{
	"id": "53963064-b5b6-4316-9f58-fb43f4f6d225",
	"created_at": "2026-04-06T00:10:57.47547Z",
	"updated_at": "2026-04-10T03:21:09.084286Z",
	"deleted_at": null,
	"sha1_hash": "3e534a6033a9dbe18d2db09c93cbd3bea641d8ae",
	"title": "Threat Group Targets Companies in Taiwan | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5178940,
	"plain_text": "Threat Group Targets Companies in Taiwan | FortiGuard Labs\r\nBy Pei Han Liao\r\nPublished: 2025-06-17 · Archived: 2026-04-05 20:29:47 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Microsoft Windows\r\nImpact: The stolen information can be used for future attacks\r\nSeverity Level: High\r\nIn January 2025, FortiGuard Labs observed an attack targeting users in Taiwan. The threat actor is spreading the malware known as winos 4.0 via an email masquerading as being from Taiwan's National Taxation Bureau.\r\nThrough continued monitoring, we identified further malware samples associated with this campaign. Among the new samples, a phishing email was sent in March 2025 with an attachment that contained a link used in another attack campaign.\r\nFigure 1: The HTML file in the phishing email\r\nThe first link belongs to the domain twszz[.]xin, which follows a similar naming pattern to the campaign targeting users in Taiwan. The second link directs to an image file about tax inspection, while the HTML filename claims to include account statement details.\r\nThis link enabled us to trace the attack and identify additional malware samples, along with further links. Figure 2 provides a simplified threat map. The files on the left side of Figure 2 are XLS files used in campaigns that took place in June 2024.\r\nhttps://www.fortinet.com/blog/threat-research/threat-group-targets-companies-in-taiwan\r\nPage 1 of 17\n\nFigure 2: Threat map\r\nOver the past few months, this threat group has deployed malware based on the HoldingHands RAT (Remote Access Trojan), also known as Gh0stBins, to compromise users in Taiwan. 
The malware typically comprises multiple files embedded within a ZIP file and is distributed via phishing emails.\r\nFigure 3: Attack flow\r\nPhishing\r\nPhishing emails typically masquerade as messages from the government or business partners, using topics such as taxes, pensions, invoices, and other subjects that prompt the recipient to immediately click on or open an attachment. Sometimes, the email content can be a picture with a hyperlink that asks the recipient to click on it, inadvertently downloading the malware.\r\nFigure 4: An example of an email containing a picture with a hyperlink\r\nThe attached PDF file uses content related to the phishing email to trick the recipient into opening the link. In newer attack chains, the link leads to a download page.\r\nFigure 5: An example of a phishing email\r\nFigure 6: The PDF file attached to the email in Figure 3\r\nThe malware download page looks much simpler than the PDF file and email. It only contains text and a download button. In some attack chains, the malware is embedded in a password-protected ZIP file, and the password is on the download page. This prevents analysts who get the ZIP file but don't have access to the download page from opening it.\r\nFigure 7: An example of the download page with a password\r\nZIP file\r\nMultiple files are used during the attack, including legitimate executable files and necessary DLL files, encrypted shellcode, and shellcode loaders. 
The shellcode loaders, which decrypt and execute the encrypted shellcode, are DLL files loaded by a legitimate executable via side-loading.\r\nFigure 8: An example of the execution flow of the files in the ZIP file\r\nFigure 8 shows an example of the files embedded in the ZIP file and the execution flow. 條例檔案 is the legitimate executable file used to load dokan2.dll via side-loading. In addition to the main execution flow, encrypted shellcodes support persistence, and empty files provide unique filenames. Although the ZIP files downloaded from different PDF files and webpages may have varying folder structures and files, their execution flows are similar to those shown in Figure 8. Sometimes, the ZIP file only contains an executable that drops the duplicate files observed in other chains. According to the image debug directory of the executable file, the malware is based on the HoldingHands Remote Access Trojan (RAT).\r\nFigure 9: The image debug directory of the executable file in other attack chains.\r\nOver the past two months, the ZIP file has included a text file containing the passwords for other files in the ZIP file, which makes detection more difficult.\r\nFigure 10: An example of the password-protected ZIP file\r\nDokan2.dll\r\nDokan2.dll creates a thread to decrypt data in dxpi.txt and execute it. Before this, it calls the ShowWindow function to hide the window of the executable that side-loaded it. It then searches for kernel32.dll and DwhsOqnbdrr.dll by comparing the lengths of the filenames of the files extracted from the ZIP file. DwhsOqnbdrr.dll is an empty file. By shifting each letter in the filename “DwhsOqnbdrr” forward one position in the alphabet, it becomes ExitProcess, and the loader resolves that function from the kernel32.dll it just found. 
