Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan

March 5, 2025, 4:39 p.m.

Description

An advanced malware framework known as Winos 4.0 was used to target companies in Taiwan in January 2025.

Date

  • Created: March 5, 2025, 4:04 p.m.
  • Published: March 5, 2025, 4:04 p.m.
  • Modified: March 5, 2025, 4:39 p.m.

Indicators

Attack Patterns

  • UACme
  • Agent
  • ValleyRAT