Winos 4.0 Malware Targets Users in Taiwan

Winos 4.0 is an advanced malware framework. It was distributed through gaming-related applications and, in a January 2025 campaign, via an email masquerading as a message from Taiwan's National Taxation Bureau.

Introduction

In January 2025, an advanced malware framework named Winos 4.0 turned up in both gaming-app bundles and a deceptively official email. By the time traditional feeds caught on, Cypex AIM had already flagged its infrastructure—giving our clients crucial lead time.

Infection Vectors
  • Gaming-Related Applications: Installers silently bundled the Winos 4.0 payload.
  • Tax-Inspection Lure: An email spoofed as Taiwan’s National Taxation Bureau, with a ZIP claiming to list enterprises due for inspection and urging recipients to forward it to their treasurer.
Technical Breakdown

Infection Chain

  • ZIP → Malicious DLL → Shellcode: The attached ZIP unpacked a DLL that ran an initial shellcode.
  • Embedded C2 IPs: That shellcode contained C2 server IPs and downloaded a secondary shellcode.
  • Fortinet’s Public Report (Feb 27, 2025): Listed several C2 IP addresses, domain names (e.g. twzfw[.]vip) and hashes.

Cypex AIM Findings

  • New IP Discovery

    twzfw[.]vip resolves uniquely to 103.127.219[.]121, an address not in Fortinet’s report.

  • Reputation Check

    No traditional threat-intel vendor marked that IP as suspicious or malicious.

  • Reverse DNS Insight

    103.127.219[.]121 also resolves to hohodaodao[.]synology[.]com.

  • Early Risk Scoring - Feb 2, 2025

    Cypex AIM assigned a Medium Risk score—five days before the domain mapping appeared on Feb 7.

  • Dynamic Score Adjustment - Mar 7, 2025

    Our dynamic scoring engine lowered the risk once activity subsided.

  • Expanded IOC Set

    We surfaced 8 additional IPs showing similar behavioral fingerprints and recommended clients create rules to monitor or block them.

  • Disposable-Mail Usage

    Observed ephemeral email services used in domain registrations, indicating throwaway infrastructure.

About the Cypex AIM Platform

1. High-Level Architecture

  • Passive Sensor Network: Human-behavior sensors across data centers, VPNs, TOR/I2P and select ISPs capture real traffic, banners and protocol handshakes.
  • Active Scanning Grid: Daily IPv4 sweeps on 3,000+ TCP/UDP ports extract banners, CPE metadata, SSH keys and TLS certificates.
  • Domain Intelligence Collectors: Continuous FQDN harvesting (DNS resolvers, CT logs) plus weekly zone-wide DNS record pulls and WHOIS tracking.

2. Central CTI Data Lake

  • A multi-tenant, schema-driven store of raw and normalized feeds with full provenance and “first seen/last seen” metadata.

3. Analytics & Scoring Engine

  • Static Features: WHOIS age, lexical entropy, DNS/TLS anomalies, hosting/IP attributes.
  • Behavioral Features: Traffic spikes, honeypot-captured activity, bot vs. human tagging.
  • ML & Graph Correlation: Phishing, malware and DGA classifiers plus graph-based risk propagation across shared infrastructure.

4. Real-Time API & Dashboard

  • Lookup Endpoints: Domain/IP queries return risk score, tags, related assets and historical changes.
  • Bulk & Webhook Integrations: CSV/API exports, customizable webhook alerts and SIEM/SOAR connectors.
  • Interactive Dashboard: KPIs, time-series histograms, world-map choropleths and a “human vs. bot” traffic slider.

5. Custom Alerts & Playbooks

  • Define rules (e.g. “new .vip domain <15 days old resolving in my network”) and receive email/SMS/webhook notifications the moment they trigger.
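Two of the recommendations above, monitoring the published IOC set and alerting on a rule such as "new .vip domain <15 days old resolving in my network", are easy to illustrate with a small rule evaluator over resolver logs. The following is an added example written for this page; it is not Cypex AIM code and does not use its API. The log line format, the WHOIS creation dates (including the one for twzfw.vip, which the post does not give), the internal network ranges and the sample log are all constructed; only the defanged indicators come from the write-up.

```python
"""Toy DNS-log rule evaluator in the spirit of the alerts described above.
Added example: not Cypex AIM code and not its API; the log format, WHOIS
dates and network ranges are all constructed for the demonstration."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date


def refang(ioc: str) -> str:
    """Restore a defanged indicator ('twzfw[.]vip' -> 'twzfw.vip')."""
    return ioc.replace("[.]", ".")


# Indicators quoted in the write-up, kept defanged in source and refanged at load.
KNOWN_BAD_DOMAINS = {refang("twzfw[.]vip"), refang("hohodaodao[.]synology[.]com")}
KNOWN_BAD_IPS = {refang("103.127.219[.]121")}

# Constructed WHOIS creation dates standing in for a registration-data feed;
# the real creation date of twzfw.vip is not given in the post.
WHOIS_CREATED = {
    "twzfw.vip": date(2025, 1, 25),
    "newlure.vip": date(2025, 1, 30),
    "shop-example.vip": date(2024, 3, 1),
}

# Constructed "my network" ranges (RFC 1918 space).
MY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Resolution:
    day: date
    client: str   # internal host that issued the query
    qname: str    # normalised query name (lower-case, no trailing dot)
    answer: str   # A record returned


LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) client=(\S+) qname=(\S+) answer=(\S+)$")


def parse_line(line: str):
    """Parse one constructed resolver log line; return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    day, client, qname, answer = m.groups()
    return Resolution(date.fromisoformat(day), client, qname.rstrip(".").lower(), answer)


def in_my_network(ip: str) -> bool:
    """True when ip falls inside one of the constructed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MY_NETWORKS)


def rule_known_ioc(r: Resolution) -> list:
    """Exact match against the published indicator set."""
    tags = []
    if r.qname in KNOWN_BAD_DOMAINS:
        tags.append("known_ioc_domain")
    if r.answer in KNOWN_BAD_IPS:
        tags.append("known_ioc_ip")
    return tags


def rule_young_vip(r: Resolution, max_age_days: int = 15) -> list:
    """'new .vip domain <15 days old resolving in my network': fires when a .vip
    name younger than max_age_days is looked up by a host inside MY_NETWORKS."""
    created = WHOIS_CREATED.get(r.qname)
    if created is None or not r.qname.endswith(".vip") or not in_my_network(r.client):
        return []
    age = (r.day - created).days
    return ["young_vip_domain"] if 0 <= age < max_age_days else []


def evaluate(lines) -> dict:
    """Run every rule over the log; return {qname: sorted tags} for names that matched."""
    alerts = {}
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue  # malformed line: skip rather than crash the pipeline
        tags = rule_known_ioc(r) + rule_young_vip(r)
        if tags:
            alerts.setdefault(r.qname, set()).update(tags)
    return {name: sorted(t) for name, t in alerts.items()}


# Constructed resolver log: one hit on the published IOCs, one young .vip domain,
# one old .vip domain, one benign name and one malformed line.
SAMPLE_LOG = [
    "2025-02-03 client=10.1.2.3 qname=twzfw.vip. answer=103.127.219.121",
    "2025-02-03 client=10.1.2.4 qname=newlure.vip answer=203.0.113.9",
    "2025-02-03 client=10.1.2.5 qname=shop-example.vip answer=198.51.100.7",
    "2025-02-03 client=192.168.7.7 qname=www.example.com answer=93.184.216.34",
    "this line is not a resolver record",
]

if __name__ == "__main__":
    for name, tags in evaluate(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(tags)}")
```

Indicators are stored defanged and refanged only at load time so that a copy of the rule file cannot itself be mistaken for live infrastructure. The age rule deliberately requires all three conditions (young registration, the watched TLD, and a querying host inside the defined ranges), which is what keeps it from firing on every fresh domain the resolver sees.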
Conclusion

The Winos 4.0 campaign shows how blending passive behavior telemetry, aggressive active scanning and dynamic risk scoring can unmask hidden malware infrastructure well before it hits public blocklists. Cypex AIM not only flagged core C2 nodes early but also enriched the IOC set for our clients—shrinking their window of exposure. Reach out for a demo and see how proactive infrastructure monitoring can bolster your defenses.