It replaces the address of the ExitProcess function in the import table with the address of a function that calls the WaitForSingleObject function to wait for a signal from the thread that decrypts dxpi.txt.\r\nWhen the thread finishes, it calls the ExitProcess function that it just loaded. In the thread, it executes the 條例檔案 as an administrator if it doesn’t have high enough privileges. Then it searches for collalautriv.xml and converts the filename to get VirtualAlloc, the API used in decryption.\r\ndxpi.txt\r\ndxpi.txt executes initial setups for the next stage, including anti-VM, privilege escalation, and installation.\r\nAnti-VM\r\nThis function checks the amount of physically installed RAM because many sandboxes and virtual machines are assigned lower amounts of memory to reduce system load. If the amount of physically installed RAM is less than 8 GB, it exits.\r\nPrivilege escalation\r\nFirst, it enables the SeDebugPrivilege privilege to bypass the access restriction of WinLogon. It then calls the ImpersonateLoggedOnUser function to impersonate the user (SYSTEM) of WinLogon. Finally, it impersonates the TrustedInstaller service’s thread to obtain the highest privilege.\r\nInstallation\r\nIt creates a registry key as an infection marker:\r\nSubkey: SOFTWARE\\MsUpTas\r\nValue name: State\r\nValue: 1\r\nIn addition, it drops other files extracted from the ZIP file to C:\\Program Files (x86)\\WindowsPowerShell\\Update.\r\nOriginal filename | Filename of dropped file | Description\r\nbkproc.dll | TaskServer.exe | The same file as the 條例檔案.\r\ncode.dll | code.bin | It’s copied as System32\\msvchost.dat.\r\nDb.dll | msgDb.dat | The malicious payload. Shellcode based on HoldingHands.\r\nDoport.dll | dokan2.dll | Shellcode loader for msgDb.dat.\r\nEGLProtect.dll | libEGL.dll | The legitimate DLL file for 條例檔案.\r\nfig32.dll | config32.bin | Unused. It renames the legitimate version.dll as confVersion.dll and writes the decrypted data of config32.bin to SysWOW64\\version.dll if it’s used.\r\nfig64.dll | config64.bin | It renames the legitimate TimeBrokerClient.dll as BrokerClientCallback.dll and writes the decrypted data of config64.bin to TimeBrokerClient.dll.\r\nsimg32.dll | simg64.dll | Binary file that is used by msvchost.dat.\r\nIn addition, it terminates if BrokerClientCallback.dll and Blend.dll are present, indicating that the computer is already infected. Blend.dll is the legitimate msimg32.dll that is later renamed by msvchost.dat. After installation, it executes TaskServer.exe, which loads dokan2.dll via side-loading. Dokan2.dll then decrypts and executes the shellcode in msgDb.dat for the next stage.\r\nOther files\r\nfig64.dll→config64.bin→TimeBrokerClient.dll\r\nThe original TimeBrokerClient.dll is a legitimate DLL related to TaskScheduler loaded by svchost.exe. The fake one terminates if the calling process is not svchost.exe. After a command-line check, it decrypts and runs the shellcode in msvchost.dat.\r\ncode.dll→code.bin→msvchost.dat\r\nThe fake TimeBrokerClient.dll executes this. It only continues when the command line is C:\\windows\\system32\\svchost.exe -k netsvcs -p -s Schedule and avp.exe (Kaspersky) is not running. 
After the check, it uses the same method as dxpi.txt to escalate privileges and then copies files from C:\\Program Files (x86)\\WindowsPowerShell\\Update to C:\\Windows\\System32:\r\nOriginal filename | Filename of dropped file | Description\r\nmsgDb.dat | system.dat, mymsc.nls | The malicious payload.\r\ndokan2.dll | dokan2.dll | Shellcode loader for msgDb.dat.\r\nlibEGL.dll | libEGL.dll | The legitimate DLL file for 條例檔案.\r\nTaskServer.exe | taskyhost.exe | The same file as the 條例檔案.\r\nsimg64.dll | msimg32.dll | Shellcode loader for system.dat.\r\nsimg32.dll→simg64.dll→msimg32.dll\r\nThe original msimg32.dll is a legitimate Microsoft graphics device DLL used by many applications, including LINE and WeChat. The fake msimg32.dll terminates if the calling process is not LINE.exe or WeChat.exe. It also sleeps if TaskServer.exe is running. After the check, it decrypts and runs the shellcode in system.dat (the malicious payload).\r\nfig32.dll→config32.bin→SysWOW64\\version.dll (if used)\r\nThe original version.dll is a legitimate DLL file about version information used by many applications. The fake version.dll is not used in this attack chain, and its code is incomplete. By comparing its code to the version.dll dropped in other attack chains, we assume it is a shellcode loader for the malicious payload, similar to msimg32.dll.\r\nmsgDb.dat\r\nMsgDb.dat implements C2 tasks for setting registry keys, data collection, and module download from the HoldingHands RAT. It also sends heartbeat packets to ensure the connection is active.\r\nBelow is the packet's data structure, excluding the header. 
