Date: 10/29/2025
Severity: Medium
Summary
In January 2025, Labs identified a series of Winos 4.0 attacks targeting users in Taiwan. By February, it became evident that the threat actor had transitioned to new malware families and broadened its operations. What initially appeared to be isolated incidents turned out to be part of a larger campaign that began in Mainland China before spreading to Taiwan, then Japan, and most recently Malaysia. The campaign primarily used phishing emails carrying PDF attachments with embedded malicious links. These PDFs impersonated official Ministry of Finance documents and included multiple links, one of which delivered the Winos 4.0 malware.
Indicators of Compromise (IOC) List
Domains/URLs:
  zxp0010w.vip
  gjqygs.cn
  zcqiyess.vip
  jpjpz1.cc
  jppjp.vip
  jpjpz1.top

IP Addresses:
  206.238.199.22
  206.238.221.244
  154.91.64.45
  156.251.17.12
  206.238.221.182
  38.60.203.110

Hashes (SHA-256):
  1c4bc67ae4af505f58bd11399d45e196fc17cc5dd32ad1d8e6836832d59df6e6
  dc45981ff705b641434ff959de5f8d4c12341eaeda42d278bd4e46628df94ac5
  8d25da6459c427ad658ff400e1184084db1789a7abff9b70ca85cf57f4320283
  2b1719108ec52e5dea20169a225b7d383ad450195a5e6274315c79874f448caa
  804dc39c1f928964a5c02d129da72c836accf19b8f6d8dc69fc853ce5f65b4f3
  c138ff7d0b46a657c3a327f4eb266866957b4117c0507507ba81aaeb42cdefa9
  03e1cdca2a9e08efa8448e20b50dc63fdbea0e850de25c3a8e04b03e743b983d
  0db506d018413268e441a34e6e134c9f5a33ceea338fc323d231de966401bb2c
  031c916b599e17d8cfa13089bddafc2436be8522f0c9e479c7d76ba3010bbd18
  c6095912671a201dad86d101e4fe619319cc22b10b4e8d74c3cd655b2175364c
  fb9c9ed91fc70f862876bd77314d3b2275069ca7c4db045e5972e726a3e8e04c
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain / URL indicators):
domainname like "gjqygs.cn" or url like "gjqygs.cn" or siteurl like "gjqygs.cn" or domainname like "zxp0010w.vip" or url like "zxp0010w.vip" or siteurl like "zxp0010w.vip" or domainname like "jppjp.vip" or url like "jppjp.vip" or siteurl like "jppjp.vip" or domainname like "jpjpz1.cc" or url like "jpjpz1.cc" or siteurl like "jpjpz1.cc" or domainname like "zcqiyess.vip" or url like "zcqiyess.vip" or siteurl like "zcqiyess.vip" or domainname like "jpjpz1.top" or url like "jpjpz1.top" or siteurl like "jpjpz1.top"

Detection Query 2 (IP indicators, source or destination):
dstipaddress IN ("206.238.221.244","206.238.221.182","154.91.64.45","206.238.199.22","156.251.17.12","38.60.203.110") or srcipaddress IN ("206.238.221.244","206.238.221.182","154.91.64.45","206.238.199.22","156.251.17.12","38.60.203.110")

Detection Query 3 (file hash indicators, SHA-256):
sha256hash IN ("1c4bc67ae4af505f58bd11399d45e196fc17cc5dd32ad1d8e6836832d59df6e6","dc45981ff705b641434ff959de5f8d4c12341eaeda42d278bd4e46628df94ac5","8d25da6459c427ad658ff400e1184084db1789a7abff9b70ca85cf57f4320283","2b1719108ec52e5dea20169a225b7d383ad450195a5e6274315c79874f448caa","804dc39c1f928964a5c02d129da72c836accf19b8f6d8dc69fc853ce5f65b4f3","c138ff7d0b46a657c3a327f4eb266866957b4117c0507507ba81aaeb42cdefa9","03e1cdca2a9e08efa8448e20b50dc63fdbea0e850de25c3a8e04b03e743b983d","0db506d018413268e441a34e6e134c9f5a33ceea338fc323d231de966401bb2c","031c916b599e17d8cfa13089bddafc2436be8522f0c9e479c7d76ba3010bbd18","c6095912671a201dad86d101e4fe619319cc22b10b4e8d74c3cd655b2175364c","fb9c9ed91fc70f862876bd77314d3b2275069ca7c4db045e5972e726a3e8e04c")
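The three queries above match the same indicator sets against domain/URL, IP and hash fields. As an added example (not code from the original advisory and not part of the Gurucul TDIR product), the following Python script applies those sets to a few constructed log records and shows the check a practitioner would want around the domain indicators: the hostname is extracted from the URL first and compared at a label boundary, so an indicator matches the host itself or any subdomain of it, but not a benign URL whose query string merely contains the indicator string, and not a look-alike such as notjppjp.vip (which a plain substring test would flag). IPs are checked in both directions, as in Query 2, and hashes are validated as 64 hex characters and compared case-insensitively. The IOC values are those listed on this page; the log records and the field names url, src_ip, dst_ip and sha256 are assumptions for the demo, not Gurucul field names.

```python
"""Apply the Winos 4.0 IOC sets from this advisory to sample log records.

Added example: not code from the original advisory or from Gurucul TDIR.
IOC values are taken from the lists above; the log records and the field
names (url, src_ip, dst_ip, sha256) are constructed for this demo.
"""
import ipaddress
import re
from urllib.parse import urlsplit

DOMAIN_IOCS = {
    "zxp0010w.vip", "gjqygs.cn", "zcqiyess.vip",
    "jpjpz1.cc", "jppjp.vip", "jpjpz1.top",
}
IP_IOCS = {ipaddress.ip_address(a) for a in (
    "206.238.199.22", "206.238.221.244", "154.91.64.45",
    "156.251.17.12", "206.238.221.182", "38.60.203.110",
)}
HASH_IOCS = {
    "1c4bc67ae4af505f58bd11399d45e196fc17cc5dd32ad1d8e6836832d59df6e6",
    "dc45981ff705b641434ff959de5f8d4c12341eaeda42d278bd4e46628df94ac5",
    "8d25da6459c427ad658ff400e1184084db1789a7abff9b70ca85cf57f4320283",
    "2b1719108ec52e5dea20169a225b7d383ad450195a5e6274315c79874f448caa",
    "804dc39c1f928964a5c02d129da72c836accf19b8f6d8dc69fc853ce5f65b4f3",
    "c138ff7d0b46a657c3a327f4eb266866957b4117c0507507ba81aaeb42cdefa9",
    "03e1cdca2a9e08efa8448e20b50dc63fdbea0e850de25c3a8e04b03e743b983d",
    "0db506d018413268e441a34e6e134c9f5a33ceea338fc323d231de966401bb2c",
    "031c916b599e17d8cfa13089bddafc2436be8522f0c9e479c7d76ba3010bbd18",
    "c6095912671a201dad86d101e4fe619319cc22b10b4e8d74c3cd655b2175364c",
    "fb9c9ed91fc70f862876bd77314d3b2275069ca7c4db045e5972e726a3e8e04c",
}


def host_from_url(url: str) -> str:
    """Return the lowercase hostname of a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "//" + url  # make urlsplit treat the leading token as the netloc
    return (urlsplit(url).hostname or "").lower()


def domain_matches(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one.

    A substring test on the raw URL would also fire on 'notjppjp.vip' or on a
    benign URL whose query string contains an IOC string; comparing the
    extracted host at a label boundary does not.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAIN_IOCS)


def ip_matches(addr: str) -> bool:
    """True if addr parses as an IP address and is in the IOC set."""
    try:
        return ipaddress.ip_address(addr) in IP_IOCS
    except ValueError:
        return False


def hash_matches(digest: str) -> bool:
    """True if digest is a well-formed SHA-256 hex string in the IOC set."""
    return bool(re.fullmatch(r"[0-9a-fA-F]{64}", digest)) and digest.lower() in HASH_IOCS


def scan(records):
    """Return (record index, field, matched value) for every IOC hit."""
    hits = []
    for i, rec in enumerate(records):
        if "url" in rec:
            host = host_from_url(rec["url"])
            if domain_matches(host):
                hits.append((i, "url", host))
        for field in ("src_ip", "dst_ip"):  # Query 2 checks both directions
            if field in rec and ip_matches(rec[field]):
                hits.append((i, field, rec[field]))
        if "sha256" in rec and hash_matches(rec["sha256"]):
            hits.append((i, "sha256", rec["sha256"].lower()))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"url": "http://jpjpz1.top/update/report.pdf", "dst_ip": "206.238.221.244"},
    {"url": "https://cdn.jppjp.vip/a.exe"},                    # subdomain of an IOC
    {"url": "https://www.example.com/search?q=zxp0010w.vip"},  # IOC string only in the query
    {"url": "https://notjppjp.vip/"},                          # look-alike, no label boundary
    {"src_ip": "10.0.0.5", "dst_ip": "38.60.203.110"},
    {"sha256": "C138FF7D0B46A657C3A327F4EB266866957B4117C0507507BA81AAEB42CDEFA9"},
    {"sha256": "0" * 64, "dst_ip": "8.8.8.8"},
]

if __name__ == "__main__":
    for idx, field, value in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {field} matched IOC {value}")
```

Records 2 and 3 produce no hits even though both contain an IOC string, which is the false-positive class to keep in mind if a `like` clause in Query 1 is evaluated as a substring match on the full URL; conversely record 1 is caught because cdn.jppjp.vip sits under an indicator domain.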
Reference:
https://www.fortinet.com/blog/threat-research/tracking-malware-and-attack-expansion-a-hacker-groups-journey-across-asia