HoldingHands RAT

The threat actors behind the Winos 4.0 malware family (also tracked as ValleyRAT) have extended their operations beyond China and Taiwan to target Japan and Malaysia. In these recent campaigns, the group delivered a second remote-access trojan (RAT) identified as HoldingHands (aka Gh0stBins), using socially engineered phishing documents as the primary vector.

How The Campaign Spreads

Attackers distribute the malware through phishing emails that include PDF attachments with embedded malicious links. The PDFs impersonate official communications — in some cases, posing as Ministry of Finance documents — and contain multiple links, only one of which leads to the malicious download. In other incidents, the lure is a web page (for example, a Japanese-language page hosted at a URL like 'twsww[.]xin/download[.]html') that prompts victims to fetch a ZIP archive containing the RAT.

Distribution Methods And Attribution

Winos 4.0 is commonly propagated via phishing and SEO-poisoning campaigns that redirect victims to bogus download pages posing as legitimate software (examples observed include counterfeit installers for Google Chrome, Telegram, Youdao, Sogou AI, WPS Office, and DeepSeek). Security researchers link the use of Winos to an aggressive cybercriminal cluster known variously as Silver Fox, SwimSnake, Valley Thief (The Great Thief of Valley), UTG-Q-1000, and Void Arachne. In September 2025, researchers reported this actor abusing a previously undocumented vulnerable driver bundled with a vendor product called WatchDog Anti-malware in a BYOVD (Bring Your Own Vulnerable Driver) technique to disable endpoint protection. Earlier (August 2025), the group employed SEO poisoning to spread HiddenGh0st and Winos modules, and June reporting documented Silver Fox using booby-trapped PDFs to stage multi‑step infections that ultimately deployed HoldingHands RAT. Historic lures include taxation-themed Excel files used against China going back to March 2024; recent efforts shifted to Malaysian-targeted phishing landing pages.

Multi-stage Infection And Persistence

The infection typically begins with an executable masquerading as an excise audit or other official document. That executable sideloads a malicious DLL, which acts as a shellcode loader for a payload named 'sw.dat.' The loader performs several anti-analysis and defensive actions — anti-VM checks, scanning running processes for known security products and terminating them, escalating privileges, and disabling the Windows Task Scheduler — before handing control to subsequent stages.

Files observed dropped to the system:

  • svchost.ini — contains the RVA for VirtualAlloc.
  • TimeBrokerClient.dll — the malicious loader DLL, dropped under the name of the legitimate library; the genuine TimeBrokerClient.dll is renamed to BrokerClientCallback.dll.
  • msvchost.dat — encrypted shellcode.
  • system.dat — encrypted payload.
  • wkscli.dll — unused/placeholder DLL.

Task Scheduler Trigger And Stealthy Activation

Rather than relying on an explicit process launch, the campaign leverages Windows Task Scheduler behavior: Task Scheduler runs as a service under svchost.exe and by default is configured to restart shortly after failure. The malware alters files so that when the Task Scheduler service restarts, svchost.exe loads the malicious TimeBrokerClient.dll in place of the genuine library (which has been renamed to BrokerClientCallback.dll). That DLL allocates memory for the encrypted shellcode using the VirtualAlloc address stored in svchost.ini, then runs the shellcode from msvchost.dat, which decrypts system.dat and extracts the HoldingHands payload. This 'service restart → DLL load' trigger reduces the need for direct process execution and complicates behavior-based detection.

Privilege Escalation To TrustedInstaller

To gain the permissions necessary to rename and replace protected system components (for example, renaming the genuine TimeBrokerClient.dll), the loader impersonates high-privilege system accounts. The sequence observed is:

  • Enable SeDebugPrivilege to access the Winlogon process and its token.
  • Adopt the Winlogon token to run as SYSTEM.
  • From SYSTEM, acquire a TrustedInstaller security context — the account used by Windows Resource Protection to guard critical OS files.
  • Using that TrustedInstaller context, the malware can modify protected files in C:\Windows\System32 (an action normally restricted even for administrators).
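The chain described in this section and the previous one leaves a distinct trail in host telemetry: a process outside C:\Windows opening a handle to winlogon.exe, the named artifacts appearing under System32, the Task Scheduler service terminating and restarting, and svchost.exe then loading a TimeBrokerClient.dll that does not carry a valid signature. The Python correlator below is an added example written for this page, not code from the report or from any vendor tooling. Its event field names approximate Sysmon (IDs 10, 11 and 7) and Service Control Manager (ID 7031) records, and every sample event, including the lure process name "audit.exe", is constructed.

```python
"""Correlate host telemetry for the HoldingHands persistence chain.

Added example, not code from the report. Event records approximate Sysmon
(ID 10 ProcessAccess, ID 11 FileCreate, ID 7 ImageLoad) and Service Control
Manager (ID 7031, unexpected service termination) events; the field names
used here and every sample record are constructed for this example.
"""
from datetime import datetime, timedelta

# File names are the ones the report lists as dropped to System32.
DROPPED_ARTIFACTS = {"svchost.ini", "msvchost.dat", "system.dat",
                     "wkscli.dll", "brokerclientcallback.dll"}

# Stages in the order the report describes them.
STAGES = ["winlogon_access", "artifact_drop", "schedule_restart", "unsigned_load"]


def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one telemetry record to a chain stage, or None if it is unrelated."""
    src, eid = event["source"], event["id"]
    if src == "sysmon" and eid == 10:
        # A process outside C:\Windows opening a handle to winlogon.exe
        # (the token the report says is adopted to run as SYSTEM).
        if (_name(event["TargetImage"]) == "winlogon.exe"
                and not event["SourceImage"].lower().startswith("c:\\windows\\")):
            return "winlogon_access"
    elif src == "sysmon" and eid == 11:
        # One of the named artifacts written under System32.
        target = event["TargetFilename"].lower()
        if "\\windows\\system32\\" in target and _name(target) in DROPPED_ARTIFACTS:
            return "artifact_drop"
    elif src == "scm" and eid == 7031:
        # SCM reporting that the Task Scheduler service died and will restart.
        if "task scheduler" in event["Message"].lower():
            return "schedule_restart"
    elif src == "sysmon" and eid == 7:
        # svchost.exe loading TimeBrokerClient.dll without a valid signature.
        if (_name(event["Image"]) == "svchost.exe"
                and _name(event["ImageLoaded"]) == "timebrokerclient.dll"
                and event.get("SignatureStatus") != "Valid"):
            return "unsigned_load"
    return None


def correlate(events, window=timedelta(minutes=5)):
    """Return {'stages': [...], 'chain': bool}.

    'chain' is True only when every stage occurs, in report order, with the
    whole sequence inside `window`. Individual stages are reported regardless
    so a partial chain still surfaces for triage.
    """
    first_seen = {}
    for event in events:
        stage = classify(event)
        if stage and stage not in first_seen:
            first_seen[stage] = datetime.fromisoformat(event["ts"])
    ordered = [first_seen[s] for s in STAGES if s in first_seen]
    complete = len(ordered) == len(STAGES)
    in_order = ordered == sorted(ordered)
    within = complete and (ordered[-1] - ordered[0]) <= window
    return {"stages": [s for s in STAGES if s in first_seen],
            "chain": complete and in_order and within}


# Constructed sample: one workstation, events in time order. The lure
# process name "audit.exe" and the timestamps are invented.
SAMPLE_EVENTS = [
    {"ts": "2025-10-01T09:00:00", "source": "sysmon", "id": 10,
     "SourceImage": "C:\\Users\\u\\Downloads\\audit.exe",
     "TargetImage": "C:\\Windows\\System32\\winlogon.exe"},
    {"ts": "2025-10-01T09:00:02", "source": "sysmon", "id": 11,
     "Image": "C:\\Users\\u\\Downloads\\audit.exe",
     "TargetFilename": "C:\\Windows\\System32\\BrokerClientCallback.dll"},
    {"ts": "2025-10-01T09:00:03", "source": "sysmon", "id": 11,
     "Image": "C:\\Users\\u\\Downloads\\audit.exe",
     "TargetFilename": "C:\\Windows\\System32\\svchost.ini"},
    {"ts": "2025-10-01T09:00:40", "source": "scm", "id": 7031,
     "Message": "The Task Scheduler service terminated unexpectedly. "
                "The following corrective action will be taken in 60000 "
                "milliseconds: Restart the service."},
    {"ts": "2025-10-01T09:01:41", "source": "sysmon", "id": 7,
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\TimeBrokerClient.dll",
     "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
</```

Each stage is reported on its own because the early ones (the winlogon.exe handle, the artifact writes) happen before the Task Scheduler restart and are worth triaging even when the chain never completes. The winlogon.exe check uses a coarse "outside C:\Windows" filter as an assumption; in a real deployment it should be tuned against the processes that legitimately open that handle in the environment.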

How The Payload Executes And Maintains Control

The malicious TimeBrokerClient component allocates memory per the RVA in svchost.ini, places the decrypted shellcode from msvchost.dat there, and runs it. The decrypted payload unpacks HoldingHands, which then establishes communications with a remote command-and-control (C2) server. Observed capabilities include:

  • Sending host information to the C2.
  • Sending heartbeat messages every 60 seconds to keep the channel alive.
  • Receiving and executing remote commands (data theft, arbitrary command execution, fetching additional payloads).
  • An added feature allowing the operator to update the C2 address via a Windows Registry entry.
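The 60-second heartbeat is the most regular signal in the list above, and regularity is something a defender can measure in ordinary connection logs without knowing the C2 address in advance. The script below is an added example written for this page, not code from the report: it groups connections by host and destination, computes the spacing between successive connections, and flags pairs whose spacing is nearly constant, optionally requiring it to match a known cadence such as 60 seconds. All records are constructed and the 203.0.113.0/24 addresses are documentation-range placeholders, not indicators from the report.

```python
"""Flag destinations contacted at a near-fixed interval.

Added example, not code from the report. It looks for the kind of regular
heartbeat the report attributes to HoldingHands (one message every 60
seconds) in plain connection records; all records below are constructed and
the 203.0.113.0/24 addresses are documentation-range placeholders, not
indicators from the report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def find_beacons(records, min_connections=6, max_cv=0.05,
                 expected=None, tolerance=0.1):
    """Return {(host, dst): stats} for pairs whose connection gaps are regular.

    records: iterable of (host, dst, iso_timestamp).
    A pair is flagged when it has at least `min_connections` connections and
    the coefficient of variation (population stdev / mean) of the gaps is at
    most `max_cv`. If `expected` is given (seconds), the mean gap must also
    lie within `tolerance` (a fraction) of it, so the caller can look for a
    known cadence such as the 60 s heartbeat.
    """
    by_pair = defaultdict(list)
    for host, dst, ts in records:
        by_pair[(host, dst)].append(datetime.fromisoformat(ts))

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv > max_cv:
            continue
        if expected is not None and abs(avg - expected) > tolerance * expected:
            continue
        flagged[pair] = {"count": len(times),
                         "mean_interval": round(avg, 1),
                         "cv": round(cv, 3)}
    return flagged


# Constructed sample connection log. The first destination is contacted
# roughly every 60 s with a second or two of jitter; the other two show
# ordinary irregular traffic.
SAMPLE_CONNECTIONS = [
    ("WS-01", "203.0.113.10:443", "2025-10-01T09:00:00"),
    ("WS-01", "203.0.113.10:443", "2025-10-01T09:01:00"),
    ("WS-01", "203.0.113.10:443", "2025-10-01T09:02:01"),
    ("WS-01", "203.0.113.10:443", "2025-10-01T09:02:59"),
    ("WS-01", "203.0.113.10:443", "2025-10-01T09:04:00"),
    ("WS-01", "203.0.113.10:443", "2025-10-01T09:05:00"),
    ("WS-01", "203.0.113.10:443", "2025-10-01T09:06:01"),
    ("WS-01", "203.0.113.10:443", "2025-10-01T09:07:00"),
    ("WS-01", "203.0.113.20:443", "2025-10-01T09:00:05"),
    ("WS-01", "203.0.113.20:443", "2025-10-01T09:00:09"),
    ("WS-01", "203.0.113.20:443", "2025-10-01T09:01:30"),
    ("WS-01", "203.0.113.20:443", "2025-10-01T09:02:02"),
    ("WS-01", "203.0.113.20:443", "2025-10-01T09:04:11"),
    ("WS-01", "203.0.113.20:443", "2025-10-01T09:04:12"),
    ("WS-01", "203.0.113.30:80", "2025-10-01T09:03:47"),
]

if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_CONNECTIONS, expected=60).items():
        print(pair, stats)
```

The same grouping works on proxy or DNS logs, which matters here because the report notes the operator can change the C2 address through the registry; a cadence check keyed on behaviour survives an address change that an indicator list does not. Expect hits from legitimate software with fixed polling intervals (update checkers, monitoring agents), so pair the output with an allow-list of known destinations before raising alerts.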

Targeting, Language Focus, And Likely Motive

Recent samples and lures indicate a focus on Chinese-language victims, though the geographic scope now includes Japan and Malaysia. The operational patterns — reconnaissance, regional targeting, stealthy persistence, and modular backdoor functionality — point to intelligence collection in the region, with implants frequently left dormant pending further instructions.

Summary

Silver Fox-linked operators have expanded Winos 4.0 activity and added HoldingHands RAT to their toolset, using polished social-engineering (PDFs and SEO-poisoned pages) and a sophisticated multi-stage execution chain that abuses Task Scheduler behavior and TrustedInstaller privileges to persist and evade detection. The operation's capabilities and targeting suggest a focused regional intelligence collection effort with long-lived, modular implants waiting for operator commands.