Winos
Winos is a malware ecosystem and associated activity cluster that the tracked reporting describes as overlapping with SilverFox and Gh0stRAT-derived tooling rather than as a cleanly bounded single operator. ThreatBook frames the SilverFox/Winos ecosystem as a malware-as-a-service toolkit with fuzzy actor boundaries; Fortinet describes Winos4.0 as a modular framework rebuilt from Gh0stRAT and used in Silver Fox campaigns. Reporting also notes that Winos 4.0 activity has expanded to Japan and Malaysia with new malware.

The analyzed intrusion is a multi-stage chain delivered through a trojanized Panasonic-themed executable. Early-stage tradecraft includes in-memory decoding of embedded loaders, dynamic API resolution, anti-analysis and anti-security-product checks, patching of ntdll.dll!NtTraceEvent (a common way of blinding ETW-based telemetry), Defender exclusion commands, and an elevated relaunch via runas. Payloads are retrieved with WinINet from Alibaba OSS staging URLs that the loader reconstructs at runtime; the encrypted carrier files observed include a.gif, b.gif, c.gif, d.gif, s.dat, s.jpg, image.png, thumbs.db and drops.jpg.

Later stages rely on signed side-loading hosts: a Tencent UxEnhanceHost/UxEnhance64.dll bundle and, later, a D1IQf1.exe/XPSPLOG.dll cluster, each used to decrypt and manually map additional payloads. Decoding uses RC4 together with a recurring scheme in which a five-byte trailer at the end of the carrier file is combined with an incrementing-XOR pass; the same scheme appears across multiple carrier files. Persistence is a hidden scheduled task created directly over the local Task Scheduler RPC interface (NdrClientCall3 over \pipe\atsvc), so no schtasks.exe command line is generated.

The late-stage component is the Sauron service/backdoor, delivered as rundll32.dat with an export named Edge. It persists under HKCU\SOFTWARE\Sauron, copies itself to C:\Windows\svchost.exe (outside System32, where the legitimate binary lives), creates and starts a service, runs cleanup routines, checks for security tools including 360 products, and carries downloader templates.

Defense-evasion and impact functionality across the chain includes the Defender exclusion logic, code to disable Windows Update, icacls command builders, and, in the D1 phase, telemetry showing cmd.exe /c vssadmin delete shadows /all /quiet (shadow-copy deletion). Known related names directly mentioned in the tracked reporting are SilverFox, Silver Fox, Winos4.0 and Gh0stRAT.
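The indicators above that surface in endpoint telemetry (shadow-copy deletion, Defender exclusion commands, a non-DLL module loaded through rundll32 with an Edge export, svchost.exe running outside System32, the HKCU\SOFTWARE\Sauron key, and Task Scheduler RPC over \pipe\atsvc from an unexpected client) can be checked with a short triage script. The following is an added example written for this page, not code from ThreatBook, Fortinet or any other cited source: the sample events are constructed, the Add-MpPreference cmdlet form of the exclusion and the atsvc client allowlist are assumptions, and the field names follow Sysmon-style records.

```python
import ntpath
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry (not real captures). Field names follow the
# Sysmon process-creation (EID 1), registry (EID 12/13) and pipe (EID 18)
# records a triage script would normally read.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\victim\Downloads\D1IQf1.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\victim\Downloads\D1IQf1.exe",
     "cmdline": 'powershell -c "Add-MpPreference -ExclusionPath C:\\ProgramData"'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\svchost.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\rundll32.dat,Edge"},
    {"type": "process", "image": r"C:\Windows\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\svchost.exe"},
    {"type": "registry", "image": r"C:\Windows\svchost.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Sauron\cfg"},
    {"type": "pipe", "image": r"C:\Users\victim\Downloads\D1IQf1.exe", "pipe": r"\atsvc"},
    # Benign look-alikes that the rules must leave alone.
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "pipe", "image": r"C:\Windows\System32\svchost.exe", "pipe": r"\atsvc"},
]


def rule_shadow_copy_deletion(ev: Event) -> bool:
    # vssadmin delete shadows, as seen in the D1 phase (launched via cmd.exe /c).
    if ev["type"] != "process":
        return False
    cl = ev["cmdline"].lower()
    return "vssadmin" in cl and "delete" in cl and "shadows" in cl


# Assumption: the exclusion is added through the Defender PowerShell cmdlet;
# the profile only says "Defender exclusion commands".
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)

def rule_defender_exclusion(ev: Event) -> bool:
    return ev["type"] == "process" and DEFENDER_EXCLUSION.search(ev["cmdline"]) is not None


# Captures the module path and export name from a rundll32 command line.
RUNDLL32_ARGS = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.I)

def rule_rundll32_non_dll_module(ev: Event) -> bool:
    # rundll32 loading a module whose extension hides what it is (rundll32.dat,Edge,
    # or any of the .gif/.jpg/.png/.db/.dat carrier names).
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\rundll32.exe"):
        return False
    m = RUNDLL32_ARGS.search(ev["cmdline"])
    if not m:
        return False
    ext = ntpath.splitext(m.group(1))[1].lower()
    return ext not in (".dll", ".cpl", ".ocx")


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def rule_svchost_outside_system32(ev: Event) -> bool:
    # The real svchost.exe lives in System32/SysWOW64; Sauron self-copies to C:/Windows/svchost.exe.
    img = ev["image"].lower()
    return ev["type"] == "process" and img.endswith("\\svchost.exe") and not img.startswith(SYSTEM_DIRS)


def rule_sauron_registry_key(ev: Event) -> bool:
    # Sysmon records HKCU as HKU\<SID>, so match the subkey rather than the hive prefix.
    return ev["type"] == "registry" and "\\software\\sauron" in ev["target"].lower()


# Assumption: clients that legitimately talk to the Task Scheduler RPC endpoint.
# Tune against your own baseline before deploying.
ATSVC_CLIENTS = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\schtasks.exe",
    "c:\\windows\\system32\\mmc.exe",
}

def rule_atsvc_pipe_from_unusual_client(ev: Event) -> bool:
    return (ev["type"] == "pipe"
            and ev["pipe"].lower().lstrip("\\") in ("atsvc", "pipe\\atsvc")
            and ev["image"].lower() not in ATSVC_CLIENTS)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("shadow_copy_deletion", rule_shadow_copy_deletion),
    ("defender_exclusion", rule_defender_exclusion),
    ("rundll32_non_dll_module", rule_rundll32_non_dll_module),
    ("svchost_outside_system32", rule_svchost_outside_system32),
    ("sauron_registry_key", rule_sauron_registry_key),
    ("atsvc_pipe_from_unusual_client", rule_atsvc_pipe_from_unusual_client),
]

def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS):
        print(f"[{name}] event {idx}: {SAMPLE_EVENTS[idx]['image']}")
```

Run as-is to see the constructed events scored; in practice, feed it parsed Sysmon or EDR records with the same fields. The atsvc rule is the noisiest and needs baselining against legitimate scheduler clients. The NtTraceEvent patch, the RC4 layer and the five-byte-trailer/incrementing-XOR decoding all happen in memory and never reach these log fields, so they call for memory or sandbox analysis rather than process telemetry.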
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
- Health Care Equipment & Services
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A modular malware ecosystem/framework that tracked reporting associates with SilverFox campaigns, described as Gh0stRAT-derived and used to support staged loaders, side-loading chains, cloud-hosted payload delivery, and modular backdoor deployment.
Winos is expanding operations to Japan and Malaysia, deploying new malware as part of its campaigns.