Mallory
Malware · Used by 1 actor

Winos

Winos is a modular remote access Trojan associated with the Silver Fox malware ecosystem. In the provided reporting, it is described as one of the most common Trojans in the Silver Fox family and has been distributed in campaigns active since at least 2024, with Silver Fox activity dating to 2022. Observed delivery relied on phishing and social-engineering lures, including fake Adobe Flash updates and counterfeit software download pages impersonating Google Translate, WPS, currency converters, Easy Translation, Youdao Translation, Bit Browser, and LetsVPN. The campaign used MSI and EXE installer packages, both of which ultimately deployed Winos.

In the analyzed MSI infection chain, the installer loaded aicustact.dll, which was used to load attacker-specified files listed in the MSI Property table. An update.bat script executed a legitimate installation program while also launching a malicious payload. A javaw.exe component established persistence by writing Microsoftdata.exe into the Windows Run registry. Microsoftdata.exe, a Golang binary named to resemble legitimate software, then read Xps.dtd from the same directory; decrypted shellcode from Xps.dtd loaded an embedded PE and transferred execution to its exported run function. Although the final PE contained the PDB string "RexRat4.0.3," researchers assessed the core malware as Winos.

Documented Winos capabilities include modular plug-in support for remote control and data theft, specifically screenshot capture, keylogging, and clipboard theft. The reporting also states that leaked source code such as Winos 4.0 enabled broader reuse and redevelopment by multiple cybercrime groups and some APT actors, including Golden Eye Dog. The malware has been spread through email, phishing websites, instant messaging software, counterfeit software download pages, and SEO-optimized malicious sites. Reported infrastructure associated with the campaign included phishing infrastructure at 192.252.181[.]55 and www.ggfanyi[.]com, and C2 endpoints at 8.218.115[.]90:8080, 8.218.115[.]90:8081, 154.91.66[.]58:8088, 154.91.66[.]58:8089, 103.116.246[.]234:6234, 43.250.174[.]49:1989, 154.222.24[.]214:886, 154.222.24[.]214:668, 206.119.167[.]191:8003, 206.119.167[.]191:8004, 1.94.163[.]46:666, 203.160.55[.]201:1860, 154.94.232[.]242:8888, and 154.94.232[.]242:6666.
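The MSI chain described above (update.bat, javaw.exe writing Microsoftdata.exe into a Run value, Xps.dtd staged beside it) and the C2 endpoints listed in this paragraph translate directly into a host-side hunt. The Python below is an added example, not code from this page or from the Knownsec 404 report it summarises. It assumes Sysmon-style telemetry (EventID 3, 11 and 13 with the field names TargetObject, Details, TargetFilename, DestinationIp and DestinationPort) and runs over constructed sample events; host names, user SIDs and file paths in the sample are hypothetical.

```python
"""Hunt for the Winos MSI infection chain in Sysmon-style events.

Added example, not code from the original page or the report it summarises.
Event layout loosely follows Sysmon (EventID 3/11/13 and the field names
TargetObject, Details, TargetFilename, DestinationIp, DestinationPort); the
sample events at the bottom are constructed, with hypothetical hosts and paths.
"""
import ipaddress
import re
from collections import defaultdict

# C2 endpoints quoted in the reporting, kept defanged as the page writes them.
RAW_C2 = """
8.218.115[.]90:8080 8.218.115[.]90:8081 154.91.66[.]58:8088 154.91.66[.]58:8089
103.116.246[.]234:6234 43.250.174[.]49:1989 154.222.24[.]214:886 154.222.24[.]214:668
206.119.167[.]191:8003 206.119.167[.]191:8004 1.94.163[.]46:666 203.160.55[.]201:1860
154.94.232[.]242:8888 154.94.232[.]242:6666
"""


def refang(token: str) -> str:
    """Turn a defanged indicator such as 8.218.115[.]90 back into 8.218.115.90."""
    return token.replace("[.]", ".").replace("hxxp", "http")


def parse_c2(raw: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' tokens into (ip, port) tuples, rejecting malformed IPs."""
    out = set()
    for tok in raw.split():
        host, _, port = refang(tok).rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on a bad indicator
        out.add((host, int(port)))
    return out


C2 = parse_c2(RAW_C2)

# Matches HKCU/HKU/HKLM Run keys but not RunOnce (trailing backslash).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def run_key_writes(events):
    """EID 13: a Run value whose data points at Microsoftdata.exe (T1547.001)."""
    return [e for e in events if e["EventID"] == 13
            and RUN_KEY_RE.search(e["TargetObject"])
            and "microsoftdata.exe" in e["Details"].lower()]


def payload_dir(run_event):
    """Directory the Run value launches from; Xps.dtd is read from the same place."""
    path = run_event["Details"].strip('"')
    return path.rsplit("\\", 1)[0].lower()


def loader_sidecar(events, directory):
    """EID 11: Xps.dtd created beside Microsoftdata.exe (encrypted shellcode, T1140)."""
    return [e for e in events if e["EventID"] == 11
            and e["TargetFilename"].lower() == directory + "\\xps.dtd"]


def c2_connections(events):
    """EID 3: outbound connection to a reported Winos C2 endpoint (T1071)."""
    return [e for e in events if e["EventID"] == 3
            and (e["DestinationIp"], int(e["DestinationPort"])) in C2]


def hunt(events):
    """Correlate the three stages per host; a host with all three is a strong hit."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["Computer"]].append(e)
    report = {}
    for host, evs in by_host.items():
        runs = run_key_writes(evs)
        report[host] = {
            "run_key": bool(runs),
            "xps_dtd": any(loader_sidecar(evs, payload_dir(r)) for r in runs),
            "c2": bool(c2_connections(evs)),
        }
    return report


SAMPLE_EVENTS = [  # constructed for this example, not taken from the report
    {"Computer": "WS-07", "EventID": 13, "Image": r"C:\ProgramData\Micro\javaw.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Microsoftdata",
     "Details": r"C:\ProgramData\Micro\Microsoftdata.exe"},
    {"Computer": "WS-07", "EventID": 11, "Image": r"C:\ProgramData\Micro\javaw.exe",
     "TargetFilename": r"C:\ProgramData\Micro\Xps.dtd"},
    {"Computer": "WS-07", "EventID": 3, "Image": r"C:\ProgramData\Micro\Microsoftdata.exe",
     "DestinationIp": "8.218.115.90", "DestinationPort": 8080},
    # Benign noise on a second host: a legitimate Run value and a near-miss IP on port 8080.
    {"Computer": "WS-12", "EventID": 13, "Image": r"C:\Program Files\OneDrive\OneDriveSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-4444-5555-6666-1002\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\kim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"Computer": "WS-12", "EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "8.218.115.91", "DestinationPort": 8080},
]

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(host, stages)
```

The Run-key check is keyed on the file name the report gives; in production, widen it to any Run value pointing into ProgramData or AppData and keep the Xps.dtd sibling check as the corroborating signal, since a renamed loader would evade a name-only match while the loader still needs its encrypted payload next to it. The C2 match is exact on ip:port because several of the reported addresses serve more than one port and a port-only or IP-only rule would be noisier.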

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
Golden Eye Dog

Both types ultimately release the Winos Trojan.

Source: Knownsec 404 Team (medium.com)
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1598 Phishing for Information (evidence: 1)

all while using convincing tax authority impersonation lures to gain initial entry.

Resource Development

1 technique
T1608.003 Install Digital Certificate (evidence: 1)

"BadIIS Malware Spreads via SEO Poisoning"; "HiddenGh0st, Winos and kkRAT Exploit SEO"

Initial Access

5 techniques
T1189 Drive-by Compromise (evidence: 1)

When they detect a user clicking anywhere on the page, a prompt indicating an outdated Flash version appears, ultimately redirecting the page to the attacker’s designated download page.

T1195.002 Compromise Software Supply Chain (evidence: 1)

MITRE ATT&CK mapping: Tactic: Initial Access; Technique: Supply Chain Compromise (T1195.002); Notes: Trojanized Chinese software distribution.

T1566 Phishing (evidence: 1)

Since 2022, the Silver Fox cybercrime gang has been active, typically using multiple channels such as email, phishing websites, and instant messaging software to widely spread Trojan viruses.

T1566.001 Spearphishing Attachment (evidence: 1)

The first wave began in January 2025, when Silver Fox sent phishing emails impersonating Taiwan’s national taxation authority. Each email carried a malicious PDF that, once opened, triggered a hidden annotation leading victims to download a ZIP archive.

T1566.002 Spearphishing Link (evidence: 1)

Attackers disguise themselves as Google Translate tools. When they detect a user clicking anywhere on the page, a prompt indicating an outdated Flash version appears, ultimately redirecting the page to the attacker’s designated download page.

Execution

2 techniques
T1059.003 Windows Command Shell (evidence: 1)

The normal installation program was run in update.bat, and malicious payload was also run at the same time.

T1129 Shared Modules (evidence: 1)

After decryption, the core function of the shellcode in Xps.dtd is to load the included PE and jump to the run export function to execute.

Persistence

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

The main function of javaw.exe is to write Microsoftdata.exe (malicious payload) into the run registry to maintain long-term residency.

Privilege Escalation

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

The main function of javaw.exe is to write Microsoftdata.exe (malicious payload) into the run registry to maintain long-term residency.

Defense Evasion

2 techniques
T1036 Masquerading (evidence: 1)

Attackers disguise themselves as Google Translate tools... a counterfeit WPS official download website was also discovered... Microsoftdata.exe increases trustworthiness by mimicking the naming of official programs.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

After running, it reads Xps.dtd in the same directory and loads and executes it: After decryption, the core function of the shellcode in Xps.dtd is to load the included PE and jump to the run export function to execute.

Credential Access

1 technique
T1056.001 Keylogging (evidence: 1)

As one of the most common Trojans of the Silver Fox family, winos has a rich set of functional plug-ins that enable various remote control functions and data theft on the target host, such as: Keyboard log

Collection

3 techniques
T1056.001 Keylogging (evidence: 1)

As one of the most common Trojans of the Silver Fox family, winos has a rich set of functional plug-ins that enable various remote control functions and data theft on the target host, such as: Keyboard log

T1113 Screen Capture (evidence: 1)

As one of the most common Trojans of the Silver Fox family, winos has a rich set of functional plug-ins that enable various remote control functions and data theft on the target host, such as: Screenshot

T1115 Clipboard Data (evidence: 1)

As one of the most common Trojans of the Silver Fox family, winos has a rich set of functional plug-ins that enable various remote control functions and data theft on the target host, such as: Get clipboard data

Command and Control

1 technique
T1071 Application Layer Protocol (evidence: 1)

The stealer ran disguised as a WhatsApp backup application, using the User-Agent WhatsAppBackup/1.0 while communicating with a C2 server at xqwmwru[.]top.

INDICATORS OF COMPROMISE

IOCs tracked for this family

81 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
24 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
54 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
3 tracked

Other indicator types observed in public reporting.
