A sophisticated threat campaign targeting Windows systems has emerged, leveraging a new strain of malware known as Winos 4.0 to compromise organizations across Taiwan.
The attack, which has been active since January 2025, demonstrates the evolving tactics of cybercriminals who employ social engineering techniques combined with advanced malware deployment strategies to infiltrate corporate networks.
The threat actors behind this campaign have shown remarkable persistence and sophistication in their approach, utilizing phishing emails that masquerade as official communications from Taiwan’s National Taxation Bureau.
These deceptive messages contain malicious attachments designed to trick recipients into downloading and executing the Winos 4.0 malware, which subsequently establishes a foothold in the victim’s system for further exploitation.
Fortinet analysts noted that the campaign has expanded significantly since its initial detection, with researchers identifying multiple attack vectors and payload variations throughout 2025.
The malware demonstrates advanced capabilities including privilege escalation, persistence mechanisms, and communication with command-and-control servers to receive additional instructions and modules.
The attack chain begins with carefully crafted phishing emails that appear to originate from legitimate government agencies or business partners.
These messages typically focus on urgent topics such as tax notifications, pension updates, or invoice processing to create a sense of immediacy that compels recipients to interact with the malicious content.
The emails often contain PDF attachments or HTML files that redirect users to download pages hosting the Winos 4.0 payload packaged within password-protected ZIP files.
The impact of this campaign extends beyond individual system compromise, as the malware is designed to collect sensitive information that can be leveraged for future attacks.
Organizations affected by Winos 4.0 face risks including data theft, unauthorized system access, and potential lateral movement within their networks as attackers establish persistent access points for ongoing surveillance and exploitation.
Advanced Persistence and Evasion Mechanisms
The Winos 4.0 malware demonstrates sophisticated persistence tactics that enable it to maintain long-term access to compromised systems while evading detection by security software.
Once executed, the malware performs several critical operations to establish its presence within the target environment.
The initial payload, distributed through the dokan2.dll component, creates a dedicated thread responsible for decrypting and executing shellcode contained within the dxpi.txt file.
Before proceeding with its malicious activities, the malware employs the ShowWindow function to conceal the executable’s window interface, reducing the likelihood of user detection during the side-loading process.
A particularly noteworthy aspect of the malware’s persistence strategy involves its manipulation of system DLL files. The threat searches for specific files including kernel32.dll and DwhsOqnbdrr.dll by analyzing filename lengths of extracted ZIP file contents.
The filename “DwhsOqnbdrr” is an encoded reference to the ExitProcess function: each letter of the real name is shifted backward one position in the alphabet to obscure its purpose, so shifting each letter forward one position recovers “ExitProcess”.
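As an added illustration (not code from the article or from Fortinet), the decoder below undoes the one-position letter shift and scans the member names of a ZIP attachment for entries that decode to a Windows API export name. The sample archive and the list of API names other than ExitProcess are constructed for the example.

```python
import io
import string
import zipfile

# ExitProcess is the name the article reports; the other entries are
# constructed additions so the check covers more than one export name.
KNOWN_API_NAMES = {"ExitProcess", "LoadLibraryA", "GetProcAddress", "VirtualAlloc"}


def decode_shifted(name: str) -> str:
    """Reverse the backward-by-one alphabet shift used for DwhsOqnbdrr.

    Each letter of the obfuscated name sits one position before the letter
    of the real API name, so decoding shifts every letter forward by one
    (wrapping z -> a) and leaves digits and punctuation untouched.
    """
    out = []
    for ch in name:
        if ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[(string.ascii_lowercase.index(ch) + 1) % 26])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[(string.ascii_uppercase.index(ch) + 1) % 26])
        else:
            out.append(ch)
    return "".join(out)


def find_encoded_api_names(zip_bytes: bytes) -> dict:
    """Map ZIP member names whose stem decodes to a known API name."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            stem = info.filename.rsplit("/", 1)[-1].rsplit(".", 1)[0]
            decoded = decode_shifted(stem)
            if decoded in KNOWN_API_NAMES:
                hits[info.filename] = decoded
    return hits


def build_sample_archive() -> bytes:
    """Constructed stand-in for the attachment: file names only, empty bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("kernel32.dll", "DwhsOqnbdrr.dll", "dokan2.dll", "dxpi.txt", "notes.pdf"):
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_encoded_api_names(build_sample_archive()))  # {'DwhsOqnbdrr.dll': 'ExitProcess'}
```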
The malware establishes registry-based persistence by creating an infection marker at the SOFTWARE\MsUpTas registry key with a State value set to 1.
Additionally, it drops multiple files to the C:\Program Files (x86)\WindowsPowerShell\Update directory, including TaskServer.exe, code.bin, msgDb.dat, and several DLL components that work together to maintain system access.
To achieve the highest privilege levels, Winos 4.0 implements a multi-stage privilege escalation process.
The malware first enables the SeDebugPrivilege to bypass WinLogon access restrictions, then utilizes the ImpersonateLoggedOnUser function to assume SYSTEM privileges, and finally impersonates the TrustedInstaller service thread to obtain maximum system control.
The post Threat Actors Attacking Windows System With New Winos 4.0 Malware appeared first on Cyber Security News.