EXECUTIVE SUMMARY:
A coordinated malicious campaign has been expanding across several Asian regions, using phishing emails and multi-stage payloads to compromise Windows systems. The attackers employ convincing lures—such as official-looking financial or government documents—to trick users into opening infected attachments that initiate the infection chain. These attachments download and execute secondary payloads designed for persistence and further compromise. The campaign’s sophistication lies in its structured delivery sequence and its focus on credential theft and remote access. The HoldingHands payload serves as the final stage of infection, acting as a core component that provides the attackers with full control over compromised systems. The campaign’s spread across countries like Taiwan, Japan, and Malaysia suggests organized and regionally focused targeting, rather than random opportunistic attacks.
The infection process begins when victims open phishing attachments that drop signed executables to bypass detection. These executables deploy loader components disguised as legitimate libraries, which decrypt and execute the HoldingHands payload. Once active, the malware performs credential harvesting, privilege escalation, and command execution while maintaining persistence through scheduled tasks and registry modifications. It employs process injection to hide its activity inside legitimate Windows processes and includes anti-analysis techniques such as sandbox detection and antivirus process checks. The HoldingHands payload operates as a modular post-infection tool that connects to remote command servers over encrypted web protocols, allowing attackers to issue commands, exfiltrate data, and reconfigure its behavior dynamically.
This campaign showcases a blend of phishing, stealthy persistence, and multi-layered payload delivery. The HoldingHands payload enables attackers to maintain long-term access, steal credentials, and execute arbitrary commands across infected systems. The campaign’s regional expansion highlights the growing professionalism and coordination of cybercrime actors operating in Asia. Defenders are advised to strengthen email security, monitor scheduled task creation and registry changes, and implement behavioral detection to identify process injection and unusual outbound communications. A layered defense and continuous threat intelligence sharing remain essential to mitigate this evolving malicious campaign.
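As an added illustration of the monitoring advice above (this is not part of the original advisory), the following Python correlation runs over constructed Windows Security 4698 (scheduled task created) and Sysmon event 13 (registry value set) and event 3 (network connection) records: it flags persistence registered from user-writable paths and outbound web connections from the same image. The field names, host names, paths and sample events are assumptions, not real telemetry from this campaign.

```python
import re
from collections import defaultdict

# Locations a standard user can write to; persistence pointing here deserves a look.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata|users\\[^\\]+\\downloads|programdata|windows\\temp)\\", re.I)
# Registry autostart locations (Run / RunOnce) under HKLM or HKU.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

def is_user_writable(path):
    return bool(USER_WRITABLE.search(path))

def detect(events):
    """Correlate persistence events with outbound web traffic per host.
    Returns a list of (host, rule, image) findings in event order."""
    findings = []
    persisted = defaultdict(set)  # host -> lower-cased images that registered persistence
    # Pass 1: persistence. Two passes so an outbound connection logged before the
    # persistence event still correlates.
    for ev in events:
        img = ev.get("image", "")
        if ev["source"] == "Security" and ev["id"] == 4698:
            if is_user_writable(img):
                findings.append((ev["host"], "scheduled_task_user_writable", img))
            persisted[ev["host"]].add(img.lower())
        elif ev["source"] == "Sysmon" and ev["id"] == 13 and RUN_KEY.search(ev.get("target", "")):
            if is_user_writable(img):
                findings.append((ev["host"], "run_key_user_writable", img))
            persisted[ev["host"]].add(img.lower())
    # Pass 2: outbound HTTP/HTTPS from an image that established persistence on the same host.
    for ev in events:
        if ev["source"] == "Sysmon" and ev["id"] == 3 and ev.get("dst_port") in (80, 443):
            img = ev.get("image", "")
            if img.lower() in persisted[ev["host"]]:
                findings.append((ev["host"], "outbound_from_persisted_image", img))
    return findings

# Constructed sample events (hypothetical hosts, paths and addresses; not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-02", "source": "Sysmon", "id": 3, "image": r"C:\Program Files\Browser\browser.exe",
     "dst": "198.51.100.7", "dst_port": 443},
    {"host": "ws-01", "source": "Security", "id": 4698, "task": r"\Updater",
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"host": "ws-01", "source": "Sysmon", "id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"host": "ws-02", "source": "Security", "id": 4698, "task": r"\Backup",
     "image": r"C:\Program Files\Backup\backup.exe"},
    {"host": "ws-01", "source": "Sysmon", "id": 3, "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "dst": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for host, rule, image in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {image}")
```

Only ws-01 is reported: the vendor backup task on ws-02 lives under Program Files and the browser never registered persistence, so neither trips a rule.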
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055 | Process Injection | — |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1218 | System Binary Proxy Execution | — |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details: