Full Report
FortiGuard Labs has tracked a hacker group expanding attacks from Mainland China to Malaysia, linking campaigns through shared code, infrastructure, and tactics.
Analysis Summary
# Threat Actor: Unnamed Hacker Group (Linked by FortiGuard Labs)
## Attribution & Identity
The group is described only as a "hacker group". Its campaigns originated in **Mainland China** and subsequently expanded to targets elsewhere in Asia, including Taiwan, Japan, and Malaysia. No threat actor name or other attribution is provided in this excerpt; the only identifying information is the geographic origin.
## Activity Summary
The group demonstrated expanding operations throughout 2025, shifting focus across Asia:
1. **January 2025:** Observed active in Taiwan using the malware **Winos 4.0**.
2. **February 2025 Onward:** Operations shifted to a different malware family, **HoldingHands**, with campaigns tracked from Mainland China → Taiwan → Japan → Malaysia.
The campaigns are tied together by shared code, shared infrastructure, and common operational tactics.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing emails containing embedded malicious links within PDF documents.
- **Lures:** The PDFs impersonate official government communications (e.g., the Ministry of Finance and other government departments) or routine business documents such as purchase orders and draft tax regulations.
- **Payload Delivery (Older Variant):** Early campaigns linked to files hosted on **Tencent Cloud storage**. The account IDs embedded in those URLs are what allowed separate campaigns to be tied to the same operator.
- **Payload Delivery (Newer Variant):** Delivery shifted to attacker-controlled custom domains hosting HTML pages with download links; the download is a ZIP archive containing the final payload (an EXE).
- **Evasion/Complexity:** The ZIP archives are often password-protected, which defeats automated content inspection at the gateway and delays analysis.
- **Malware used:** Winos 4.0 and HoldingHands.
- **Linking Campaigns:** Shared infrastructure (the same Tencent Cloud account IDs, C2 addresses in the same IP range) and overlapping naming conventions (e.g., a 'tw' prefix in domain names).
- **Known C2 IP:** 156[.]251[.]17[.]9 (linked to a HoldingHands variant).
- **Affected Platforms:** Microsoft Windows.
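The password-protected ZIP described above defeats scanners that need to open the archive, but the central directory of a ZipCrypto (traditional PKWARE) archive still exposes entry names, sizes and CRCs without the password. The following is an added example, not FortiGuard's or any vendor's code, of a gateway-side triage that blocks archives advertising an executable, sends otherwise-opaque protected archives to review, and checks the `MZ` magic of readable entries so a renamed PE is still caught. The sample archives are constructed inline by a small builder so the script runs offline; the block/review/allow policy is an assumption of the example.

```python
import io
import struct
import zipfile
import zlib
from typing import Dict, List, Tuple

PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".pif")


def build_zip(entries: List[Tuple[str, bytes]], encrypted: bool = False) -> bytes:
    """Construct a minimal stored (uncompressed) ZIP in memory.

    Test scaffolding only. With encrypted=True the general-purpose flag
    bit 0 is set and each body is replaced by opaque bytes 12 bytes longer
    than the plaintext, which is what a ZipCrypto archive looks like: the
    names, sizes and CRCs stay readable in the central directory even
    though the contents cannot be extracted without the password.
    """
    flag = 0x0001 if encrypted else 0x0000
    local, central = bytearray(), bytearray()
    for name, data in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        body = bytes(len(data) + 12) if encrypted else data
        offset = len(local)
        # Local file header (30 bytes): sig, version, flags, method, time,
        # date, crc, compressed size, uncompressed size, name len, extra len.
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0,
                             crc, len(body), len(data), len(name_b), 0)
        local += name_b + body
        # Central directory header (46 bytes) pointing back at the local header.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag,
                               0, 0, 0, crc, len(body), len(data), len(name_b),
                               0, 0, 0, 0, 0, offset)
        central += name_b
    cd_offset = len(local)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                       len(entries), len(central), cd_offset, 0)
    return bytes(local) + bytes(central) + eocd


def triage_zip(blob: bytes) -> Dict[str, object]:
    """Decide what to do with an inbound ZIP without knowing its password.

    Policy (an assumption of this example, not a vendor recommendation):
      block  - an executable is present by name, or by MZ magic where the
               entry is readable
      review - password-protected and no executable is visible; names can
               lie, so a human or a sandbox with the password should look
      allow  - otherwise
    """
    encrypted = False
    executables: List[str] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            entry_encrypted = bool(info.flag_bits & 0x1)
            encrypted = encrypted or entry_encrypted
            looks_pe = info.filename.lower().endswith(PE_EXTENSIONS)
            # For readable entries check the magic, so a "tax_draft.pdf"
            # that is really a PE still trips the rule.
            if not entry_encrypted and info.file_size >= 2:
                looks_pe = looks_pe or zf.read(info)[:2] == b"MZ"
            if looks_pe:
                executables.append(info.filename)
    if executables:
        verdict = "block"
    elif encrypted:
        verdict = "review"
    else:
        verdict = "allow"
    return {"encrypted": encrypted, "executables": executables, "verdict": verdict}


# Constructed samples (not real malware): a fake PE body behind a
# document-looking double extension, as in the lures described above.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
PROTECTED_SAMPLE = build_zip([("purchase_order.pdf.exe", FAKE_PE)], encrypted=True)
RENAMED_SAMPLE = build_zip([("tax_draft.pdf", FAKE_PE)])
BENIGN_SAMPLE = build_zip([("notes.txt", b"quarterly figures\n")])

if __name__ == "__main__":
    for label, sample in [("protected", PROTECTED_SAMPLE),
                          ("renamed", RENAMED_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(label, triage_zip(sample))
```

The "review" verdict is the important one: an encrypted archive whose listed names look harmless cannot be cleared by the gateway, because the names are attacker-chosen and the bodies are unreadable, so it should go to a sandbox that can be given the password from the lure rather than be allowed through on the strength of the filename.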
## Targeting
- **Sectors:** Inferred from the lures: government-related entities (Ministry of Finance and other government document themes) and commercial organizations (purchase order themes).
- **Geography:** Mainland China (origin), Taiwan, Japan, and Malaysia (the most recent expansion).
- **Victims:** No organizations are named; the victims are users in the targeted regions who receive the official-looking documents.
## Tools & Infrastructure
- **Malware families used:** Winos 4.0, HoldingHands.
- **Infrastructure (C2/Distribution):**
  - **Cloud Storage:** Tencent Cloud storage links (Account IDs: 1321729461, 1329400280).
  - **Custom Domains (sharing the 'tw' pattern):** twsww[.]xin/download[.]html
  - **C2 IP Address (Observed):** 156[.]251[.]17[.]9
  - **Other IOC Domains:** zxp0010w[.]vip, gjqygs[.]cn, zcqiyess[.]vip, jpjpz1[.]cc, jppjp[.]vip, jpjpz1[.]top
  - **Other IOC IPs:** 206[.]238[.]199[.]22, 206[.]238[.]221[.]244, 154[.]91[.]64[.]45, 156[.]251[.]17[.]12, 206[.]238[.]221[.]182, 38[.]60[.]203[.]110
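The report links campaigns through Tencent Cloud account IDs embedded in download URLs and through the custom domains and C2 addresses listed above. The following is an added example, not FortiGuard's code, of a hunt over proxy logs that keys on all three: the account ID rather than the bucket name (a fresh bucket under a known account is still the same operator), the IOC domains including their subdomains, and the IOC IPs. It assumes Tencent COS object URLs carry the account APPID in the bucket hostname as `<bucket>-<APPID>.cos.<region>.myqcloud.com`; the report only says the IDs were embedded in the URLs, so that hostname layout is an assumption of the example. The log lines are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicators taken from the report above, kept defanged so the script can be
# pasted around safely; they are refanged at load time.
DEFANGED_DOMAINS = [
    "twsww[.]xin", "zxp0010w[.]vip", "gjqygs[.]cn", "zcqiyess[.]vip",
    "jpjpz1[.]cc", "jppjp[.]vip", "jpjpz1[.]top",
]
DEFANGED_IPS = [
    "156[.]251[.]17[.]9", "156[.]251[.]17[.]12", "206[.]238[.]199[.]22",
    "206[.]238[.]221[.]244", "206[.]238[.]221[.]182", "154[.]91[.]64[.]45",
    "38[.]60[.]203[.]110",
]
TENCENT_APPIDS = {"1321729461", "1329400280"}


def refang(ioc: str) -> str:
    """Turn '156[.]251[.]17[.]9' back into '156.251.17.9'."""
    return ioc.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}

# ASSUMPTION: COS object URLs expose the account APPID in the bucket
# hostname as <bucket>-<10-digit APPID>.cos.<region>.myqcloud.com.
COS_HOST = re.compile(
    r"^[a-z0-9-]+-(?P<appid>\d{10})\.cos\.[a-z0-9-]+\.myqcloud\.com$"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_url(url: str) -> Optional[str]:
    """Return which part of the delivery chain a URL matches, or None."""
    host = (urlparse(url).hostname or "").lower()
    if host in IOC_IPS:
        return "ioc_ip"
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "ioc_domain"
    m = COS_HOST.match(host)
    if m and m.group("appid") in TENCENT_APPIDS:
        return "tencent_appid"
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run classify_url over every URL in a text log.

    Returns (1-based line number, verdict, hostname) for each hit.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            verdict = classify_url(url)
            if verdict:
                hits.append((n, verdict, urlparse(url).hostname or ""))
    return hits


# Constructed sample proxy log (not real traffic): one benign request, one
# COS download under a known APPID, one IOC domain, one IOC IP, and one COS
# download under an unrelated APPID that must not be flagged.
SAMPLE_PROXY_LOG = """\
2025-03-12T09:14:02Z 10.0.0.5 GET https://example.com/news/2025 200
2025-03-12T09:15:40Z 10.0.0.5 GET https://tax-docs-1321729461.cos.ap-guangzhou.myqcloud.com/notice.zip 200
2025-03-12T09:17:11Z 10.0.0.9 GET http://twsww.xin/download.html 200
2025-03-12T09:18:03Z 10.0.0.9 GET http://156.251.17.9/ 200
2025-03-12T09:19:55Z 10.0.0.9 GET https://files-9999999999.cos.ap-beijing.myqcloud.com/ok.pdf 200
"""

if __name__ == "__main__":
    for n, verdict, host in scan_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"line {n}: {verdict:14s} {host}")
```

Blocking `*.myqcloud.com` outright is rarely an option because the same service hosts legitimate content, which is why the match is on the account ID; the unrelated-APPID line in the sample log is there to show that distinction.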
## Implications
This actor demonstrates **strategic campaign evolution**: it has moved its delivery infrastructure and malware loader across several developed Asian economies (Taiwan, Japan, Malaysia) while keeping operational links back to its suspected base in Mainland China. The shift from a trusted cloud service (Tencent) to custom domains gives the actor tighter control of the delivery pipeline and makes rapid takedowns harder. Embedding the final components inside the dropped EXE adds a further layer intended to frustrate static analysis.
## Mitigations
- Enhance email and endpoint defense against targeted phishing, specifically messages delivering PDF documents with embedded links or documents carrying macros.
- Implement **Content Disarm and Reconstruction (CDR)** solutions (like FortiGuard CDR on FortiGate/FortiMail) to neutralize malicious elements within documents without blocking legitimate content.
- Deploy **IP Reputation** and **Anti-Botnet Security Services** to proactively block known C2 infrastructure.
- Conduct organization-wide security awareness training focused on recognizing and reporting convincing phishing lures such as these; the report points to the "[FCF Fortinet Certified Fundamentals](https://training.fortinet.com/local/staticpage/view.php?page=fcf_cybersecurity)" module as one option.