HoldingHands

"Targeting of specific regions (Taiwan, Japan, Malaysia, Southeast Asia) and sectors (finance, government) indicates pre-campaign reconnaissance."

"Adversaries use web-based templates hosted on multiple domains (.vip, .sbs, .xin, etc.) likely after reconnaissance of regional trust sources."

"Multiple domains (e.g., zxp0010w.vip, gjqygs.cn, jpjpz1.cc) registered for phishing distribution."

"Reused or compromised hosting platforms (.sbs, .lol, .cn) to deploy phishing kits."

“Attackers have primarily relied on phishing emails containing infected PDFs… These PDFs carried multiple embedded links - most hosted on Tencent Cloud …”

"HTML pages luring victims to click 'Click to view attachment' button, triggering ZIP/RAR payload download."

FortiGuard Tracks HoldingHands Malware Shift: Cross-Regional APT Uses Task Scheduler Hijack to Evade Detection

“…the download link is fetched from the JSON data, rather than being stored in the script on the page.”

“…a social engineering lure that masquerades as a tax audit document to convince victims to run it.”

“…redirected victims to a Japanese-language page, prompting a ZIP download. The archive contained an executable deploying HoldingHands …”

“…crafted a malicious DLL with the same name and leveraged Dokany’s control program … to load the malicious dokan2.dll… If any process related to Norton and Avast is found, it drops wkscli.dll, which can be side-loaded…”

FortiGuard Tracks HoldingHands Malware Shift: Cross-Regional APT Uses Task Scheduler Hijack to Evade Detection

“…new C2 task that updates the server IP address via registry entry… Registry key: HKEY_CURRENT_USER\SOFTWARE\HHClient … Value name: AdrrStrChar”

FortiGuard Tracks HoldingHands Malware Shift: Cross-Regional APT Uses Task Scheduler Hijack to Evade Detection

“…injecting malicious code into trusted processes like taskhostw.exe …”

“It then duplicates a logged-on user’s access token, allowing the shellcode to impersonate the user’s security context.”

“msvchost.dat Encrypted shellcode… system.dat Encrypted payload… The process name also works as the decryption key…”

“…injecting malicious code into trusted processes like taskhostw.exe …”

“It then duplicates a logged-on user’s access token, allowing the shellcode to impersonate the user’s security context.”

“The EXE carries a legitimate digital signature to evade detection…”

“…anti-VM, which checks physically installed RAM…”

“…crafted a malicious DLL with the same name and leveraged Dokany’s control program … to load the malicious dokan2.dll… If any process related to Norton and Avast is found, it drops wkscli.dll, which can be side-loaded…”

“…new C2 task that updates the server IP address via registry entry… Registry key: HKEY_CURRENT_USER\SOFTWARE\HHClient … Value name: AdrrStrChar”

“…used executables bearing legitimate digital signatures to evade detection.”

“…anti-VM, which checks physically installed RAM…”

“…identify and respond to installed antivirus software, terminating its activity if Kaspersky is found or dropping decoy DLLs when Norton or Avast is detected.”

"visitor_log.php likely logs user IPs, user-agents, and session details for tracking and targeting metrics."

"Use of visitor_log.php and download.php for communication and payload control over HTTP(S)."

"Centralized infrastructure serving multilingual phishing pages with shared script logic."

“The links refer to webpages hosting the latest malware… victims were tricked into downloading a ZIP that delivered the HoldingHands payload.”

“It enumerates active processes against a list of security products… checks the avp.exe and shuts down if any listed anti-virus process is found. If no anti-virus processes are found, it terminates the Task Scheduler.”