Threat Group Targets Companies in Taiwan

    Date: 06/18/2025

    Severity: Medium

    Summary

    In early 2025, a threat group launched a targeted malware campaign against users in Taiwan, distributing the Winos 4.0 malware via phishing emails disguised as official messages from Taiwan's National Taxation Bureau. By March 2025, the campaign expanded to include links reused from previous attacks. The group also deployed variants of the HoldingHands RAT (also known as Gh0stBins), typically delivered through ZIP file attachments in phishing emails. This ongoing campaign highlights a persistent effort to compromise organizations in Taiwan using evolving malware tactics.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "twswz.top" or siteurl like "twswz.top" or url like "twswz.top"
    or domainname like "twnic.ltd" or siteurl like "twnic.ltd" or url like "twnic.ltd"
    or domainname like "twnic.xin" or siteurl like "twnic.xin" or url like "twnic.xin"
    or domainname like "twsw.ink" or siteurl like "twsw.ink" or url like "twsw.ink"
    or domainname like "cq1tw.top" or siteurl like "cq1tw.top" or url like "cq1tw.top"
    or domainname like "twcz.pro" or siteurl like "twcz.pro" or url like "twcz.pro"
    or domainname like "twsw.info" or siteurl like "twsw.info" or url like "twsw.info"
    or domainname like "twsw.ltd" or siteurl like "twsw.ltd" or url like "twsw.ltd"
    or domainname like "twnic.ink" or siteurl like "twnic.ink" or url like "twnic.ink"
    or domainname like "twczb.com" or siteurl like "twczb.com" or url like "twczb.com"
    or domainname like "twnic.icu" or siteurl like "twnic.icu" or url like "twnic.icu"
    or domainname like "twsww.xin" or siteurl like "twsww.xin" or url like "twsww.xin"
    or domainname like "twsw.club" or siteurl like "twsw.club" or url like "twsw.club"
    or domainname like "twswzz.xin" or siteurl like "twswzz.xin" or url like "twswzz.xin"
    or domainname like "twtgtw.net" or siteurl like "twtgtw.net" or url like "twtgtw.net"
    or domainname like "00-1321729461.cos.ap-guangzhou.myqcloud.com" or siteurl like "00-1321729461.cos.ap-guangzhou.myqcloud.com" or url like "00-1321729461.cos.ap-guangzhou.myqcloud.com"
    or domainname like "6-1321729461.cos.ap-guangzhou.myqcloud.com" or siteurl like "6-1321729461.cos.ap-guangzhou.myqcloud.com" or url like "6-1321729461.cos.ap-guangzhou.myqcloud.com"
    or domainname like "twzfte-1340224852.cos.ap-guangzhou.myqcloud.com" or siteurl like "twzfte-1340224852.cos.ap-guangzhou.myqcloud.com" or url like "twzfte-1340224852.cos.ap-guangzhou.myqcloud.com"
    or domainname like "twnc.ink" or siteurl like "twnc.ink" or url like "twnc.ink"
    or domainname like "twsa.top" or siteurl like "twsa.top" or url like "twsa.top"
    or domainname like "twsw.cc" or siteurl like "twsw.cc" or url like "twsw.cc"
    or domainname like "twsw.pro" or siteurl like "twsw.pro" or url like "twsw.pro"
    or domainname like "twsww.vip" or siteurl like "twsww.vip" or url like "twsww.vip"
    or domainname like "twzfw.vip" or siteurl like "twzfw.vip" or url like "twzfw.vip"

    Detection Query 2:

    dstipaddress IN ("206.238.220.60","154.91.64.45","206.238.115.207","154.91.85.204","154.86.22.47","156.251.17.17","206.238.179.173","206.238.199.22","154.91.85.201","206.238.221.182","206.238.196.32","156.251.17.12","107.149.253.183") or srcipaddress IN ("206.238.220.60","154.91.64.45","206.238.115.207","154.91.85.204","154.86.22.47","156.251.17.17","206.238.179.173","206.238.199.22","154.91.85.201","206.238.221.182","206.238.196.32","156.251.17.12","107.149.253.183")

    Detection Query 3:

    sha256hash IN (
      "7200155f3e30dbbd4c4c26ce2c7bd4878ab992b619d80b43c0bd9e17390082fc",
      "bf1a7938f61a9905e1b151c7a5f925a2ce3870b7c3e80f6e0fc07715bdc258b7",
      "d3a270d782e62574983b28bd35076b569a0b65236e7f841a63b0558f2e3a231c",
      "a8b6c06daeede6199e69f4cafd79299219def5bf913a31829dede98a8ad2aaa9",
      "143f434e3a2cac478fb672b77d6c04cdf25287d234a52ee157f4f1a2b06f8022",
      "a8430ce490d5c5fab1521f3297e2d277ee7e7c49e7357c208878f7fd5f763931",
      "7263550339c2a35f356bb874fb3a619b76f2d602064beada75049e7c2927a6dc",
      "db15f45f69f863510986fb2198a8a6b3d55d8ccc8a2ed4bb30bc27bdd1bf151c",
      "ed72721837c991621639b4e86ffe0c2693ef1a545741b5513d204a1e3e008d8c",
      "b1ac2178c90c8eafd8121d21acbae7a0eb0cbc156d4a5f692f44b28856a23481",
      "a12d17cca038cdbf79b72356e5d20b17722c7b20bd2ee308601bac901890f3f4",
      "59d2433264d8ec9e9797918be3aa7132dbeb71e141f6e5c64c0d6f1cb4452934",
      "a6c1629b4450f713b02d24f088c4f26b0416c6a7924dcf0477425f3a67a2e3ff",
      "e809582faccdd27337aa46b4a11dd11f5d0c7d7428ebdc8c895ea80777e4da5f",
      "6fcd6aef0678d3c6d5f8c2cb660356b25f68c73e7ee24fbb721216a547d17ffa",
      "a9ddd4e4d54336ce110fdc769ff7c4940f8d89b45ee8dc24f56fc3ea00c18873",
      "52632d9e24f42c4651cf8db3abc37845e693818d64ab0b11c235eddf8e011b2f",
      "f42c6949c6d8ecf648bacca08cde568f11ec2663221a97dae5fbf01218e8775a",
      "9296adb71bc98140a59b19f68476d45dbb38cc60b9e263d07d14e7178f195989",
      "ac957ba4796f06c4bf0c0afb8674bbeb30eb95cef85bc68ced3ee1aa30e3acff",
      "7d3f352ded285118e916336da6e6182778a54dc88d4fb7353136f028ac9b81e0",
      "6558dfb070421c674b377a0a6090593fa0c44d5b0dec5325a648583f92175ce2",
      "c25e80cd10e7741b5f3e0b246822e0af5237026d5227842f6cf4907daa039848",
      "65edd9e1a38fd3da79c8a556eb2c7c595125ffec9f7483e2e6e189a08cc5d412",
      "0a0375648bc9368bccfd3d657d26976d5b1f975381d1858d001404d807334058",
      "636c2ccffce7d4591b0d5708469070b839f221400b38189c734004641929ae05",
      "31ffa4e3638c9e094275051629cc3ac0a8c7d6ae8415bbfcacc4c605c7f0df39",
      "da3deea591b59b1a0f7e11db2f729a263439a05f3e8b0de97bbac99154297cea",
      "e2269b38655a4d75078362856c16594e195cd647c56b8c55883b8e1286baa658",
      "e516b102a2a6001eafb055e42feb9000691e2353c7e87e34ddaa99d7d8af16fd",
      "3ce81c163ddedb132116cdf92aae197ced0b94f3fc3d1036f5c41b084a256a03",
      "a19fdfc131e8fbe063289c83a3cdefb9fb9fb6f1f92c83b892d3519a381623db")
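    The three queries above are exact-value matches on vendor fields. Added example, not part of the advisory and not Gurucul's code: a small Python matcher that applies the same three indicator types to newline-delimited JSON events, matching domains on a label boundary (so www.twsw.cc hits twsw.cc but nottwsw.cc and twnic.ltd.example.org do not) and comparing hashes case-insensitively. The IOC subset is taken from the queries above; the field names and sample events are assumptions, constructed for the example.

```python
import json
import re
# Subset of the advisory's indicators, taken from the detection queries above.
IOC_DOMAINS = {"twsw.cc", "twnic.ltd", "twzfte-1340224852.cos.ap-guangzhou.myqcloud.com"}
IOC_IPS = {"154.91.85.204", "206.238.220.60", "107.149.253.183"}
IOC_SHA256 = {"f42c6949c6d8ecf648bacca08cde568f11ec2663221a97dae5fbf01218e8775a"}
_HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", re.I)

def host_from_url(value):
    """Lowercased host of a URL or bare hostname: 'https://www.twsw.cc/x' -> 'www.twsw.cc'."""
    m = _HOST_RE.match(value.strip())
    return m.group(1).lower().rstrip(".") if m else ""

def matching_domain(host):
    """IOC domain equal to host, or its parent on a label boundary; None when nothing hits."""
    return next((d for d in IOC_DOMAINS if host == d or host.endswith("." + d)), None)

def match_event(event):
    """(field, indicator) hits for one event dict; the field names are assumed, not Gurucul's."""
    hits = []
    for field in ("domainname", "siteurl", "url"):
        d = matching_domain(host_from_url(event.get(field) or ""))
        if d:
            hits.append((field, d))
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in IOC_IPS:
            hits.append((field, event[field]))
    h = (event.get("sha256hash") or "").lower()  # hashes are compared case-insensitively
    if h in IOC_SHA256:
        hits.append(("sha256hash", h))
    return hits

def scan(lines):
    """Scan newline-delimited JSON events; return [(line_no, hits)] for events that hit."""
    results = []
    for n, line in enumerate(lines, 1):
        try:
            hits = match_event(json.loads(line))
        except (json.JSONDecodeError, AttributeError):
            continue  # skip a malformed or non-object line instead of aborting the sweep
        if hits:
            results.append((n, hits))
    return results
# Constructed sample events (not real telemetry); lines 2 and 4 must not fire.
SAMPLE_LOG = [
    '{"url": "https://www.twsw.cc/update.zip", "dstipaddress": "154.91.85.204"}',
    '{"domainname": "nottwsw.cc", "siteurl": "twnic.ltd.example.org"}',
    '{"sha256hash": "F42C6949C6D8ECF648BACCA08CDE568F11EC2663221A97DAE5FBF01218E8775A"}',
    'not json at all',
]
```

    Running scan(SAMPLE_LOG) reports hits only for lines 1 and 3; a production version would load the full indicator set from the queries rather than the subset embedded here.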

    Reference:

    https://www.fortinet.com/blog/threat-research/threat-group-targets-companies-in-taiwan


    Tags

    Malware, Winos 4.0, Phishing, Taiwan, HoldingHands RAT, RAT, Gh0stBins, Government Services and Facilities, National Taxation Bureau
