
Tracking Malware and Attack Expansion: A Hacker Group's Journey across Asia

Severity: Medium
Published: Fri Oct 17 2025 (10/17/2025, 18:11:19 UTC)
Source: AlienVault OTX General

Description

A hacker group has been conducting evolving malware campaigns across Asia, initially targeting Taiwan with Winos 4.0 attacks and expanding to Japan and Malaysia. Their attack vector primarily involves phishing emails containing malicious PDFs, shifting from cloud storage links to custom domains for malware delivery. The latest Malaysian campaign uses a multi-stage attack leveraging Windows Task Scheduler for stealthy execution. The malware, named HoldingHands, has been enhanced with capabilities such as updating command-and-control (C2) IP addresses via Windows registry entries. The attackers show adaptability in tactics while maintaining consistent patterns, enabling researchers to link disparate attacks. Although no known exploits are currently in the wild, the threat poses a medium severity risk. European organizations should be aware of the phishing vector and multi-stage stealth techniques that could be adapted to target them. Mitigation requires focused email security and monitoring of scheduled tasks and registry changes. Countries with significant Taiwanese, Japanese, and Malaysian business ties or similar targeted sectors are at higher risk.

AI-Powered Analysis

Last updated: 10/20/2025, 08:44:29 UTC

Technical Analysis

FortiGuard Labs has tracked a persistent hacker group conducting malware campaigns across Asia, beginning with Winos 4.0 attacks in Taiwan and expanding operations to Japan and Malaysia. The group’s primary infection vector is phishing emails containing malicious PDF attachments. Initially, malware payloads were distributed via cloud storage links, but the attackers evolved to using custom domains, improving control and evasion. The latest campaign in Malaysia employs a multi-stage attack flow that leverages the Windows Task Scheduler to execute malware stealthily, reducing detection likelihood. The malware, identified as HoldingHands, has been updated with new features, including the ability to dynamically update its command-and-control (C2) server IP addresses through registry entries, enhancing its persistence and adaptability. The attackers maintain some consistent tactics, techniques, and procedures (TTPs), such as phishing (T1566), use of task scheduler (T1053), and registry manipulation (T1112), which have allowed researchers to link seemingly unrelated attacks across different countries. While no known exploits are currently active in the wild, the campaign demonstrates a sophisticated approach combining social engineering, multi-stage payload delivery, and stealth persistence mechanisms. The threat is classified as medium severity due to its potential impact and complexity of attack flow.

Potential Impact

For European organizations, this threat could lead to unauthorized access, data exfiltration, and persistent footholds within networks if phishing emails are successful. The use of multi-stage attacks and stealthy execution via Windows Task Scheduler complicates detection and response efforts, potentially allowing attackers to maintain long-term access. The ability of the malware to update C2 IP addresses dynamically via registry entries increases its resilience against takedown efforts. European entities with business ties or subsidiaries in Asia, or those using similar Windows environments and email communication patterns, could be targeted or face spillover attacks. The phishing vector poses a significant risk to user credentials and network integrity, while the stealth techniques may delay incident detection, increasing potential damage. Although no active exploits are reported, the evolving tactics suggest the group could adapt to new targets, including European organizations, especially in sectors with valuable intellectual property or critical infrastructure.

Mitigation Recommendations

European organizations should implement advanced email filtering solutions capable of detecting malicious PDFs and phishing attempts, including sandboxing attachments and blocking suspicious domains. Monitoring and alerting on unusual Windows Task Scheduler activity is critical, as attackers use scheduled tasks for stealthy execution. Regular auditing of Windows registry changes, especially those related to network configurations and persistence mechanisms, can help detect malware updates such as C2 IP modifications. Endpoint detection and response (EDR) tools should be tuned to identify behaviors associated with multi-stage malware deployment and lateral movement techniques. User awareness training focused on phishing risks and suspicious attachments remains essential. Network segmentation and strict outbound traffic controls can limit malware communication with C2 servers. Incident response plans should include procedures for rapid containment and forensic analysis of stealthy malware. Finally, organizations should track threat intelligence feeds for updates on this group’s evolving tactics and indicators of compromise (IOCs).
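As an added defender-side example (not from the advisory or from FortiGuard), the following Python script sweeps log lines against the IP, domain and hash indicators listed in this advisory's IoC tables. The DNS, proxy and EDR log lines it scans are constructed for the example, the log field names are assumptions, and domain matching is generalized to also catch subdomains of the listed domains, which the tables themselves do not enumerate.

```python
"""Sweep log lines for the HoldingHands / Winos 4.0 indicators in this advisory.

Added example; the indicator values come from the advisory's IoC tables,
the log lines and their format are constructed and not from the page.
"""
import re

# Indicators copied from the advisory's IoC tables.
C2_IPS = {
    "154.91.64.45", "206.238.199.22", "206.238.221.244", "156.251.17.12",
    "156.251.17.9", "206.238.221.182", "38.60.203.110",
}
DOMAINS = {
    "gjqygs.cn", "jpjpz1.cc", "jpjpz1.top", "jppjp.vip", "twczb.com",
    "twsww.xin", "twswzz.xin", "zcqiyess.vip", "zxp0010w.vip",
}
HASHES = {
    "464f61eb09efcb46807cbabf92a9cdbe",
    "01ae15079d35a2465cdc6bcd993e205db5c87e64",
    "031c916b599e17d8cfa13089bddafc2436be8522f0c9e479c7d76ba3010bbd18",
    "03e1cdca2a9e08efa8448e20b50dc63fdbea0e850de25c3a8e04b03e743b983d",
    "0db506d018413268e441a34e6e134c9f5a33ceea338fc323d231de966401bb2c",
    "1c4bc67ae4af505f58bd11399d45e196fc17cc5dd32ad1d8e6836832d59df6e6",
    "2b1719108ec52e5dea20169a225b7d383ad450195a5e6274315c79874f448caa",
    "804dc39c1f928964a5c02d129da72c836accf19b8f6d8dc69fc853ce5f65b4f3",
    "8d25da6459c427ad658ff400e1184084db1789a7abff9b70ca85cf57f4320283",
    "c138ff7d0b46a657c3a327f4eb266866957b4117c0507507ba81aaeb42cdefa9",
    "c6095912671a201dad86d101e4fe619319cc22b10b4e8d74c3cd655b2175364c",
    "dc45981ff705b641434ff959de5f8d4c12341eaeda42d278bd4e46628df94ac5",
    "fb9c9ed91fc70f862876bd77314d3b2275069ca7c4db045e5972e726a3e8e04c",
}

# Token extractors: IPv4 literals, hostnames, and MD5/SHA1/SHA256-length hex runs.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)

# Constructed sample log lines (assumed field layout; not taken from the advisory).
SAMPLE_LOGS = [
    "2025-10-20T08:41:00Z dns client=10.0.0.12 query=twsww.xin type=A",
    "2025-10-20T08:41:01Z dns client=10.0.0.12 query=www.example.com type=A",
    "2025-10-20T08:41:03Z proxy client=10.0.0.12 dst=154.91.64.45:443 "
    "url=http://twsww.xin/download.html",
    "2025-10-20T08:42:10Z proxy client=10.0.0.7 dst=93.184.216.34:443 "
    "url=https://www.example.com/",
    "2025-10-20T08:43:55Z edr host=WS-0042 event=file_create "
    "sha256=031c916b599e17d8cfa13089bddafc2436be8522f0c9e479c7d76ba3010bbd18 "
    "path=C:\\Users\\Public\\update.exe",
    "2025-10-20T08:44:02Z dns client=10.0.0.9 query=cdn.jpjpz1.top type=A",
]


def domain_matches(host):
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DOMAINS:
            return candidate
    return None


def scan_line(line):
    """Return [(ioc_type, value), ...] for every listed indicator found in one line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in C2_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        matched = domain_matches(host)
        if matched:
            hits.append(("domain", matched))
    for digest in HASH_RE.findall(line):
        if digest.lower() in HASHES:
            hits.append(("hash", digest.lower()))
    return hits


def scan(lines):
    """Return [(line_number, ioc_type, value), ...] across all lines, 1-indexed."""
    return [(n, t, v) for n, line in enumerate(lines, 1) for t, v in scan_line(line)]


if __name__ == "__main__":
    for line_no, ioc_type, value in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {ioc_type} indicator {value}")
```

The hash regex keys on length only, so MD5, SHA-1 and SHA-256 values from the table are matched without knowing which field a given log source uses; the suffix walk in `domain_matches` is what lets a lookup for `cdn.jpjpz1.top` be attributed to the listed `jpjpz1.top`.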


Technical Details

Author
AlienVault
TLP
white
References
https://www.fortinet.com/blog/threat-research/tracking-malware-and-attack-expansion-a-hacker-groups-journey-across-asia
Adversary
null
Pulse Id
68f286c7e3ba464045fcfce5
Threat Score
null

Indicators of Compromise

IP addresses

154.91.64.45
206.238.199.22
206.238.221.244
156.251.17.12
156.251.17.9
206.238.221.182
38.60.203.110

Hashes

MD5:
464f61eb09efcb46807cbabf92a9cdbe

SHA-1:
01ae15079d35a2465cdc6bcd993e205db5c87e64

SHA-256:
031c916b599e17d8cfa13089bddafc2436be8522f0c9e479c7d76ba3010bbd18
03e1cdca2a9e08efa8448e20b50dc63fdbea0e850de25c3a8e04b03e743b983d
0db506d018413268e441a34e6e134c9f5a33ceea338fc323d231de966401bb2c
1c4bc67ae4af505f58bd11399d45e196fc17cc5dd32ad1d8e6836832d59df6e6
2b1719108ec52e5dea20169a225b7d383ad450195a5e6274315c79874f448caa
804dc39c1f928964a5c02d129da72c836accf19b8f6d8dc69fc853ce5f65b4f3
8d25da6459c427ad658ff400e1184084db1789a7abff9b70ca85cf57f4320283
c138ff7d0b46a657c3a327f4eb266866957b4117c0507507ba81aaeb42cdefa9
c6095912671a201dad86d101e4fe619319cc22b10b4e8d74c3cd655b2175364c
dc45981ff705b641434ff959de5f8d4c12341eaeda42d278bd4e46628df94ac5
fb9c9ed91fc70f862876bd77314d3b2275069ca7c4db045e5972e726a3e8e04c

URLs

http://twsww.xin/download.html
http://twswzz.xin/index.html

Domains

gjqygs.cn
jpjpz1.cc
jpjpz1.top
jppjp.vip
twczb.com
twsww.xin
twswzz.xin
zcqiyess.vip
zxp0010w.vip

Threat ID: 68f5f5be58c1f730f1e065df

Added to database: 10/20/2025, 8:41:34 AM

Last enriched: 10/20/2025, 8:44:29 AM

Last updated: 10/20/2025, 2:39:18 PM
