HoldingHands RAT
HoldingHands RAT, also known as Gh0stBins, is a Gh0st RAT-derived remote access trojan attributed in public reporting to the Silver Fox threat actor cluster, also tracked as SwimSnake, UTG-Q-1000, and Void Arachne. It has been used in phishing campaigns targeting users and organizations in Taiwan, Japan, and Malaysia, with lures themed around taxes, invoices, pensions, business communications, and purported official government documents. Reported delivery vectors include phishing emails carrying malicious PDF attachments or ZIP archives, PDF links that redirect victims to download pages, fake landing pages, and infection chains that use executables disguised as official audit or finance-related documents.
Observed infection chains are multi-stage and rely on legitimate executables, shellcode loaders, encrypted shellcode, and DLL sideloading. In one documented chain, the malware dropped files into C:\Windows\System32, including svchost.ini, TimeBrokerClient.dll, msvchost.dat, system.dat, and wkscli.dll, and abused the Task Scheduler recovery mechanism to trigger loading of the malicious DLL. TimeBrokerClient.dll allocated memory for the encrypted shellcode, which, once decrypted, loaded the HoldingHands payload. Intermediate stages were reported to include anti-VM checks, privilege escalation, and termination of security products from Avast, Norton, and Kaspersky, as well as termination of the Task Scheduler itself. In related campaigns, Silver Fox has also been reported using BYOVD with a vulnerable WatchDog Anti-malware driver to disable security software.
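The dropped-file set above gives a defender something concrete to hunt for. The following is an added example (not code from the page or from any vendor report it cites) that runs a small correlation over constructed, Sysmon-style file-create (EventID 11) and image-load (EventID 7) records: it flags a host only when several of the reported artifact names are written directly into C:\Windows\System32, and raises severity when TimeBrokerClient.dll is subsequently loaded from that path after being written. The key=value event format, host names, process paths, and the two-artifact threshold are assumptions; the artifact names themselves are the ones the page lists. Keying on a write plus companion files, rather than on a single DLL name, matters because names such as wkscli.dll and TimeBrokerClient.dll can also belong to ordinary Windows components.

```python
import re
from collections import defaultdict

# Artifact names reported dropped into C:\Windows\System32 in the documented chain (from the page).
HOLDINGHANDS_DROPS = {"svchost.ini", "timebrokerclient.dll", "msvchost.dat", "system.dat", "wkscli.dll"}
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample telemetry (assumption: simplified Sysmon-style key=value lines, not real data).
# WS01 shows the reported drop pattern followed by a load of the written DLL; WS02 shows benign noise.
SAMPLE_EVENTS = [
    "EventID=11 Host=WS01 Image=C:\\Users\\bob\\Downloads\\audit_doc.exe TargetFilename=C:\\Windows\\System32\\svchost.ini",
    "EventID=11 Host=WS01 Image=C:\\Users\\bob\\Downloads\\audit_doc.exe TargetFilename=C:\\Windows\\System32\\TimeBrokerClient.dll",
    "EventID=11 Host=WS01 Image=C:\\Users\\bob\\Downloads\\audit_doc.exe TargetFilename=C:\\Windows\\System32\\msvchost.dat",
    "EventID=7 Host=WS01 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\TimeBrokerClient.dll",
    # WS02: one matching name written by a servicing process (below threshold) and a normal load without a prior write.
    "EventID=11 Host=WS02 Image=C:\\Windows\\servicing\\TrustedInstaller.exe TargetFilename=C:\\Windows\\System32\\wkscli.dll",
    "EventID=7 Host=WS02 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\TimeBrokerClient.dll",
    # WS02: a file named system.dat written outside System32 is not an indicator.
    "EventID=11 Host=WS02 Image=C:\\Program Files\\Editor\\editor.exe TargetFilename=C:\\Users\\bob\\Documents\\system.dat",
]

# Lazy value match up to the next " key=" token, so values containing spaces (e.g. Program Files) survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Parse one key=value event line into a dict."""
    return {k: v for k, v in KV_RE.findall(line)}


def detect_holdinghands(lines, min_artifacts=2):
    """Correlate System32 writes of the reported artifact names per host.

    Returns one alert dict per host that wrote at least `min_artifacts` distinct
    names directly into System32; severity is 'high' if TimeBrokerClient.dll was
    loaded from System32 after being written on that host, else 'medium'.
    """
    writes = defaultdict(set)   # host -> artifact names written into System32
    writers = defaultdict(set)  # host -> processes that performed those writes
    loads = defaultdict(set)    # host -> processes that loaded the written DLL

    for line in lines:
        ev = parse_event(line)
        host = ev.get("Host", "?")
        if ev.get("EventID") == "11":
            path = ev.get("TargetFilename", "").lower()
            name = path.rsplit("\\", 1)[-1]
            # Require the file to sit directly in System32, not a subdirectory.
            if name in HOLDINGHANDS_DROPS and path == SYSTEM32 + name:
                writes[host].add(name)
                writers[host].add(ev.get("Image", ""))
        elif ev.get("EventID") == "7":
            loaded = ev.get("ImageLoaded", "").lower()
            # Only a load that follows an observed write of the DLL counts; a plain load is not evidence.
            if loaded == SYSTEM32 + "timebrokerclient.dll" and "timebrokerclient.dll" in writes.get(host, set()):
                loads[host].add(ev.get("Image", ""))

    alerts = []
    for host, names in writes.items():
        if len(names) >= min_artifacts:
            alerts.append({
                "host": host,
                "severity": "high" if loads.get(host) else "medium",
                "artifacts": sorted(names),
                "writers": sorted(writers[host]),
                "loaded_by": sorted(loads.get(host, ())),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_holdinghands(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input this yields a single high-severity alert for WS01 listing the three written artifacts, the dropping process, and the process that loaded the written DLL; WS02 produces nothing because a lone matching name from a servicing process stays under the threshold and its DLL load had no preceding write.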
HoldingHands RAT communicates with a remote server, sends host information, maintains a heartbeat, and processes attacker commands. Reported capabilities include collecting sensitive information, executing arbitrary commands, downloading additional payloads, updating its C2 address via the Windows Registry, and enabling file-management and remote-desktop functionality through downloaded modules. Fortinet reported a final component named msgDb.dat providing command-and-control functions and collecting user information. The malware family is described as inspired by the leaked 2008 Gh0st RAT source code and has been observed alongside related Silver Fox tooling including Winos 4.0/ValleyRAT and Gh0stCringe.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
References
Silver Fox Expands Winos 4.0 / ValleyRAT and HoldingHands RAT Cyber Attacks to Japan and Malaysia.
The discovery of AtlasCross RAT represents an evolution of the threat actor's arsenal from Gh0st RAT derivatives like ValleyRAT (aka Winos 4.0), Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique: "...phishing emails... malicious attachments embedded in phishing emails."
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced in cited prior reporting as another RAT used in Silver Fox campaigns expanding into Japan and Malaysia.
A Gh0st RAT derivative associated with Silver Fox and cited as part of the malware lineage that evolved toward AtlasCross RAT.
Remote access trojan used in Taiwan-targeted phishing activity attributed to Silver Fox.
HoldingHands RAT is a remote access trojan inspired by Gh0st RAT, capable of connecting to a remote server, sending host information, maintaining persistence, executing attacker commands, capturing sensitive information, running arbitrary commands, and downloading additional payloads. It features anti-VM checks, security product enumeration and termination, privilege escalation, and a mechanism to update its C2 address via the Windows Registry.
The version that knows your environment.
- Match every observed IP, domain, and hash against your live telemetry.
- Named campaigns wielding this family, with evidence pinned to each claim.
- CVEs this family uses for access and lateral movement.
- YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
- Every documented technique, ranked by evidence weight.
- Reddit, Mastodon, and CTI community discussion around this family.