The Winos 4.0 campaign represents a sophisticated malware operation primarily targeting Taiwanese organizations through phishing emails themed around local business processes such as tax audits and electronic invoicing. The malware, also known as ValleyRat, employs multiple advanced infection and evasion techniques. Initial infection vectors include malicious LNK shortcut files that execute payloads when opened, and DLL sideloading, which abuses legitimate Windows binaries to load malicious DLLs stealthily. Additionally, the campaign uses Bring Your Own Vulnerable Driver (BYOVD) attacks, where attackers load vulnerable or malicious drivers to gain kernel-level privileges, bypassing security controls like UAC. Once inside the system, Winos 4.0 uses driver loading to maintain persistence and process termination techniques to disable antivirus and endpoint detection and response (EDR) tools, complicating detection and remediation efforts. The campaign is attributed to a subgroup of the Silver Fox APT, known for targeting East Asian entities with localized social engineering lures and evolving malware capabilities. The attackers maintain consistent infrastructure, including domains and IP addresses, and reuse development identifiers, indicating a well-resourced and persistent threat actor. The campaign has been active since at least January 2026 and continues to evolve, posing ongoing risks to targeted organizations. Indicators of compromise include specific file hashes, IP addresses, and domains linked to the campaign, which can be used for detection and blocking. Despite no known public exploits, the campaign's complexity and targeted approach make it a significant threat to Taiwan's business and governmental sectors.

The Winos 4.0 campaign poses substantial risks to organizations in Taiwan, particularly those in finance, government, and sectors reliant on electronic invoicing and tax-related processes. Successful compromise can lead to unauthorized access to sensitive financial and business data, intellectual property theft, and potential disruption of critical business operations. The malware's ability to bypass UAC and disable security software increases the likelihood of prolonged undetected presence, enabling attackers to conduct espionage, data exfiltration, or deploy additional payloads such as ransomware. The use of BYOVD attacks elevates the threat by granting kernel-level access, which can undermine system integrity and complicate incident response. The localized phishing themes increase the success rate of social engineering, making employees more susceptible to infection. Globally, organizations with business ties to Taiwan or those using similar business processes could face indirect risks if attackers expand targeting. The campaign's persistence and sophistication highlight the threat actor's capability to adapt and maintain long-term access, potentially leading to significant financial and reputational damage for affected entities.

Organizations should implement targeted defenses against phishing by training employees specifically on recognizing localized social engineering tactics related to tax audits and e-invoices. Deploy advanced email filtering solutions that inspect attachments and URLs for malicious LNK files and archive formats like .rar and .7z. Monitor and restrict the execution of LNK files and unknown DLLs, especially those loaded via sideloading techniques. Employ application whitelisting to prevent unauthorized driver loading and use endpoint detection tools capable of identifying BYOVD attack patterns and kernel-level anomalies. Regularly audit and harden User Account Control (UAC) settings to reduce bypass risks. Maintain updated threat intelligence feeds to block known malicious domains, IPs, and file hashes associated with this campaign. Conduct frequent security assessments focusing on persistence mechanisms and process termination behaviors indicative of malware activity. Implement network segmentation to limit lateral movement and monitor for unusual outbound traffic to suspicious infrastructure. Finally, establish incident response plans that include forensic capabilities to detect and remediate advanced persistent threats with kernel-level access.