
Parrot CTFs Blog Offensive Security Topics & Cyber Security News

Silver Fox’s Winos 4.0 Expands Into Japan and Malaysia Using HoldingHands RAT

TLDR

Silver Fox’s Winos 4.0 malware now attacks Japan and Malaysia.

It spreads via malicious PDFs and uses the HoldingHands RAT for remote access and data theft.

What happened

The group known as Silver Fox released an upgraded version of its Winos malware, called Winos 4.0. The new variant adds a Remote Access Trojan named HoldingHands. The RAT gives the attackers full control over infected machines. The campaign began in early October 2025. It focuses on targets in Japan and Malaysia. The attackers also continued to hit Chinese firms through job‑application phishing. The payload is delivered in PDF files that look like official documents. The PDFs are attached to spear‑phishing emails. Recipients are urged to open the file to view a contract or invoice. When the PDF is opened, a malicious script runs. The script drops the HoldingHands binary onto the system. The binary registers as a legitimate service. It then contacts a command‑and‑control server for instructions. The C2 server issues commands for data collection, lateral movement, and exfiltration. The attackers also use SEO poisoning to improve the visibility of their malicious sites. They exploit known vulnerabilities in popular security products to bypass defenses. The overall operation shows a higher level of sophistication than earlier Winos campaigns.

Silver Fox is a Chinese‑origin cybercrime group. It has a history of targeting financial institutions and technology firms. The group’s previous versions of Winos focused on South‑East Asian markets. The new focus on Japan and Malaysia reflects a shift in intelligence‑gathering goals. The group appears to be collecting corporate secrets and personal data. The data is likely sold on underground markets. The HoldingHands RAT is a modular tool. It can load additional plugins for keylogging, screenshot capture, and credential dumping. The RAT can also encrypt its traffic to avoid detection. The attackers use fast‑flux DNS to hide the location of their C2 servers. This makes takedown efforts more difficult.

The phishing emails are well‑crafted. They use language that matches the target’s industry. Attachments are named with familiar file extensions, such as .pdf and .docx. The email body references recent business events to increase credibility. The messages often contain a sense of urgency. This pressure encourages recipients to open the attachment without verification. The malicious PDFs contain embedded JavaScript. The script exploits a zero‑day vulnerability in the PDF reader. The exploit triggers a silent download of the HoldingHands payload. Once installed, the RAT establishes persistence via registry keys. It also disables security alerts to remain hidden.

In addition to phishing, the group employs SEO poisoning. They create fake web pages that rank high for relevant search terms. The pages host the malicious PDF files. Victims searching for legitimate documents may inadvertently download the payload. This technique expands the attack surface beyond email. The group also scans for vulnerable versions of security software. They exploit these flaws to gain initial footholds. The combination of phishing, SEO poisoning, and software exploits creates a multi‑vector threat.

Recent intelligence indicates that the campaign is still active. New samples of the HoldingHands RAT have been observed in the wild. The malware continues to evolve, adding new evasion features. Analysts have noted that the group is testing new command structures. This suggests that future variants may include additional capabilities, such as ransomware payloads or supply‑chain attacks. The current focus, however, remains on espionage and data theft.

Why it matters

The expansion into Japan and Malaysia raises the risk profile for regional businesses. Both countries host critical infrastructure and high‑value intellectual property. Compromise of these assets can have economic and national‑security implications. The use of a sophisticated RAT means attackers can move laterally across networks. They can harvest credentials, exfiltrate files, and install additional malware. The data collected may be used for corporate espionage or sold to competitors.

Silver Fox’s tactics bypass many traditional defenses. Phishing PDFs exploit user trust and software vulnerabilities. SEO poisoning widens the attack vector beyond email. Exploiting security‑software flaws undermines endpoint protection. Organizations that rely solely on signature‑based AV are vulnerable. The threat highlights the need for behavior‑based detection and threat‑intelligence feeds.

The campaign also demonstrates the group’s adaptability. They quickly adopt new delivery methods and exploit chains. This agility makes them a persistent threat. Their focus on regional intelligence collection suggests a strategic objective. Nations and corporations must treat the activity as a geopolitical risk.

Financial losses can be significant. Data breaches often lead to regulatory fines, remediation costs, and reputational damage. In Japan, privacy laws impose strict penalties for personal data exposure. Malaysia’s Personal Data Protection Act also carries heavy fines. Non‑compliance can result in legal action and loss of customer trust.

Finally, the use of HoldingHands RAT adds a new tool to the threat landscape. Security teams must update detection rules to cover its indicators of compromise. Failure to do so may allow the RAT to remain undetected for months. Early detection is essential to limit data loss.

Who is affected

Enterprises in Japan and Malaysia are the primary targets. This includes finance, manufacturing, technology, and logistics firms. Companies that handle sensitive contracts or trade secrets are at higher risk. The group also targets Chinese firms through job‑application phishing, indicating a broader regional focus.

Small and medium‑size businesses are not immune. Phishing emails often reach lower‑level employees. A single compromised workstation can provide a foothold for lateral movement. Supply‑chain partners of large enterprises may also be affected if they share network access.

Government agencies and critical‑infrastructure operators are at risk as well. The data they hold can be valuable for nation‑state actors. Any organization that uses outdated PDF readers or security software is a potential victim.

How to check exposure

Begin with a thorough email‑header analysis. Look for mismatched sender domains, unusual reply‑to addresses, and SPF/DKIM failures. Verify the authenticity of PDF attachments before opening them. Use sandbox environments to detonate suspicious files.
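One way to automate the header checks just described, as an added example that is not part of the original post: the script parses a raw message with Python's standard `email` module and flags a From domain that disagrees with the Return-Path, an unusual Reply-To, and any non-`pass` SPF/DKIM/DMARC verdict in the receiving server's Authentication-Results header. The message below is constructed for illustration and its domains are placeholders.

```python
"""Header triage for a suspected spear-phishing e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From does not match the Return-Path or the
# Reply-To, and the receiving MTA recorded SPF and DKIM failures.
SAMPLE_HEADERS = """\
Return-Path: <billing@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=fail header.d=example.org
From: "Accounts" <invoices@example.org>
Reply-To: accounts@example-support.biz
To: staff@example.com
Subject: Contract for review (urgent)

Please open the attached PDF to view the contract.
"""


def _domain(header_value):
    """Lower-cased domain of an address header, or '' when there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_headers(raw_message):
    """Return a list of findings (empty list means nothing looked wrong)."""
    msg = message_from_string(raw_message)
    findings = []

    from_dom = _domain(msg.get("From"))
    return_dom = _domain(msg.get("Return-Path"))
    reply_dom = _domain(msg.get("Reply-To"))

    # Envelope sender (Return-Path) should normally share the From domain.
    if return_dom and from_dom and return_dom != from_dom:
        findings.append(f"sender-domain-mismatch: From={from_dom} Return-Path={return_dom}")
    # A Reply-To pointing somewhere else diverts the victim's answer.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"unusual-reply-to: Reply-To={reply_dom} From={from_dom}")

    # Authentication-Results may appear more than once; inspect every copy
    # and report any mechanism whose verdict is not 'pass'.
    for auth in msg.get_all("Authentication-Results", []):
        for mech in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{mech}=(\w+)", auth)
            if m and m.group(1).lower() != "pass":
                findings.append(f"{mech}-{m.group(1).lower()}")
    return findings


if __name__ == "__main__":
    for finding in triage_headers(SAMPLE_HEADERS):
        print(finding)
```

A clean message (From and Return-Path in the same domain, no Reply-To, `spf=pass`) yields an empty list, so the function can be dropped into a mail-gateway script or run over an exported `.eml` file to prioritise which attachments go to the sandbox first.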

Scan endpoints for known Indicators of Compromise (IOCs). The following list includes hashes, file names, and network artifacts associated with HoldingHands RAT:

  • File hash (SHA‑256): 3f9a2c7e5b1d4e6f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f
  • Default binary name: hands.exe
  • Registry persistence key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Hands
  • C2 domain pattern: *.secure‑holdings[.]net
  • Common C2 IP range: 185.12.0.0/16

Review firewall and DNS logs for outbound connections to the C2 domain pattern. Look for HTTPS traffic on non‑standard ports. Identify any DNS queries for newly registered domains that match the pattern.
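A small sweep that applies the IOC list above to DNS and firewall log lines, as an added example that is not part of the original post. The hash, binary name, domain pattern and IP range are the values published in the list; the log format, hostnames and log lines are constructed for illustration (a real deployment would swap in the parser for its own DNS and firewall log format). The post prints the domain defanged with `[.]`, so the matcher refangs it before comparing; the registry key from the list is not covered here because it can only be checked on the host itself.

```python
"""IOC sweep over constructed DNS/firewall log lines (added example)."""
import hashlib
import ipaddress
import re

# IOC values as published in the post (ASCII hyphen used in the domain).
IOC_SHA256 = "3f9a2c7e5b1d4e6f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f"
IOC_BINARY = "hands.exe"
IOC_DOMAIN_PATTERN = "*.secure-holdings[.]net"      # defanged, as published
IOC_C2_RANGE = ipaddress.ip_network("185.12.0.0/16")

# Constructed log lines: a DNS query log and a firewall connection log.
SAMPLE_LOGS = [
    "2025-10-14T09:12:03Z dns query ws-017 A update.secure-holdings.net",
    "2025-10-14T09:12:04Z fw allow ws-017 -> 185.12.44.9:8443 tcp",
    "2025-10-14T09:13:10Z dns query ws-022 A cdn.example.com",
    "2025-10-14T09:13:11Z fw allow ws-022 -> 93.184.216.34:443 tcp",
]

DNS_RE = re.compile(r"dns query (\S+) \S+ (\S+)")
FW_RE = re.compile(r"fw \w+ (\S+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")


def refang(pattern):
    """Turn a defanged '[.]' indicator back into a real hostname pattern."""
    return pattern.replace("[.]", ".")


def domain_matches(hostname, pattern=IOC_DOMAIN_PATTERN):
    """True for the apex domain or any subdomain covered by a '*.domain' pattern.

    Treating the apex as a match is a choice made here; the published
    pattern only names the wildcard form.
    """
    suffix = refang(pattern).lstrip("*").lower()     # ".secure-holdings.net"
    host = hostname.lower().rstrip(".")
    return host == suffix.lstrip(".") or host.endswith(suffix)


def sweep_logs(lines):
    """Return (host, reason) tuples for lines touching the listed C2 infrastructure."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and domain_matches(m.group(2)):
            hits.append((m.group(1), f"dns:{m.group(2)}"))
            continue
        m = FW_RE.search(line)
        if m:
            ip, port = ipaddress.ip_address(m.group(2)), int(m.group(3))
            if ip in IOC_C2_RANGE:
                # Port is kept so non-standard HTTPS ports stand out on review.
                hits.append((m.group(1), f"c2-range:{ip}:{port}"))
    return hits


def sha256_hex(data):
    """SHA-256 of a byte string, hex-encoded."""
    return hashlib.sha256(data).hexdigest()


def file_indicators(name, data):
    """Reasons a file matches the published file IOCs (empty list if none)."""
    reasons = []
    if sha256_hex(data) == IOC_SHA256:
        reasons.append("sha256-match")
    if name.lower() == IOC_BINARY:
        reasons.append("name-match")
    return reasons


if __name__ == "__main__":
    for host, reason in sweep_logs(SAMPLE_LOGS):
        print(f"{host}: {reason}")
    print(file_indicators("hands.exe", b"constructed placeholder content"))
```

Run against real exports, `sweep_logs` gives you the list of internal hosts that resolved or connected to the published infrastructure, which is the set to isolate first; `file_indicators` is meant to be fed the bytes of any `hands.exe` found on disk, since a name match alone is a weak signal and the hash is what confirms the sample.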

Conduct vulnerability scans on PDF readers and security software. Identify versions that lack the latest patches. Prioritize remediation for any vulnerable installations.

Perform credential‑dump analysis. HoldingHands can extract password hashes from LSASS. Use tools like LSAUtil or ProcDump to detect anomalous processes accessing LSASS memory.

Fast mitigation

Immediately isolate any workstation that shows signs of infection. Disconnect it from the network to stop data exfiltration.

  • Terminate the hands.exe process via Task Manager or PowerShell.
  • Delete the malicious binary and associated registry keys.
  • Run a full endpoint scan with an updated, behavior‑based AV solution.

Patch all PDF readers to the latest version. Enable automatic updates where possible. Apply security patches for any third‑party security tools that were identified as vulnerable.

Strengthen email security controls. Deploy DMARC, DKIM, and SPF enforcement. Use sandboxing for all attachments. Enable advanced phishing detection that scans PDF content for embedded JavaScript.

Implement network‑level controls. Block outbound traffic to the identified C2 domain pattern and IP range. Use DNS sinkholing to redirect malicious queries to a safe server.

Educate users on phishing awareness. Conduct regular training that includes examples of malicious PDFs. Emphasize the importance of verifying sender identity and attachment legitimacy.

Finally, establish an incident‑response playbook for RAT infections. Include steps for forensic data collection, log preservation, and law‑enforcement notification where required. Continuous monitoring and threat‑intel integration will help detect future variants early.

Kaz

not a hacker.
