{
	"id": "4e1145ea-1e96-4f1d-92a9-056b843673fa",
	"created_at": "2026-04-06T00:21:19.542348Z",
	"updated_at": "2026-04-10T03:20:52.49706Z",
	"deleted_at": null,
	"sha1_hash": "6b89fbf3b0f09cb041be6194badc50bda69b9209",
	"title": "Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3573582,
	"plain_text": "Winos 4.0 Spreads via Impersonation of Official Email to Target\r\nUsers in Taiwan | FortiGuard Labs\r\nBy Pei Han Liao\r\nPublished: 2025-02-27 · Archived: 2026-04-05 15:49:18 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Microsoft Windows\r\nImpact: The stolen information can be used for future attack\r\nSeverity Level: High\r\nIn January 2025, FortiGuard Labs observed an attack that used Winos4.0, an advanced malware framework\r\nactively used in recent threat campaigns, to target companies in Taiwan. Figure 1 shows an example of the attack\r\nchain. Usually, there is a loader that is only used to load the malicious DLL file, and the Winos4.0 module is\r\nextracted from the shellcode downloaded from its C2 server.\r\nFigure 1: Attack flow\r\nPhishing\r\nAccording  to a report released in November 2024, Winos4.0 was distributed through gaming-related applications,\r\nhowever, it spread via an email masquerading as from Taiwan's National Taxation Bureau in the campaign in\r\nJanuary 2025. The sender claimed that the malicious file attached was a list of enterprises scheduled for tax\r\ninspection and asked the receiver to forward the information to their company's treasurer.\r\nhttps://www.fortinet.com/blog/threat-research/winos-spreads-via-impersonation-of-official-email-to-target-users-in-taiwan\r\nPage 1 of 15\n\nFigure 2: Phishing mail\r\nThe attachment also masquerades as an official document from the Ministry of Finance. It asks the victim to\r\ndownload the attached list of enterprises slated for tax inspection. 
However, the list is a ZIP file containing a malicious DLL for the next attack stage.\r\nFigure 3: PDF file in the phishing email\r\nlastbld2Base.dll and its shellcode\r\nThe files in the ZIP file are executed in the following sequence: 20250109.exe, ApowerREC.exe, and lastbld2Base.dll. 20250109.exe is a launcher originally used to execute the real ApowerREC.exe in ./app/ProgramFiles. The attacker created the same folder structure in the ZIP file and used a loader to replace ApowerREC.exe. The fake ApowerREC.exe does nothing but call a function imported from lastbld2Base.dll. When an executable file is run, it loads all necessary DLL files and executes their entry functions. As a result, the DllMain function of lastbld2Base.dll, where the malicious code is located, is executed when the fake ApowerREC.exe runs.\r\nFigure 4: The entry point of the fake ApowerREC.exe\r\nlastbld2Base.dll decrypts its data to get the shellcode for the next stage. At the bottom of the shellcode are configurations, including the IP address of the C2 server, the name of the base registry key for the next stage, and flags for the features of the current stage.\r\nFigure 5: The configuration at the bottom of the shellcode\r\nThe optional features include permission evaluation, hiding the window of the current process, and anti-sandbox functions. 
If higher permission is needed in this attack, it tests the current permissions by opening the registry key HKEY_LOCAL_MACHINE\\SOFTWARE and executing ApowerREC.exe as an administrator.\r\nFor the anti-sandbox function, it takes two screenshots two seconds apart. If more than 20,000 pixels differ in the second screenshot, which indicates that a user is active on the computer, it performs its remaining tasks. Otherwise, it continues taking screenshots and comparing them with the first one for at most one hour. After the optional features are run, it downloads the encrypted shellcode data and the Winos4.0 module from its C2 server. The encrypted data is written to HKEY_CURRENT_USER\\B118D5E900008F7A, the base registry key for configurations in the next stage, with a value name of “0”. After this, it decrypts the data to get the shellcode, followed by the partially decrypted data of the module.\r\nShellcode from server\r\nThe new shellcode decrypts the data with another algorithm to get a DLL file and parses its export table to get the address of the only exported function.\r\nFigure 6: Data for the Winos4.0 module follows the shellcode\r\n登录模块.dll (login module)\r\nIn this attack, the module from the C2 server creates eight threads to perform different tasks: MainThread, CloseWindow, Screenshot, Keylog, Clipboard, USB, ReadReg, and Anti-AV.\r\nMainThread\r\nMutex: Global\\MainThreadB118D5E900008F7A\r\nThe MainThread creates the remaining seven threads. 
