
FortiGuard Labs Threat Research Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan


Jasper_The_Rasper
Moderator

By Pei Han Liao | February 27, 2025

 

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High

In January 2025, FortiGuard Labs observed an attack that used Winos4.0, an advanced malware framework actively used in recent threat campaigns, to target companies in Taiwan. Figure 1 shows an example of the attack chain. Usually, there is a loader that is only used to load the malicious DLL file, and the Winos4.0 module is extracted from the shellcode downloaded from its C2 server.

Figure 1: Attack flow


 

Phishing

According to a report released in November 2024, Winos4.0 was distributed through gaming-related applications. In the January 2025 campaign, however, it spread via an email masquerading as a message from Taiwan's National Taxation Bureau. The sender claimed that the attached malicious file was a list of enterprises scheduled for tax inspection and asked the recipient to forward the information to their company's treasurer.

 

>>Full Article<<
