New threat actor, HoldingHands, targeting organizations in Taiwan.

The “HoldingHands” threat actor is part of a broader, ongoing campaign targeting organizations in Taiwan since at least January 2025. The group employs a variety of malware tools, including the HoldingHands Remote Access Trojan (RAT), also known as Gh0stBins, as well as other malware strains such as Winos 4.0 and Gh0stCringe. These tools are often delivered through phishing emails that impersonate official communications from Taiwan’s National Taxation Bureau or other trusted entities, using lures related to taxes, invoices, and pensions to trick recipients into opening malicious attachments.

The attack chain is complex and multi-stage. Attackers typically send emails with attachments or embedded images that, when clicked, lead to the download of ZIP archives containing multiple files: legitimate executables alongside shellcode loaders and encrypted shellcode. The shellcode loaders decrypt and execute the shellcode, which in turn loads malicious DLLs through the legitimate binaries, a technique known as DLL side-loading. Because the malicious code runs inside a trusted, signed process, this approach helps the malware evade detection and execute its payload on the compromised host.
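As a defender-side illustration of the archive pattern described above (a legitimate executable, a DLL to be side-loaded, and an opaque encrypted blob shipped together), here is an added triage script; it is not code from the original post or from any of the researchers cited. It builds a constructed sample ZIP in memory (file names such as `viewer.exe`, `helper.dll` and `data.bin` are invented stand-ins, not indicators from the campaign), classifies each member by PE magic and Shannon entropy, and flags the archive when all three member kinds appear together. The entropy threshold of 7.2 bits per byte is an assumption chosen to separate encrypted or compressed data from text and ordinary code.

```python
import io
import math
import random
import zipfile
from collections import Counter

PE_MAGIC = b"MZ"
# Assumed threshold: encrypted or compressed data sits near 8.0 bits/byte,
# plain text and uncompressed code usually well below 7.
HIGH_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_member(name: str, data: bytes) -> str:
    """Coarse classification of one archive member: exe, dll, opaque-high-entropy or other."""
    lower = name.lower()
    if data.startswith(PE_MAGIC):
        return "dll" if lower.endswith(".dll") else "exe"
    if shannon_entropy(data) >= HIGH_ENTROPY_THRESHOLD:
        return "opaque-high-entropy"
    return "other"


def triage_archive(zip_bytes: bytes) -> dict:
    """Classify every file in a ZIP and report whether the
    'executable + DLL + encrypted blob' side-loading bundle pattern is present."""
    classes = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            classes[info.filename] = classify_member(info.filename, zf.read(info))
    kinds = set(classes.values())
    suspicious = {"exe", "dll", "opaque-high-entropy"} <= kinds
    return {"members": classes, "suspicious": suspicious}


def build_sample_archive(include_blob: bool = True) -> bytes:
    """Constructed sample archive for demonstration: minimal PE-looking stubs plus a
    seeded pseudo-random blob standing in for encrypted shellcode. Not real malware."""
    rng = random.Random(1)
    stub = PE_MAGIC + b"\x90" * 64 + b"This program cannot be run in DOS mode."
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("viewer.exe", stub)          # stands in for the legitimate host binary
        zf.writestr("helper.dll", stub)          # stands in for the side-loaded DLL
        if include_blob:
            # High-entropy bytes mimic an encrypted payload file.
            zf.writestr("data.bin", bytes(rng.getrandbits(8) for _ in range(4096)))
        zf.writestr("readme.txt", b"Invoice details attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, kind in triage_archive(build_sample_archive())["members"].items():
        print(f"{member:12s} -> {kind}")
    print("suspicious:", triage_archive(build_sample_archive())["suspicious"])
```

The heuristic is deliberately coarse: it is a triage filter for mail-gateway or sandbox pipelines, meant to surface archives worth detonating or inspecting by hand, not a verdict. A real deployment would add checks such as Authenticode verification of the EXE and a comparison of the DLL's export table against the names the host binary imports.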

Once installed, the malware—such as the HoldingHands RAT—establishes command-and-control (C2) communication, enabling the attackers to collect user information, manage files, and even gain remote desktop capabilities. The group continuously evolves its malware and distribution strategies, making detection and defense more challenging.

Security researchers have noted that both HoldingHands RAT and Gh0stCringe are variants of the well-known Gh0st RAT, which has been widely used by Chinese hacking groups. The campaign has been associated with the Silver Fox APT (Advanced Persistent Threat), a China-based group known for its sophisticated cyber espionage activities.

In summary, the HoldingHands campaign is characterized by its stealthy, “pickpocket” approach—stealing sensitive data from Taiwanese organizations through advanced phishing and malware techniques, with the intent to use this information for future, potentially more damaging attacks.