In addition, it performs the following actions:\r\nPersistence\r\nIf the parent process is service.exe, it drops a copy of itself as C:\\ProgramData\\BITTS2.exe\r\nDeactivate screen saver\r\nIt calls the following APIs with specific constants to ensure the computer stays active:\r\nAPI: SystemParametersInfoW | Constant: SPI_SETSCREENSAVEACTIVE | Description: Deactivates the screen saver\r\nAPI: SetThreadExecutionState | Constants: ES_CONTINUOUS, ES_AWAYMODE_REQUIRED, ES_SYSTEM_REQUIRED | Description: Enables Away mode so the program keeps working while the computer appears to be sleeping\r\nAPI: PowerSetRequest | Constant: PowerRequestDisplayRequired | Description: The display remains on even if the computer is idle\r\nBypass UAC\r\nIt bypasses the UAC (User Account Control) prompt by changing the following registry values to specific values:\r\nRegistry key: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\nValue name: ConsentPromptBehaviorAdmin\r\nValue: 0\r\nDescription: Allows the Consent Admin to perform an operation that requires elevation without consent or credentials.\r\nRegistry key: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\nValue name: PromptOnSecureDesktop\r\nValue: 0\r\nDescription: Disables secure desktop prompting\r\nExecute DLL\r\nIt decrypts data stored in the values of HKEY_CURRENT_USER\\B118D5E900008F7A\\PLUG\\0\\{key name}. The result can be written to a file named {key name}.dll or loaded in memory.\r\nFigure 7: Encrypted data from the C2 server.\r\nCollect user information\r\nIt collects the computer name, architecture, version, anti-virus software, video capture device, and timestamp.\r\nCloseWindow\r\nMutex: Global\\ClosewWindow\r\nIt calls 
the EnumWindows function to enumerate all visible windows and find the windows of kxecenter (Kingsoft Security) and HipsTray (Huorong). It checks the window's width to ensure it is the security prompt window. When the target window is found, it clicks the \"Permit\" button on the prompt window.\r\nFigure 8: Huorong prompt window\r\nScreenshot\r\nMutex: Global\\ScreenShotB118D5E900008F7A\r\nIt takes screenshots of applications that contain the keywords stored in the value picshotdata of HKEY_CURRENT_USER\\B118D5E900008F7A, and the screenshots are saved to C:\\ProgramData\\B118D5E900008F7A\\{keyword}\\{Date}. If picshotdata doesn’t exist, this thread will not be executed.\r\nFigure 9: An example of the folder structure\r\nKeylog\r\nMutex: Global\\KeylogB118D5E900008F7A\r\nIt keeps checking the value KEYLOG of HKEY_CURRENT_USER\\B118D5E900008F7A. If the value is 1, it creates a mutex C:\\ProgramData\\B118D5E900008F7A\\Regedit.log and starts recording the user's keystrokes and the contents of the clipboard. The data is written to C:\\ProgramData\\B118D5E900008F7A\\Regedit.log.\r\nFigure 10: An example of the Regedit.log.\r\nClipboard\r\nMutex: Global\\ClipboardB118D5E900008F7A\r\nIt replaces keywords in the clipboard with the text stored in the registry value clipboarddata of HKEY_CURRENT_USER\\B118D5E900008F7A. The value contains three properties: Mode, Expression, and Replace. 
