Concise Cyber

Winos 4.0 Malware Attacks Expand to Japan and Malaysia with HoldingHands RAT

Cybersecurity researchers have identified an expansion in the targeting footprint of the threat actors behind the Winos 4.0 malware, also known as ValleyRAT. Previously focused on China and Taiwan, the group’s campaigns now target entities in Japan and Malaysia. This recent wave of attacks uses an additional remote access trojan (RAT), tracked as HoldingHands RAT or Gh0stBins. The operation is linked to an aggressive Chinese cybercrime group and marks a significant geographical expansion of its activities.

Phishing Campaign Leverages Malicious PDFs

The primary delivery method for this campaign involves sophisticated phishing techniques. According to Pei Han Liao, a researcher with Fortinet’s FortiGuard Labs, “The campaign relied on phishing emails with PDFs that contained embedded malicious links.” These deceptive files were carefully crafted to look like official documents originating from the Ministry of Finance. The PDFs contained multiple links, but one specifically delivered the Winos 4.0 malware payload to the victim’s system, exploiting the user’s trust in official-looking communications.
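The lure described above works because a PDF can carry clickable link annotations (`/Link` objects with a `/URI` action) that the reader never sees as raw text. As an added example, not code from the original post or from FortiGuard Labs, the following Python script pulls every literal `/URI` target out of a PDF and triages it against a trusted-host allowlist, so a mail gateway or analyst can see which of several links in an "official" document points somewhere unexpected. The sample PDF, the hostnames in it and the `trusted_hosts` set are all constructed placeholders, not values from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample PDF (not a sample from the campaign): one page with two link
# annotations. The hostnames are placeholders chosen to mirror the lure pattern
# (one link looks official, one fetches an installer from an unrelated host).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://ministry-of-finance.example/form.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
   /A << /S /URI /URI (http://cdn-update.example.net/installer.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches "/URI (...)" where the literal string may contain escaped parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)

# File types that a document link should not normally hand straight to the user.
EXEC_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".js",
                 ".zip", ".rar", ".7z")


def _unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URLs."""
    return (raw.replace(b"\\(", b"(")
               .replace(b"\\)", b")")
               .replace(b"\\\\", b"\\")
               .decode("latin-1"))


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target stored as a literal string, in file order."""
    return [_unescape(m) for m in URI_RE.findall(pdf_bytes)]


def triage_uris(uris: list[str], trusted_hosts: set[str]) -> list[tuple[str, list[str]]]:
    """Flag links that a defender would want a human to look at.

    Returns (uri, reasons) pairs for every link that is not HTTPS, whose host is
    outside the trusted set, or whose path ends in an executable/archive suffix.
    """
    findings = []
    for uri in uris:
        parsed = urlparse(uri)
        reasons = []
        if parsed.scheme.lower() != "https":
            reasons.append("non-https scheme")
        host = (parsed.hostname or "").lower()
        if host not in trusted_hosts:
            reasons.append(f"host {host!r} not in trusted set")
        if parsed.path.lower().endswith(EXEC_SUFFIXES):
            reasons.append("link points directly at an executable or archive")
        if reasons:
            findings.append((uri, reasons))
    return findings


if __name__ == "__main__":
    # Hypothetical allowlist: the domains a finance-ministry document may link to.
    trusted = {"ministry-of-finance.example"}
    for uri, reasons in triage_uris(extract_uris(SAMPLE_PDF), trusted):
        print(f"SUSPICIOUS {uri}: {'; '.join(reasons)}")
```

The regex only sees URIs written as plain literal strings in uncompressed objects; a PDF that stores the link as a hex string or inside a compressed object stream will hide it from this check, so a production gateway should decode the file with a full parser (for example pypdf or pdfminer) before applying the same triage rules. The allowlist is the important design choice: a lure that imitates a government ministry is caught not by the look of the document but by the one link whose host the organisation never approved.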

SEO Poisoning and Software Masquerading

Winos 4.0 is a malware family known for its diverse distribution methods, including phishing and search engine optimization (SEO) poisoning. In other campaigns, the threat actors use SEO poisoning to guide unsuspecting users to malicious websites. These sites are designed to impersonate the legitimate download pages for popular software applications. The list of spoofed software is extensive and includes well-known names such as Google Chrome, Telegram, Youdao, Sogou AI, WPS Office, and DeepSeek. By luring users into downloading these tainted installers, the attackers gain initial access to the target networks.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other persons’ work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/