HoldingHands
HoldingHands is a Windows remote access trojan/backdoor observed in phishing-driven campaigns across China, Taiwan, Japan, and Malaysia in 2024-2025, and historically associated with the Chinese-speaking threat cluster TA4922 alongside Winos4.0/ValleyRAT. Fortinet linked multiple regional campaigns to the same actor through shared infrastructure, obfuscation, Tencent Cloud-hosted lure content, recurring domains, and a common C2 IP of 156.251.17.9 in Taiwan/Japan-related activity. The malware was delivered via phishing emails using PDF, HTML, Word, and Excel lures masquerading as finance, tax, procurement, and government documents; some lures redirected victims to download pages such as twsww[.]xin/download[.]html that served ZIP archives containing signed executables. In later Malaysia activity, the infection chain used a lure executable named "Dokumen audit cukai dan sampel bahan.exe" that loaded a malicious dokan2.dll, which executed staged encrypted components including sw.dat, msvchost.dat, and system.dat. This newer multi-stage flow leveraged Windows Task Scheduler restart behavior and DLL side-loading to reduce forensic artifacts and evade behavior-based detection. Reported behaviors include anti-VM checks, privilege escalation by impersonating a TrustedInstaller service thread, security-product-aware execution logic that stops if Kaspersky avp.exe is present and drops decoy DLLs when Norton or Avast processes are detected, and indirect execution through a malicious TimeBrokerClient.dll loaded by svchost.exe. The final HoldingHands payload was decrypted from system.dat, executed in an active user session using token duplication, and injected into taskhostw.exe, with reinjection if the process terminated. 
Fortinet reported that the payload can impersonate logged-in users, inject code into trusted processes such as taskhostw.exe, and includes an updated C2 task to change its server IP through the registry key HKEY_CURRENT_USER\SOFTWARE\HHClient using the value AdrrStrChar, enabling infrastructure rotation without redeployment. A debug path in one sample referenced D:\Workspace\HoldingHands-develop\HoldingHands-develop\Door\x64\Release\BackDoor.pdb. Fortinet detections cited for related components include XML/Agent.EFA9!tr, W64/ShellcodeRunner.ARG!tr, and W64/Agent.BDN!tr.
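The host artifacts listed above (the staged .dat components, the side-loaded dokan2.dll / TimeBrokerClient.dll, the handle to taskhostw.exe, the HHClient/AdrrStrChar registry value and the 156.251.17.9 C2 address) map cleanly onto a few Sysmon-style hunt rules. The script below is an added example written for this page, not Fortinet's or Mallory's code: the flat event dicts, the sample telemetry and the "user-writable path" heuristic for side-loaded DLLs are assumptions, while the indicator values are taken from the write-up and the access-mask bits are the real Win32 process rights.

```python
"""Hunt for HoldingHands host artifacts in Sysmon-style telemetry.

Added example, not Fortinet's or Mallory's code.  The event shape is a
constructed, simplified Sysmon-like dict; adapt the field names to your
own pipeline.  Indicator values come from the write-up above; the path
and access-mask heuristics are assumptions explained inline.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Indicators named in the write-up.
C2_IP = "156.251.17.9"
REG_KEY_SUFFIX = "\\software\\hhclient"      # HKCU\SOFTWARE\HHClient
REG_VALUE = "adrrstrchar"                     # value name spelled as in the report
STAGED_FILES = {"sw.dat", "msvchost.dat", "system.dat"}
SIDELOADED_DLLS = {"dokan2.dll", "timebrokerclient.dll"}
INJECTION_TARGET = "taskhostw.exe"

# Assumption: the lure EXE and the DLL it side-loads land in a user-writable
# directory; either DLL loaded from there (rather than System32 or a
# Program Files install) is worth a look.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

# Win32 process rights needed to write code into another process and run it:
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE.
INJECT_ACCESS_MASK = 0x0002 | 0x0008 | 0x0020


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every hunt rule the event matches."""
    hits: List[str] = []
    kind = ev.get("type")

    if kind == "registry_set":
        key = ev.get("key", "").lower()
        if key.endswith(REG_KEY_SUFFIX) and ev.get("value", "").lower() == REG_VALUE:
            hits.append("c2_update_registry")          # AdrrStrChar under HHClient

    elif kind == "file_create":
        if _basename(ev.get("path", "")) in STAGED_FILES:
            hits.append("staged_encrypted_component")

    elif kind == "image_load":
        img = ev.get("image", "").lower()
        if _basename(img) in SIDELOADED_DLLS and any(h in img for h in USER_WRITABLE_HINTS):
            hits.append("dll_sideload_from_user_path")

    elif kind == "process_access":
        target = _basename(ev.get("target", ""))
        mask = int(ev.get("granted_access", "0"), 16)
        if target == INJECTION_TARGET and mask & INJECT_ACCESS_MASK:
            hits.append("taskhostw_injection_handle")

    elif kind == "network_connect":
        try:
            if ipaddress.ip_address(ev.get("dst_ip", "")) == ipaddress.ip_address(C2_IP):
                hits.append("known_c2_ip")
        except ValueError:
            pass                                        # malformed address, skip

    return hits


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every event through the rules; return (rule, event_id) pairs."""
    return [(rule, ev["id"]) for ev in events for rule in match_event(ev)]


# Constructed sample telemetry (not real captured events); the registry data
# value uses a documentation-range IP as a placeholder.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "image_load",
     "process": "C:\\Users\\victim\\Downloads\\Dokumen audit cukai dan sampel bahan.exe",
     "image": "C:\\Users\\victim\\Downloads\\dokan2.dll"},
    {"id": "e2", "type": "file_create",
     "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\system.dat"},
    {"id": "e3", "type": "process_access", "source": "C:\\Windows\\System32\\svchost.exe",
     "target": "C:\\Windows\\System32\\taskhostw.exe", "granted_access": "0x1fffff"},
    {"id": "e4", "type": "registry_set", "key": "HKEY_CURRENT_USER\\SOFTWARE\\HHClient",
     "value": "AdrrStrChar", "data": "203.0.113.5"},
    {"id": "e5", "type": "network_connect", "dst_ip": "156.251.17.9", "dst_port": "443"},
    # Benign look-alikes that must not fire:
    {"id": "e6", "type": "image_load", "process": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\TimeBrokerClient.dll"},
    {"id": "e7", "type": "process_access", "source": "C:\\Windows\\System32\\csrss.exe",
     "target": "C:\\Windows\\System32\\taskhostw.exe", "granted_access": "0x1000"},
    {"id": "e8", "type": "registry_set", "key": "HKEY_CURRENT_USER\\SOFTWARE\\HHClient",
     "value": "Other", "data": "1"},
]

if __name__ == "__main__":
    for rule, event_id in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

The negative cases matter as much as the positives: the genuine TimeBrokerClient.dll lives in System32 and is loaded by svchost.exe all day, and plenty of system processes open taskhostw.exe with query-only rights, so the rules key on load path and on write/create-thread access bits rather than on the file or process name alone.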
Groups observed using it
1 distinct threat actor attributed by public researchers.
The actor has been historically associated with malware families including Winos4.0 (sometimes referred to as ValleyRAT) and HoldingHands.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
2 techniques
"Targeting of specific regions (Taiwan, Japan, Malaysia, Southeast Asia) and sectors (finance, government) indicates pre-campaign reconnaissance."
"Adversaries use web-based templates hosted on multiple domains (.vip, .sbs, .xin, etc.) likely after reconnaissance of regional trust sources."
Resource Development
2 techniques
"Multiple domains (e.g., zxp0010w.vip, gjqygs.cn, jpjpz1.cc) registered for phishing distribution."
"Reused or compromised hosting platforms (.sbs, .lol, .cn) to deploy phishing kits."
Initial Access
2 techniques
“Attackers have primarily relied on phishing emails containing infected PDFs… These PDFs carried multiple embedded links - most hosted on Tencent Cloud …”
"HTML pages luring victims to click 'Click to view attachment' button, triggering ZIP/RAR payload download."
Execution
5 techniques
Source: FortiGuard Tracks HoldingHands Malware Shift: Cross-Regional APT Uses Task Scheduler Hijack to Evade Detection
“…the download link is fetched from the JSON data, rather than being stored in the script on the page.”
“…a social engineering lure that masquerades as a tax audit document to convince victims to run it.”
“…redirected victims to a Japanese-language page, prompting a ZIP download. The archive contained an executable deploying HoldingHands …”
Persistence
2 techniques
Source: FortiGuard Tracks HoldingHands Malware Shift: Cross-Regional APT Uses Task Scheduler Hijack to Evade Detection
Privilege Escalation
3 techniques
Source: FortiGuard Tracks HoldingHands Malware Shift: Cross-Regional APT Uses Task Scheduler Hijack to Evade Detection
“…injecting malicious code into trusted processes like taskhostw.exe …”
Stealth
6 techniques
“msvchost.dat Encrypted shellcode… system.dat Encrypted payload… The process name also works as the decryption key…”
“…injecting malicious code into trusted processes like taskhostw.exe …”
“It then duplicates a logged-on user’s access token, allowing the shellcode to impersonate the user’s security context.”
“The EXE carries a legitimate digital signature to evade detection…”
Defense Impairment
2 techniques
“…new C2 task that updates the server IP address via registry entry… Registry key: HKEY_CURRENT_USER\SOFTWARE\HHClient … Value name: AdrrStrChar”
“…used executables bearing legitimate digital signatures to evade detection.”
Discovery
2 techniques
“…identify and respond to installed antivirus software, terminating its activity if Kaspersky is found or dropping decoy DLLs when Norton or Avast is detected.”
Collection
1 technique
"visitor_log.php likely logs user IPs, user-agents, and session details for tracking and targeting metrics."
Command and Control
3 techniques
"Use of visitor_log.php and download.php for communication and payload control over HTTP(S)."
"Centralized infrastructure serving multilingual phishing pages with shared script logic."
“The links refer to webpages hosting the latest malware… victims were tricked into downloading a ZIP that delivered the HoldingHands payload.”
Other
1 technique
IOCs tracked for this family
27 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Mentioned as a malware family historically associated with TA4922, but the report provides no technical detail in this content.
Named malware referenced in the title; described only as malware involved in a task scheduler hijack technique to evade detection.
Multi-stage Windows backdoor/RAT delivered via phishing lures (PDF/Word/HTML) leading to ZIP/EXE droppers and DLL/shellcode stages; uses anti-analysis (anti-VM), privilege escalation via TrustedInstaller thread impersonation, AV process checks, Task Scheduler-based execution, and injects the final payload into user-context processes (e.g., taskhostw.exe). Includes a C2 task to update the C2 IP via the registry (HKCU\SOFTWARE\HHClient).
Remote access trojan used in cross-border phishing campaigns (malicious PDFs/ZIPs) targeting Chinese speakers across Asia. Recent variants use multi-stage execution with Windows Task Scheduler, DLL sideloading/tampered libraries, anti-VM checks, privilege escalation attempts via TrustedInstaller impersonation, AV-aware behavior (halts if Kaspersky is present; drops decoy DLLs for Norton/Avast), process injection (e.g., taskhostw.exe), encrypted shellcode loading, and remote C2 IP updates via Windows registry for persistence/flexibility.