Date: 02/23/2026
Severity: High
Summary
Researchers (see the reference below) have uncovered targeted phishing campaigns in Taiwan that exploit local business workflows. The attacks deliver Winos 4.0 (ValleyRat) and additional malicious plugins through weaponized attachments and embedded links. Lures impersonate official communications, including tax audit notices, tax software installers, and cloud e-invoice downloads. Domain registration analysis shows that the attackers rotate domains and abuse cloud object storage to distribute malware, so the infrastructure changes faster than static domain blocklists can track, and blocking alone is not an adequate primary defense. Recent delivery methods include malicious LNK downloaders, DLL sideloading to execute shellcode, and BYOVD (bring-your-own-vulnerable-driver) attacks leveraging wsftprm.sys. Treat the IOCs below as short-lived and pair them with behavior-based detections for the delivery chain itself: an LNK file launching a downloader, a signed binary sideloading an unexpected DLL, and the loading of wsftprm.sys on hosts that have no business running it.
Indicators of Compromise (IOC) List
Domains/URLs:
bqdrzbyq.cn
taxfnat.tw
njhwuyklw.com
twtaxgo.cn
taxhub.tw
taukeny.com
taxpro.tw
lmaxjuyh.cn
tkooyvff.cn
etaxtw.cn
twswsb.cn
https://twmoi2002.tos-cn-shanghai.volces.com/E-Invoice.rar
https://sdfw2026024.tos-cn-shanghai.volces.com/E-Invoice.rar
https://twtaxgo.cn/uploads/20260129/taxIs_RX3001.7z
IP Address:
47.76.86.151
Hashes (SHA-256):
64ee7a2e6259286311c8ba1c7b6d30e1e52fe78befcfd1b71b291c788f3e3e6a
156f31b37ee0d6e7f87cdc94dcd2d3b084b2e15da08bd8588e17d6bdc43159fe
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain and URL indicators):
domainname like "tkooyvff.cn" or url like "tkooyvff.cn" or siteurl like "tkooyvff.cn"
or domainname like "https://twtaxgo.cn/uploads/20260129/taxIs_RX3001.7z" or url like "https://twtaxgo.cn/uploads/20260129/taxIs_RX3001.7z" or siteurl like "https://twtaxgo.cn/uploads/20260129/taxIs_RX3001.7z"
or domainname like "etaxtw.cn" or url like "etaxtw.cn" or siteurl like "etaxtw.cn"
or domainname like "taxpro.tw" or url like "taxpro.tw" or siteurl like "taxpro.tw"
or domainname like "bqdrzbyq.cn" or url like "bqdrzbyq.cn" or siteurl like "bqdrzbyq.cn"
or domainname like "taxfnat.tw" or url like "taxfnat.tw" or siteurl like "taxfnat.tw"
or domainname like "https://sdfw2026024.tos-cn-shanghai.volces.com/E-Invoice.rar" or url like "https://sdfw2026024.tos-cn-shanghai.volces.com/E-Invoice.rar" or siteurl like "https://sdfw2026024.tos-cn-shanghai.volces.com/E-Invoice.rar"
or domainname like "njhwuyklw.com" or url like "njhwuyklw.com" or siteurl like "njhwuyklw.com"
or domainname like "https://twmoi2002.tos-cn-shanghai.volces.com/E-Invoice.rar" or url like "https://twmoi2002.tos-cn-shanghai.volces.com/E-Invoice.rar" or siteurl like "https://twmoi2002.tos-cn-shanghai.volces.com/E-Invoice.rar"
or domainname like "twtaxgo.cn" or url like "twtaxgo.cn" or siteurl like "twtaxgo.cn"
or domainname like "taukeny.com" or url like "taukeny.com" or siteurl like "taukeny.com"
or domainname like "taxhub.tw" or url like "taxhub.tw" or siteurl like "taxhub.tw"
or domainname like "lmaxjuyh.cn" or url like "lmaxjuyh.cn" or siteurl like "lmaxjuyh.cn"
or domainname like "twswsb.cn" or url like "twswsb.cn" or siteurl like "twswsb.cn"

Detection Query 2 (command-and-control IP address):
dstipaddress IN ("47.76.86.151") or srcipaddress IN ("47.76.86.151")

Detection Query 3 (file hashes):
sha256hash IN ("156f31b37ee0d6e7f87cdc94dcd2d3b084b2e15da08bd8588e17d6bdc43159fe","64ee7a2e6259286311c8ba1c7b6d30e1e52fe78befcfd1b71b291c788f3e3e6a")
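The three queries above match the same indicators against whichever field a log source populates. The following script is an added example (it is not Gurucul, FortiGuard or Fortinet code) that applies the page's IOC list offline to a few constructed log records, making the matching rules explicit: a full-URL indicator is compared after normalizing scheme and host, a domain indicator matches the host itself or any subdomain on a label boundary (so a host that merely contains the string is not a hit), IPs are compared exactly, and hashes are compared case-insensitively. The record layout, the field names (url, domain, src_ip, dst_ip, sha256) and the sample records are assumptions made for the example.

```python
"""Offline matcher for the IOCs listed on this page (added example)."""
from urllib.parse import urlsplit


def norm_url(u):
    """Lowercase scheme and host, keep path as-is, drop query/fragment.

    A URL without a scheme is parsed as network-path so the host is still
    recovered; it will not equal a full-URL indicator, but the host check
    in match_record() still applies to it.
    """
    u = u.strip()
    if "://" not in u:
        u = "//" + u
    p = urlsplit(u)
    host = (p.hostname or "").rstrip(".")
    return f"{p.scheme.lower()}://{host}{p.path}"


def host_of(value):
    """Hostname from a bare domain, 'host:port', 'host/path' or a full URL."""
    v = value.strip()
    if "://" not in v:
        v = "//" + v
    return (urlsplit(v).hostname or "").rstrip(".").lower()


# Indicators copied from the IOC list above.
IOC_DOMAINS = {
    "bqdrzbyq.cn", "taxfnat.tw", "njhwuyklw.com", "twtaxgo.cn", "taxhub.tw",
    "taukeny.com", "taxpro.tw", "lmaxjuyh.cn", "tkooyvff.cn", "etaxtw.cn",
    "twswsb.cn",
}
IOC_URLS = {norm_url(u) for u in (
    "https://twmoi2002.tos-cn-shanghai.volces.com/E-Invoice.rar",
    "https://sdfw2026024.tos-cn-shanghai.volces.com/E-Invoice.rar",
    "https://twtaxgo.cn/uploads/20260129/taxIs_RX3001.7z",
)}
IOC_IPS = {"47.76.86.151"}
IOC_SHA256 = {
    "64ee7a2e6259286311c8ba1c7b6d30e1e52fe78befcfd1b71b291c788f3e3e6a",
    "156f31b37ee0d6e7f87cdc94dcd2d3b084b2e15da08bd8588e17d6bdc43159fe",
}


def matching_domain(host, domains=IOC_DOMAINS):
    """Indicator domain that `host` equals or is a subdomain of, else None.

    Suffix matching on a label boundary avoids the false positives a plain
    substring comparison would produce for hosts that only contain the
    indicator string.
    """
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_record(rec):
    """Return a list of (field, indicator) hits for one log record.

    `rec` is a dict with any of the assumed keys: url, domain, src_ip,
    dst_ip, sha256.
    """
    hits = []
    url = rec.get("url")
    if url:
        n = norm_url(url)
        if n in IOC_URLS:
            hits.append(("url", n))
        d = matching_domain(host_of(url))
        if d:
            hits.append(("url_host", d))
    dom = rec.get("domain")
    if dom:
        d = matching_domain(host_of(dom))
        if d:
            hits.append(("domain", d))
    for field in ("src_ip", "dst_ip"):
        ip = rec.get(field)
        if ip and ip.strip() in IOC_IPS:
            hits.append((field, ip.strip()))
    h = rec.get("sha256")
    if h and h.strip().lower() in IOC_SHA256:
        hits.append(("sha256", h.strip().lower()))
    return hits


def scan(records):
    """Return [(record, hits)] for the records that matched at least one IOC."""
    out = []
    for r in records:
        hits = match_record(r)
        if hits:
            out.append((r, hits))
    return out


# Constructed sample records for this example, not real telemetry.
SAMPLE_RECORDS = [
    {"source": "proxy", "url": "https://twtaxgo.cn/uploads/20260129/taxIs_RX3001.7z"},
    {"source": "dns", "domain": "www.taxhub.tw"},
    {"source": "netflow", "src_ip": "10.0.0.5", "dst_ip": "47.76.86.151"},
    {"source": "edr", "sha256": "64EE7A2E6259286311C8BA1C7B6D30E1E52FE78BEFCFD1B71B291C788F3E3E6A"},
    {"source": "proxy", "url": "https://www.example.com/e-invoice.rar"},
    {"source": "netflow", "src_ip": "10.0.0.6", "dst_ip": "47.76.86.152"},
]

if __name__ == "__main__":
    for rec, hits in scan(SAMPLE_RECORDS):
        print(rec["source"], "->", hits)
```

Feed it the records your SIEM exports for the same fields and compare its hits with the results of the three queries; a discrepancy usually means one side is doing substring matching where the other does exact or suffix matching.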
Reference:
https://www.fortinet.com/blog/threat-research/massive-winos-40-campaigns-target-taiwan