When Mode is “Modify,” Expression specifies the pattern to look for in the clipboard, and Replace specifies the replacement. If clipboarddata doesn’t exist, this thread will not be executed.\r\nUSB\r\nMutex: Global\\UsbB118D5E900008F7A\r\nIt collects the names of connected USB devices every three seconds, except for those that include the following keywords: mouse, keyboard, wlan, lenovo, and sanmsung (a misspelling of samsung). If a USB device is inserted or removed, it updates the device list with a Chinese annotation that means “USB device inserted” or “USB device removed.”\r\nFigure 11: Recording changes of the connected device list in Chinese.\r\nReadReg\r\nIt reads the value B118D5E900008F7A0 from HKCU\\Console to get the shellcode and executes it every five seconds.\r\nAnti-AV\r\nFirst, it bypasses the UAC prompt by modifying the registry values mentioned in MainThread. Then, it calls GetTcpTable2 to obtain the active TCP connections. If a TCP connection is owned by a 360Safe, Kingsoft, or Huorong process, it disables it.\r\nOther Attack Chains\r\nThere are other attack chains used in this campaign.\r\nFigure 12: Another attack flow\r\nThe file 查看10.exe (view10) is compiled from a Python script by Nuitka, and it loads Python311.dll, which is the malicious file. The shellcode from Python311.dll decrypts its data to get a DLL file that writes another shellcode to the registry value hrqnmlb{XXXXXX} under HKCU\\Console\\, and the shellcode is also saved as bb.jpg in C:\\Users\\Public\\Download. The shellcode plays the same role as the shellcode from lastbld2Base.dll mentioned above. 
However, its marker string is one used by a version preceding the one described in a report released in November 2024.\r\nFigure 13: The shellcode in the registry key and bb.jpg\r\nAnother point worth mentioning is that the DLL contains multiple snippets of shellcode that are identical to Figure 13 except for the C2 domain. While only 9010[.]360sdgg[.]com is used in this attack, other domains have been observed in different campaigns.\r\nFigure 14: Multiple snippets of shellcode are found in the DLL file.\r\nThe 上线模块.dll (online module) is used to take screenshots of WeChat and online banking, and akagi.exe is a module of UACMe.\r\nConclusion\r\nWinos4.0 makes good use of registry keys. The C2 server writes most configurations for optional features and encrypted data to the values of the base registry key and its subkeys. This provides the flexibility of optional features. However, it is also a good hint for forensic analysis: we can rebuild files from the data and perform further analysis. FortiGuard will continue monitoring these attack campaigns and providing appropriate protections as required.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nPDF/Agent.A6DC!tr.dldr\r\nW32/Agent.7BBA!tr\r\nW64/UACMe.O!tr\r\nW64/ValleyRat.A!tr.spy\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. 
As a result, customers who have these products with up-to-date protections are protected.\r\nThe FortiGuard CDR (content disarm and reconstruction) service, which runs on both FortiGate and FortiMail, can disarm the malicious macros in the document.\r\nWe also suggest that organizations go through Fortinet’s free NSE training module: FCF Fortinet Certified Fundamentals. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response 
