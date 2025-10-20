According to Security Affairs, the Winos 4.0 (ValleyRAT) cyber espionage campaign has expanded its operations from China and Taiwan to Japan and Malaysia. Threat actors are distributing the HoldingHands RAT malware through fake Finance Ministry PDFs.

The attackers send phishing emails with PDF attachments posing as official Ministry of Finance documents; the PDFs contain embedded links rather than the payload itself, and following a link starts the download chain that delivers Winos 4.0. The operators have moved to hosting the malicious files on Tencent Cloud, where the unique account IDs in the storage URLs tie multiple phishing files to the same threat operators. They have since shifted from cloud storage links to custom domains, with the lures focused on Taiwan; one PDF redirects users to a Japanese-language site that delivers the HoldingHands payload.
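The report's pivot, the same cloud-storage account ID surfacing in several lure PDFs, is something an analyst can reproduce over a folder of attachments. The following is an added example, not code from the Security Affairs article or from the researchers it summarizes: it pulls the /URI link actions out of raw PDF bytes with a plain regular expression (literal-string URIs only, no PDF library), then groups files by the Tencent COS APPID embedded in the bucket hostname (the real COS host form is `<bucket>-<APPID>.cos.<region>.myqcloud.com`). Every sample PDF, bucket name, APPID and domain below is constructed for the demonstration and is not an indicator from the campaign.

```python
"""Pivot phishing PDFs on the cloud-storage account hosting their payload links.

Added example; not the report's or the researchers' code. All sample data
(PDF bodies, bucket names, APPIDs, domains) is constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# /URI (literal string) inside a /Link annotation's action dictionary.
# Hex-string (<...>) URIs and escaped parentheses are not handled here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Tencent COS bucket host: <bucket>-<numeric APPID>.cos.<region>.myqcloud.com
COS_HOST_RE = re.compile(
    r"^(?P<bucket>.+)-(?P<appid>\d+)\.cos\.(?P<region>[a-z0-9-]+)\.myqcloud\.com$"
)


def build_pdf(uri: str) -> bytes:
    """Return a minimal PDF skeleton carrying a single /URI link action (constructed sample)."""
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        "3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
        "4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        f"/A << /S /URI /URI ({uri}) >> >> endobj\n"
        "trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


# Constructed samples: two lures share one COS APPID, the third uses a custom domain.
SAMPLES = {
    "mof_notice_tw.pdf": build_pdf(
        "https://mof-docs-1250000001.cos.ap-hongkong.myqcloud.com/notice.zip"),
    "tax_refund_jp.pdf": build_pdf(
        "https://zeimu-files-1250000001.cos.ap-tokyo.myqcloud.com/refund.zip"),
    "mof_form_custom.pdf": build_pdf(
        "https://www.example-mof-portal.test/forms/download.zip"),
}


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI literal-string target found in the raw PDF bytes."""
    return [raw.decode("latin-1") for raw in URI_RE.findall(pdf)]


def hosting_identity(uri: str) -> dict:
    """Describe where a link points: host, plus COS bucket/APPID/region when it is a COS URL."""
    host = (urlsplit(uri).hostname or "").lower()
    info = {"uri": uri, "host": host, "provider": "other",
            "bucket": None, "appid": None, "region": None}
    m = COS_HOST_RE.match(host)
    if m:
        info.update(provider="tencent-cos", **m.groupdict())
    return info


def pivot_by_appid(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each COS APPID to the sorted filenames whose embedded links use it."""
    groups = defaultdict(set)
    for name, pdf in samples.items():
        for uri in extract_uris(pdf):
            ident = hosting_identity(uri)
            if ident["appid"]:
                groups[ident["appid"]].add(name)
    return {appid: sorted(names) for appid, names in groups.items()}


def linked_clusters(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Keep only APPIDs shared by two or more files: the pivots worth reporting."""
    return {a: n for a, n in pivot_by_appid(samples).items() if len(n) >= 2}


if __name__ == "__main__":
    for name, pdf in SAMPLES.items():
        for uri in extract_uris(pdf):
            print(name, hosting_identity(uri))
    print("shared APPIDs:", linked_clusters(SAMPLES))
```

Run against real attachments, the custom-domain lures fall through with `provider == "other"`, which is exactly the gap the report describes once operators move off cloud storage; for those, pivot on domain registration or TLS certificate data instead, since the account-ID trick only works while the payload sits in a provider bucket.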

The operators behind this campaign use evasion tactics such as digitally signing their EXE files and delivering HoldingHands through multi-stage flows. A valid code signature only shows that the signer held a certificate, so defenders should not treat it as evidence that a binary is benign. By analyzing shared infrastructure, code reuse, and behavioral patterns, security researchers have linked attacks across the affected countries. This underscores the importance of sustained cybersecurity awareness and of international cooperation in countering such evolving threats.

Source: Security Affairs