FortiGuard Labs recently observed several targeted phishing campaigns in Taiwan that use themes designed to exploit local business processes. These campaigns disseminate Winos 4.0 (ValleyRat) and subsequent malicious plugins through weaponized attachments or embedded links.
The lures mimic official communications, such as tax audit notifications, tax filing software installers, and cloud-based e-invoice downloads. Fortinet researchers analysis of domain registration data reveals that attackers use a rotating set of domains and cloud services to host and distribute malware. The highly volatile nature of this infrastructure renders traditional, static domain blocking insufficient as a primary defense. Over the past two months, the researchers have identified various delivery techniques, including malicious LNK files used for a downloader.
Read more…
Source: Fortinet
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Attackers have a new way to slip past your MFA
December 3, 2025
Attackers are using a tool called Evilginx to steal session cookies, letting them bypass the need for a multi-factor authentication (MFA) token. Researchers are warning about a rise in cases where this method is used against educational institutions. Evilginx is an attacker-in-the-middle phishing toolkit that sits between you and the real website, relaying the genuine sign-in ...
- A data breach at analytics giant Mixpanel leaves a lot of open questions
December 2, 2025
A cybersecurity incident at analytics provider Mixpanel announced just hours before the U.S. Thanksgiving holiday weekend could set a new standard for how not to announce a data breach. To recap: In a bare bones blog post last Wednesday, Mixpanel chief executive Jen Taylor announced that the company had detected an unspecified security incident on November ...
- Unraveling Water Saci’s New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp
December 2, 2025
Brazil has seen a recent surge of threats delivered via WhatsApp. As observed in Trend Micro previously published research on the SORVEPOTEL malware and the broader Water Saci campaignopen on a new tab, this popular platform has been used to launch sophisticated campaigns. Unsuspecting users receive convincing messages from trusted contacts, often crafted to exploit social ...
- Google patches 107 Android flaws, including two being actively exploited
December 2, 2025
Google has patched 107 vulnerabilities in Android in its December 2025 Android Security Bulletin, including two high-severity flaws that are being actively exploited. The December updates are available for Android 13, 14, 15, and 16. Android vendors are notified of all issues at least a month before publication, but that doesn’t always mean the patches ...
- NHS Highland staff ‘poor practice’ sparks fears of heightened risk of a major cyber attack
December 1, 2025
NHS Highland is at heightened risk of falling prey to a major cyber attack in part due to “poor practice” by some staff members. The warning, contained in a report to the board assessing risk levels faced in a range of areas against what is deemed an acceptable level of risk, comes as the busy ...
- FTC cracks down on education tech company after massive student data breach
December 1, 2025
The Federal Trade Commission took action against Illuminate Education on December 1, 2025, after the Wisconsin-based company suffered a massive data breach that exposed personal information of more than 10 million students. In late December 2021, a hacker used login credentials from a former employee who had left the company three and a half years ...