Cybercriminals disguise themselves as Taiwan’s tax authority to spread Winos 4.0 malware
A sophisticated cyberattack targeting Taiwanese businesses has been uncovered, with threat actors impersonating Taiwan’s tax authority to distribute the Winos 4.0 malware. This campaign, recently discovered by Fortinet’s FortiGuard Labs, is the latest example of cybercriminals leveraging social engineering tactics to infiltrate organizations under the guise of legitimate institutions.
The attack strategy
The attackers behind this campaign employ phishing emails disguised as official tax documents from Taiwan’s tax authority. The emails contain malicious attachments that, when opened, deploy Winos 4.0 malware onto the victim’s system. This malware is designed to evade detection while establishing persistence within the network, allowing attackers to exfiltrate sensitive data and potentially escalate their access.
This method of attack is not new but remains highly effective, as cybercriminals continue refining their tactics. By impersonating government agencies, they exploit the inherent trust users have in official communications, increasing the likelihood of successful infections.
Winos 4.0 malware: a growing threat
Winos 4.0 is a sophisticated strain of malware known for its modular design, enabling attackers to customize its functionality based on their objectives. It supports remote command execution, data theft, and further payload deployment, making it a versatile tool for cyber espionage and financial crimes.
Fortinet’s researchers indicate that this malware is being used in targeted attacks rather than widespread campaigns, suggesting that the threat actors are operating with a strategic focus on high-value targets in Taiwan’s corporate sector.
Discovery and disclosure
Before the public release of this information, researchers shared their findings with Hackread.com, revealing that the campaign was first detected in January 2025 and shortly thereafter deployed. This timeline underscores the need for organizations to adopt proactive security measures without delay.
Attribution and possible threat actors
While no definitive attribution has been made, cybersecurity experts suspect that this campaign may be linked to an advanced persistent threat (APT) group with interests in Taiwan. The use of Winos 4.0, combined with the strategic nature of the attacks, suggests a well-funded operation possibly backed by a nation-state or a highly organized cybercriminal group.
Mitigation and protection strategies
Given the sophistication of this campaign, businesses and government institutions in Taiwan and beyond must take proactive steps to mitigate the risk of infection:
- Employee awareness training: Organizations should educate their employees on phishing tactics and how to verify official communications. Regular cybersecurity training can help employees recognize threats, while phishing simulations provide hands-on experience in identifying and avoiding scams.
- Email security solutions: Deploying robust email filtering systems can help block phishing attempts before they reach inboxes.
- Endpoint protection: Advanced threat detection solutions should be used to identify and mitigate malware before it spreads.
- Zero trust architecture: Implementing a Zero Trust security model can limit the damage an attacker can inflict if they gain access to a network.
The bigger picture
This attack highlights the evolving landscape of cyber threats, where impersonation and targeted malware campaigns remain a preferred strategy for cybercriminals. As Taiwan continues to be a hotspot for cyber espionage and financially motivated attacks, organizations must bolster their defenses and stay ahead of emerging threats.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.