FortiGuard Labs recently observed several targeted phishing campaigns in Taiwan that use themes designed to exploit local business processes. These campaigns disseminate Winos 4.0 (ValleyRat) and subsequent malicious plugins through weaponized attachments or embedded links.
The lures mimic official communications, such as tax audit notifications, tax filing software installers, and cloud-based e-invoice downloads. Fortinet researchers analysis of domain registration data reveals that attackers use a rotating set of domains and cloud services to host and distribute malware. The highly volatile nature of this infrastructure renders traditional, static domain blocking insufficient as a primary defense. Over the past two months, the researchers have identified various delivery techniques, including malicious LNK files used for a downloader.
Read more…
Source: Fortinet
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- #StopRansomware: Akira Ransomware
November 13, 2025
The United States’ Federal Bureau of Investigation (FBI) and partner organisations are releasing this joint advisory to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third-party reporting as recently as November 2025. Akira ransomware threat actors are associated with other groups known as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, ...
- 1 million victims, 17,500 fake sites: Google takes on toll-fee scammers
November 13, 2025
A Phishing-as-a-Service (PhaaS) platform based in China, known as “Lighthouse,” is the subject of a new Google lawsuit. Lighthouse enables smishing (SMS phishing) campaigns, and if you’re in the US there is a good chance you’ve seen their texts about a small amount you supposedly owe in toll fees. Here’s an example of a toll-fee scam ...
- CISA: Implementation Guidance for Emergency Directive on Cisco ASA and Firepower Device Vulnerabilities
November 12, 2025
CISA has released Emergency Cisco Directive 25-03 Implementation Guidance to assist federal agencies in addressing critical vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices. Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices, issued on Sept. 25, identified known vulnerabilities CVE-2025-20333 and CVE-2025-20362, and mandated immediate action to mitigate risks. Threat actors continue to target ...
- Swedish Authority for Privacy Protection Investigates Data Breach Exposing 1.5 Million People
November 12, 2025
The Swedish Authority for Privacy Protection (IMY) is investigating a data breach at major government software supplier Miljödata that has compromised the personal information of 1.5 million people. Miljödata learned of the breach after experiencing system disruptions that affected government services, and a threat actor approached the company demanding 1.5 Bitcoin to avoid leaking the stolen ...
- UK: NHS providers reviewing stolen data published by cyber criminals
November 11, 2025
Pathology supplier Synnovis is contacting NHS organisations which had data stolen and published online following a major cyber attack last year. Synnovis has now completed its investigation into patient and staff data published online by the cyber criminal gang on 20 June 2024, which includes personal data such as names, NHS numbers, test results and test ...
- You Thought It Was Over? Authentication Coercion Keeps Evolving
November 10, 2025
Imagine a scenario where malicious actors don’t need to trick you into giving up your password. They have no need to perform sophisticated social engineering attacks or exploit vulnerabilities in your operating system.Instead, they can simply force your computer to authenticate to an attacker-controlled system, effectively commanding your machine to hand over valuable credentials. This attack ...