during fiscal year-end periods increases click-through rates among corporate finance teams, particularly treasurers explicitly named in the phishing content.

Technical Execution Flow and Evasion Mechanisms

Upon execution, the loader initiates a three-stage process:

  1. Fake Application Execution: The “ApowerREC.exe” file (a renamed malicious loader) triggers the import of “lastbld2Base.dll”, whose DllMain function decrypts embedded shellcode containing C2 server configurations (IP 9010[.]360sdgg[.]com) and modular plugin parameters.
  2. Anti-Analysis Countermeasures: The shellcode performs sandbox detection via sequential screenshot differential analysis, requiring >20,000 pixel variations between images captured at 2-second intervals to confirm human activity. This stalls automated analysis systems for up to one hour before proceeding.
  3. Registry-Based Payload Storage: Encrypted Winos4.0 modules write to HKEY_CURRENT_USER\B118D5E900008F7A, with secondary shellcode dynamically resolving API calls to unpack the final payload.

The entry point of the fake ApowerREC.exe

The core “loginmodule.dll” establishes eight concurrent threads for lateral movement and data harvesting:

  • MainThread: Disables screen savers via SPI_SETSCREENSAVEACTIVE and forced system wake states (ES_AWAYMODE_REQUIRED). Modifies UAC policies by setting ConsentPromptBehaviorAdmin and PromptOnSecureDesktop registry values to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  • Anti-AV Thread: Terminates TCP connections associated with 360Safe, Kingsoft, and Huorong security processes using GetTcpTable2 API hooking.
  • Clipboard Hijacking: Replaces financial keywords in clipboard data using regex patterns stored in HKEY_CURRENT_USER\B118D5E900008F7A\clipboarddata.

Forensic artifacts show the malware creates mutex objects like Global\MainThreadB118D5E900008F7A to prevent redundant infections and writes keylogged data to C:\ProgramData\B118D5E900008F7A\Regedit.log.

Mitigation Strategies and Defensive Countermeasures

FortiGuard’s response team recommends:

  1. Enabling Content Disarm & Reconstruction (CDR) on email gateways to neutralize malicious PDF macros.
  2. Monitoring registry modifications to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System for UAC bypass attempts.
  3. Deploying behavioral analysis tools to detect screenshot frequency anomalies and unscheduled system wake events.
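As an added defender-side example (not code from the FortiGuard report or from GBhackers), the PowerShell audit below checks a single host for the UAC registry values, registry store, keylog path and mutex named above; the function name Invoke-WinosArtifactAudit is my own, and the check assumes an elevated session and only inspects HKCU for the current user.

```powershell
# Added example, not part of the FortiGuard report: audit one Windows host for
# the Winos4.0 artifacts and UAC changes described in the article.
# Run in an elevated PowerShell session; HKCU is checked for the current user only.
function Invoke-WinosArtifactAudit {
    $findings = @()

    # 1. UAC policy values the MainThread forces to 0 (Windows defaults: 5 and 1).
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    foreach ($name in 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -ne $uac -and $uac.$name -eq 0) {
            $findings += "UAC weakened: $name = 0 under $uacKey"
        }
    }

    # 2. Registry store for the encrypted modules and the clipboard-hijack patterns
    #    (the article does not say whether clipboarddata is a value or a subkey, so both are checked).
    $store = 'HKCU:\B118D5E900008F7A'
    if (Test-Path $store) {
        $findings += "Winos4.0 registry store present: $store"
        $clip = Get-ItemProperty -Path $store -Name clipboarddata -ErrorAction SilentlyContinue
        if ($clip -or (Test-Path "$store\clipboarddata")) {
            $findings += "Clipboard replacement patterns present: $store\clipboarddata"
        }
    }

    # 3. Keylog output written by loginmodule.dll.
    $keylog = 'C:\ProgramData\B118D5E900008F7A\Regedit.log'
    if (Test-Path $keylog) {
        $findings += "Keylog file present: $keylog"
    }

    # 4. Infection-marker mutex. OpenExisting throws when the name is absent,
    #    so a successful open means an instance is running right now.
    $mutexName = 'Global\MainThreadB118D5E900008F7A'
    try {
        $m = [System.Threading.Mutex]::OpenExisting($mutexName)
        $m.Dispose()
        $findings += "Mutex $mutexName is held by a running process"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Clean case: no such mutex on this host.
    } catch {
        # e.g. access denied: the name exists but this session cannot open it.
        $findings += "Mutex $mutexName exists but could not be opened: $($_.Exception.Message)"
    }

    return $findings
}

$results = Invoke-WinosArtifactAudit
if ($results.Count -eq 0) { 'No Winos4.0 artifacts found' } else { $results }
```

Any finding warrants isolating the host and collecting the registry key, log file and running-process list before remediation, since the UAC values alone can also be changed legitimately by administrators.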

Fortinet’s anti-malware suite now blocks associated indicators as W32/Agent.7BBA!tr and W64/ValleyRat.A!tr.spy, with IP reputation services blacklisting confirmed C2 endpoints.

Encrypted data from the C2 server

Geopolitical Implications and Campaign Attribution

While no explicit attribution exists, targeting Taiwanese fiscal systems and using Simplified Chinese annotations in USB device logs (“USB device inserted/removed”) suggest potential ties to cross-strait advanced persistent threat groups. 

The malware’s infrastructure overlaps with domains previously hosting gaming malware, indicating possible reuse of operational resources across campaigns.

FortiGuard Labs advises organizations to prioritize NSE cybersecurity training modules focused on phishing identification and to implement application allowlisting for executable files. 

As Winos4.0 continues evolving its evasion toolkit, multi-layered defenses combining endpoint detection and network traffic analysis remain critical to mitigating these surgically precise attacks.

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
