Rising Cross-Border Phishing Attacks Sweep Across Asia

Cyberwarfare / Nation-State Attacks,
Fraud Management & Cybercrime

Phishing Campaigns Transition from China to Malaysia Targeting Chinese-Speakers


Recent investigations reveal that a series of coordinated cyberattacks targeting Chinese-speaking individuals across the Asia-Pacific region traces back to a single threat actor. Researchers report that the attacks, which deliver a remote access trojan, have been observed in several countries, including China, Taiwan, Japan and Malaysia.

The campaign's hallmark is the HoldingHands remote access trojan, delivered with layered obfuscation. The attacks share a reliance on Tencent Cloud storage, which hosts the malicious payloads. Fortinet researchers first documented the activity in January 2025, when a variant of the Winos 4.0 malware was used in attacks aimed at Taiwan.

By February the actor had shifted tactics, deploying new malware families to broaden its targeting across Asia. According to Fortinet, the focus on Chinese speakers has intensified: samples with Chinese-language file names surface frequently on VirusTotal, which the researchers read as a mandate for regional intelligence collection.

The initial access vector is phishing: emails carry PDF attachments that impersonate official communications from government bodies such as ministries of finance. Each PDF embeds several links, predominantly pointing to Tencent Cloud storage, and that shared hosting is what allowed researchers to tie otherwise separate clusters of malicious files back to the same threat actor.

Some of the phishing lures posed as government orders or draft tax regulations. In one instance, a document aimed at Taiwan directed victims to a Japanese-language website, which served a ZIP file containing an executable tied to the HoldingHands payload: a deliberately multilingual lure chain intended to sow confusion among users in different locales.

Technical indicators tie the Japanese and Taiwanese attacks together: both used the same command-and-control IP address, and both relied on executables carrying legitimate digital signatures to slip past detection. The recent campaigns against Malaysia reuse that same infrastructure. Notably, the domain used in the Taiwanese phishing attacks resolved to the same IP, showing the actor adapting its lures for new targets while keeping its back end in place.
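The two pivots described above (lures that share a storage bucket, and samples or domains that share a C2 address) are the same operation on an indicator graph. The following is an added example written for this article, not code from Fortinet or from the campaign write-up; every indicator in it is a constructed placeholder using reserved documentation ranges (198.51.100.0/24, 203.0.113.0/24, `.example` names), and the relation labels are illustrative, not a schema from the report.

```python
"""Pivot on shared hosting and command-and-control to link lure clusters.

Builds an undirected graph from (artifact, relation, value) observations and
reports connected components, so a lure seen in one country that shares a
storage bucket host or a C2 address with lures elsewhere lands in the same
component. Added example for this article; every indicator below is a
constructed placeholder (RFC 5737 / RFC 2606 reserved values), not an IOC
from the HoldingHands campaign.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed observations. Relation names are illustrative labels only.
OBSERVATIONS = [
    ("lure-tw-tax-audit.pdf", "embeds_url", "https://bucket-a.storage.example/tw/notice.zip"),
    ("lure-jp-order.pdf", "embeds_url", "https://bucket-a.storage.example/jp/order.zip"),
    ("https://bucket-a.storage.example/tw/notice.zip", "drops", "sample-1"),
    ("sample-1", "beacons_to", "198.51.100.23"),
    ("tax-update.example", "resolves_to", "198.51.100.23"),
    ("lure-my-regulation.pdf", "embeds_url", "https://tax-update.example/form.zip"),
    ("https://tax-update.example/form.zip", "drops", "sample-2"),
    ("sample-2", "beacons_to", "198.51.100.23"),
    ("unrelated-sample", "beacons_to", "203.0.113.9"),
]


def _nodes(indicator):
    """A URL contributes two nodes: itself and its host, so two URLs on the
    same bucket host connect even when their paths differ."""
    yield indicator
    if indicator.startswith(("http://", "https://")):
        host = urlparse(indicator).hostname
        if host:
            yield host


def connected_components(observations):
    """Union-find over every indicator seen; returns a list of frozensets."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the trees shallow
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for artifact, _relation, value in observations:
        nodes = list(_nodes(artifact)) + list(_nodes(value))
        for node in nodes[1:]:
            union(nodes[0], node)

    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return [frozenset(g) for g in groups.values()]


def related_indicators(observations, indicator):
    """Every indicator reachable from `indicator` through shared infrastructure."""
    for component in connected_components(observations):
        if indicator in component:
            return component
    return frozenset()


if __name__ == "__main__":
    # The Malaysian lure reaches the Taiwanese and Japanese lures through the
    # shared C2 address and the shared bucket host.
    for ioc in sorted(related_indicators(OBSERVATIONS, "lure-my-regulation.pdf")):
        print(ioc)
```

The graph keys on the full bucket hostname rather than on the cloud provider: "hosted on Tencent Cloud" alone would join every customer of that provider into one component, and the same caveat applies to a C2 address that turns out to sit behind a shared CDN or hosting range. Treat a pivot through a single shared node as a lead to confirm with a second, independent link (a signer, a dropped hash, a lure template) before calling it attribution.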

Where earlier versions downloaded and ran the next stage directly, the latest HoldingHands variant hands later stages to the Windows Task Scheduler. Because the payload is then launched by the scheduler service rather than by the dropper, the process tree no longer points back at the phishing document, the activity blends in with routine scheduled jobs, and both real-time detection and later forensic reconstruction become harder. The task definition itself is the durable artifact: it is written to disk under the Tasks folder and, where task-creation auditing is enabled, recorded in the Security log when the task is registered.
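One practical response to scheduler-based staging is to score every newly registered task definition. Windows Security event 4698 ("A scheduled task was created") carries the task XML in its TaskContent field, and the same XML is stored under C:\Windows\System32\Tasks. The following is an added example written for this article, not Fortinet's tooling and not tied to the actual HoldingHands task; the two task definitions, the weighting, and the path and launcher lists are constructed assumptions chosen to illustrate the check.

```python
r"""Score a scheduled-task definition for signs of malware staging.

Windows Security event 4698 carries the task definition as XML in its
TaskContent field; the same XML is stored under C:\Windows\System32\Tasks.
This example scores that XML. Both task definitions below are constructed for
the example, not recovered from the HoldingHands campaign, and the XML
declaration is omitted so the strings parse as plain text.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task XML.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a non-admin user, and therefore a freshly landed dropper, can write to.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\temp\\"
    r"|%(appdata|localappdata|temp|tmp|public)%",
    re.IGNORECASE,
)
# Signed system binaries commonly used to launch a second stage indirectly.
PROXY_LAUNCHERS = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
    "cmd.exe", "wscript.exe", "cscript.exe",
}


def _text(elem, path):
    """Stripped text of a namespaced child element, or '' if absent."""
    return (elem.findtext(path, default="", namespaces=TASK_NS) or "").strip()


def score_task(task_xml):
    """Return {'score': int, 'suspicious': bool, 'reasons': [...]} for one task XML."""
    root = ET.fromstring(task_xml)
    reasons, score = [], 0

    for action in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = _text(action, "t:Command").strip('"')
        args = _text(action, "t:Arguments")
        exe = cmd.replace("/", "\\").split("\\")[-1].lower()
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            score += 2
            reasons.append("action runs code from a user-writable path: " + (cmd + " " + args).strip())
        if exe in PROXY_LAUNCHERS:
            score += 1
            reasons.append("action uses a proxy launcher: " + exe)

    if _text(root, ".//t:Settings/t:Hidden").lower() == "true":
        score += 1
        reasons.append("task is hidden from the Task Scheduler UI")

    principal = root.find(".//t:Principals/t:Principal", TASK_NS)
    if principal is not None:
        user = _text(principal, "t:UserId")
        run_level = _text(principal, "t:RunLevel")
        if user == "S-1-5-18" or user.upper().endswith("SYSTEM") or run_level == "HighestAvailable":
            score += 1
            reasons.append("task runs elevated: " + (user or run_level))

    # One weak signal on its own (an elevated vendor updater, say) is normal; require two.
    return {"score": score, "suspicious": score >= 2, "reasons": reasons}


# Constructed example: hidden SYSTEM task that uses rundll32 to load a DLL from Users\Public.
STAGED_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\rundll32.exe</Command><Arguments>C:\Users\Public\Libraries\core.dll,Run</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed example: an elevated but visible vendor updater under Program Files.
UPDATER_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\ExampleVendor\Updater.exe"</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("staged", STAGED_TASK), ("updater", UPDATER_TASK)):
        result = score_task(xml)
        print(name, result["score"], result["suspicious"], result["reasons"])
```

The threshold is deliberately two signals, because a hidden task or a SYSTEM principal is unremarkable on its own; what distinguishes staging is the combination with code loaded from a directory the dropper could write to, or with a proxy launcher standing in for a real binary. The same scoring applies unchanged to task XML read from disk, so it can be run over an image during forensic review as well as on live 4698 events.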

The attack flow begins with a malicious executable disguised as a "tax audit document." It loads a tampered library that sets up the malicious environment, runs anti-virtual-machine checks and escalates privileges by impersonating the Windows TrustedInstaller service, whose token grants write access to protected system locations that even an administrator cannot modify directly. Each of these steps maps to a documented MITRE ATT&CK technique: a phishing attachment for initial access, loading of a tampered library for execution, token impersonation for privilege escalation and scheduled tasks for persistence.

The malware also enumerates installed antivirus products and varies its behaviour according to what it finds, which improves its chances of staying unnoticed. Once resident, the chain uses altered system files to load encrypted shellcode that ultimately delivers the HoldingHands payload. The updated version reads its command-and-control IP from Windows registry entries, so operators can move the back end without redeploying the implant; for defenders that means the registry value, not only the network indicator, is worth watching.

The campaign underscores the ongoing risk of regional intelligence collection that combines dynamic infrastructure updates with indirect execution to stay resident. The evolution of these tactics is a notable trend in threat actor behaviour and calls for heightened vigilance and stronger security measures among businesses operating in or serving the Asia-Pacific market.