Team.\r\nIOCs\r\nIP\r\n43[.]137[.]42[.]254\r\n206[.]238[.]221[.]60\r\n206[.]238[.]221[.]240\r\n124[.]156[.]100[.]172\r\n206[.]238[.]221[.]244\r\nDomain\r\n1234[.]360sdgg[.]com\r\n9001[.]360sdgg[.]com\r\n9002[.]360sdgg[.]com\r\n9003[.]360sdgg[.]com\r\n9005[.]360sdgg[.]com\r\n9006[.]360sdgg[.]com\r\n9007[.]360sdgg[.]com\r\n9009[.]360sdgg[.]com\r\n9010[.]360sdgg[.]com\r\nffggssa-1329400280[.]cos[.]ap-guangzhou[.]myqcloud[.]com\r\nfuued5-1329400280[.]cos[.]ap-guangzhou[.]myqcloud[.]com\r\n0107-1333855056[.]cos[.]ap-guangzhou[.]myqcloud[.]com\r\nrgghrt1140120-1336065333[.]cos[.]ap-guangzhou[.]myqcloud[.]com\r\nhei-1333855056[.]cos[.]ap-guangzhou[.]myqcloud[.]com\r\nchakan202501-1329400280[.]cos[.]ap-guangzhou[.]myqcloud[.]com\r\nwrwyrdujtw114117-1336065333[.]cos[.]ap-guangzhou[.]myqcloud[.]com\r\nfdsjg114-1336065333[.]cos[.]ap-guangzhou[.]myqcloud[.]com\r\nsjujfde-1329400280[.]cos[.]ap-guangzhou[.]myqcloud[.]com\r\nhtrfe4-1329400280[.]cos[.]ap-guangzhou[.]myqcloud[.]com\r\n0611-1333855056[.]cos[.]ap-guangzhou[.]myqcloud[.]com\r\ntwzfw[.]vip\r\nPhishing mail\r\n36afc6d5dfb0257b3b053373e91c9a0a726c7d269211bc937704349a6b4be9b9\r\n0e3c9af7066ec72406eac25cca0b312894f02d6d08245a3ccef5c029bc297bd2\r\n67395af91263f71cd600961a1fd33ddc222958e83094afdde916190a0dd5d79c\r\nf4d3477a19ff468d234a5e39652157b2181c8b51c754b900bcfa13339f577e7c\r\nc9a8db23d089aa71466b4bde51a51a8cfdcc28e8df33b4c63ce867bd381e5fe5\r\nPDF\r\ne2b75baeb7ed21fb8f27984f941286770d1c3c0b60fce8d7fa5b167bd24ba6dc\r\ndffbeefc632b20d2ef867553684e9971ab76e1223e743604a5275713423b6168\r\n20c34b5f0983021414b168913c3da267caf298d8f0f5e3ec0ce97db5f4f48316\r\n6c33715a14fdc917b5b09b6e1b5dad07bb769493eafbf7ca1023830b4059e003\r\n75a4d75c35724140149c9c5056c1bcbd328bbe1e5d1d1ef34205ed5442d2b348\r\nfed394a3653b7c6fcc1b277eda6e18eb0983a7e024be5b51e5188b3cfb9512e8\r\na067d848f099e6d1e465f9761a5b85392d550303bfa75fac920d444fd980c949\r\nc55757075259fa4be6941dd273c4a4a2fcc29e6ba427dec124b25b299b3505fe\r\n64a876e6cb3cf3122febc84a00ec3e0740c054cff955164971c470e1b5e5f1bb\r\nd4ac82de8dda9796579cd8ea0f84b43c7a980cdb0e9cdb8abe8981a2d215ed2f\r\n(20c34b5f0983021414b168913c3da267caf298d8f0f5e3ec0ce97db5f4f48316 Corrupt)\r\nDLL\r\n268c72f5482374660a132d1b91cac0c04b4724a214db4f052eb421e36c282921\r\n0a4bbb998bd3a3bcc72cf759689a5656dc74590b731d0affbfc317cf484ed28b\r\n79c64d2e77acdbcdbd35cbb29497941335d7e3ab6ebb474064f095e745f0d643\r\n7f22305679e46e1fd5043beb136108197c0921643ce0d680f990a3018ade485b\r\n594d907855d35ee7689a568e4ac43e4e0ed90de047d91b0253ef79da71ecbc08\r\n1f3b041eee1ece8cf6aa5c742aeb8c0ac2266cccecca7888772509227c4f8669\r\n514933468ac1dd9f7db4e2693f1be7f84deb35c33f8f9934fad32caaae9ef611\r\n7a5b26f6dd7b8e0d648e9804ec932603b7d7a5f76c7a8c537ab0c2be54f51fa9\r\n8b1b9a789136ca3abe25938204845c351aaf0c97c0708ade8d4d8ba4ded95ba7\r\n1ad1f2eec961bc7a35abeac486f843b7caece0929b13f1dab47fbdc0406ac4e3\r\n4c1ea827713f1eb57cc0e8e9d171d4e21d116f846b174bc05114eef5674c9653\r\n1a342426d59e7fdc4abfb74c2225f68382172e03b0f8d496a57ae647411f0fbd\r\n2ce73cbfab0beb3663c0151ba7c310e4dbf69f295d8a18114435506483d774ac\r\n76ac08358f230bca3e8b8448b3c177094aeac25402b929f5f73869ec77173a44\r\nSource: https://www.fortinet.com/blog/threat-research/winos-spreads-via-impersonation-of-official-email-to-target-users-in-taiwan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/winos-spreads-via-impersonation-of-official-email-to-target-users-in-taiwan"
	],
	"report_names": [
		"winos-spreads-via-impersonation-of-official-email-to-target-users-in-taiwan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434879,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b89fbf3b0f09cb041be6194badc50bda69b9209.pdf",
		"text": "https://archive.orkl.eu/6b89fbf3b0f09cb041be6194badc50bda69b9209.txt",
		"img": "https://archive.orkl.eu/6b89fbf3b0f09cb041be6194badc50bda69b9209.jpg"
	}
}