The packets from msgDb.dat and the C2 server follow this structure.\r\nOffset 0x00-0x0F: Magic, Data size, Unused, Command\r\nOffset 0x10 onward: Payload (optional)\r\nMagic: 0xDEADBEEF\r\nData size: The size of the command and the payload\r\nThe first outgoing packet doesn’t contain a payload. The KNEL command indicates that the packet is from a kernel module. As a response, the C2 server sends a data collection request. After sending the user information, msgDb.dat sends heartbeat packets and waits for further instructions.\r\nHeartbeat\r\nCommand: 0x12, 0x13, 0x14\r\nmsgDb.dat sends heartbeat packets every three minutes, and the C2 server responds with command 0x12. In addition, msgDb.dat sends a packet with command 0x13 after the computer has been idle for 30 seconds and 0x14 when user activity resumes.\r\nData Collection\r\nCommand: 0x00, 0x01\r\nPayload: Delivers user information, including IP address, computer name, user name, operating system, architecture, install time, CPU frequency, number of processors, physical memory, registry values set by other commands, and the interval between pings to the C2 server.\r\nThe response command is 0x00. To get the install date, it reads the InstallDate value from the SOFTWARE\\HHClient registry key. If this is the first time the C2 server queries for this information, it writes the current time to the value. The registry values set by other commands are Comment and Group from the SOFTWARE\\HHClient registry key. 
If the Comment value is not set, it writes “default” to the packet.\r\nFigure 11: The packet containing victim information\r\nEdit Comment\r\nCommand: 0x04, 0x05\r\nPayload: Value of Comment\r\nIt writes data from the server to the Comment value in the SOFTWARE\\HHClient registry key. The result is sent to the C2 server with 0x05.\r\nEdit Group\r\nCommand: 0x06\r\nPayload: Value of Group\r\nIt writes data from the server to the Group value in the SOFTWARE\\HHClient registry key, and the result is sent to the C2 server with 0x07.\r\nModule Info\r\nCommand: 0x0A, 0x0B\r\nPayload: Module size and module name\r\nThis is the name and size of the module to be executed. It is sent when the current module is not the module specified by the server. msgDb.dat then requests the module data from the C2 server using the information from the server and command 0x0B.\r\nAdd module\r\nCommand: 0x0B, 0x0C\r\nPayload: module size, data size in this packet, module data\r\nFigure 12: Packet from server\r\nOnce all data is downloaded, msgDb.dat executes the module. Otherwise, it sends 0x0B to ask for more data.\r\nDuring our analysis, we identified three modules delivered by the C2 server, including two remote desktop modules and a file manager. msgDb.dat calls the only export function, ModuleEntry, to proceed to the next stage of the attack. Below are the commands in the initial packet:\r\nModule name | Command | Description\r\nrd | RDTP | Remote desktop\r\nrd_dxgi | RDTP | Remote desktop\r\nfilemgr | FMGR | File manager\r\nThe modules' packets follow the same structure as those of msgDb.dat.\r\nFigure 13: The communication between the C2 server and the filemgr module.\r\nThe modules' image debug directories indicate that they also belong to the HoldingHands RAT. 
Some modules appear to be simplified versions, as indicated by the term 'jingjianban' (meaning 'lite version' in Chinese) in the Image Debug Directory.\r\nFigure 14: The image debug directory of the rd module.\r\nRun Module\r\nCommand: 0x09, 0x11\r\nPayload: Module name and function name\r\nThis command asks msgDb.dat to run the module specified by the payload. If the module is not found, msgDb.dat sends command 0x09 along with the module name to request module information.\r\nExit\r\nCommand: 0x15\r\nTerminates.\r\nOther Attack Chains\r\nIn addition to winos, which we covered in February 2025, and HoldingHands, discussed in this article, this threat group frequently employs Gh0stCringe. Figures 5 through 7 include screenshots of files in this attack chain.\r\nFigure 15: Attack chain of Gh0stCringe\r\nConclusion\r\nThis analysis revealed further malware samples associated with the attack that began targeting Taiwan in January 2025. The attack chain comprises numerous snippets of shellcode and loaders, making the attack flow complex. However, the purpose of these samples is to execute a malicious payload that accesses a C2 server to receive further instructions. Across winos, HoldingHands, and Gh0stCringe, this threat group continuously evolves its malware and distribution strategies.\r\nFortiGuard will continue to monitor these attack campaigns and provide appropriate protections as required.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nPDF/Agent.A6DC!tr.dldr\r\nW64/ShellcodeRunner.ARG!tr\r\nW64/Agent.FIN!tr\r\nW64/HHAgent.BEE8!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. 
As a result, customers who have installed the latest updates for these products are protected.\r\nThe FortiGuard CDR (Content Disarm and Reconstruction) service, which runs on both FortiGate and FortiMail, can disarm malicious macros in documents.\r\nWe also suggest that organizations go through Fortinet’s free NSE training module: FCF Fortinet Certified Fundamentals. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nFortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.\r\nIOCs\r\nSource: https://www.fortinet.com/blog/threat-research/threat-group-targets-companies-in-taiwan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/threat-group-targets-companies-in-taiwan"
	],
	"report_names": [
		"threat-group-targets-companies-in-taiwan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434257,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e534a6033a9dbe18d2db09c93cbd3bea641d8ae.pdf",
		"text": "https://archive.orkl.eu/3e534a6033a9dbe18d2db09c93cbd3bea641d8ae.txt",
		"img": "https://archive.orkl.eu/3e534a6033a9dbe18d2db09c93cbd3bea641d8ae.jpg"
	}
}