📃Title: Tracking Malware and Attack Expansion: A Hacker Group’s Journey across Asia
📅Date: 2025-10-17
🔗References:

Description

FortiGuard Labs has traced a hacker group’s evolving campaigns across Asia, starting with Winos 4.0 attacks in Taiwan and expanding to Japan and Malaysia. The group employs phishing emails with malicious PDFs and evolving malware delivery tactics. They’ve shifted from using cloud storage links to custom domains for malware distribution. The latest campaign in Malaysia uses a multi-stage attack flow, leveraging the Windows Task Scheduler for stealth. The malware, identified as HoldingHands, has been updated with new features, including the ability to update C2 IP addresses via registry entries. The attackers have demonstrated adaptability in their techniques while maintaining some consistent patterns, allowing researchers to link seemingly unrelated attacks.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer Fortinet
  • target-information="China"
  • target-information="Japan"
  • target-information="Malaysia"
  • target-information="Taiwan"
  • mitre-attack-pattern=['T1082', 'T1071', 'T1053', 'T1140', 'T1036', 'T1055', 'T1112', 'T1016', 'T1059', 'T1083', 'T1497', 'T1204', 'T1057', 'T1566', 'T1574', 'T1027', 'T1012', 'T1134', 'T1105']

MISP event uuid: 23d3c0be-cc64-4844-b0d2-d157f0f5da5e

Indicators of Compromise (IoCs)


Full IoCs available in Rectifyq's MISP