Winos 4.0 Malware
Cybersecurity researchers have revealed a malware campaign that deploys fake software installers, masquerading as popular tools like LetsVPN and QQ Browser, to deliver the Winos 4.0 framework.
The campaign, which Rapid7 first identified in February 2025, employs a multi-stage, memory-resident loader known as Catena.
“Catena embeds shellcode and uses configuration switching logic to stage payloads like Winos 4.0 entirely in memory, allowing it to bypass traditional antivirus tools,” security researchers Anna Širokova and Ivan Feigl explained. “Once installed, it quietly connects to attacker-controlled servers — primarily hosted in Hong Kong — to retrieve follow-up instructions or additional malware.”
Much like earlier incidents involving Winos 4.0, these attacks appear to target Chinese-speaking environments specifically. The cybersecurity company emphasized the “careful, long-term planning” demonstrated by a highly skilled threat actor.
Trend Micro first publicly documented Winos 4.0 (also known as ValleyRAT) in June 2024, noting its use in attacks against Chinese-speaking users via malicious Windows Installer (MSI) files disguised as VPN apps. The company linked this activity to a threat cluster it tracks as Void Arachne, also referred to as Silver Fox.
Since then, additional campaigns have used gaming-related applications — such as installation tools, speed boosters, and optimization utilities — as bait to trick users into installing the malware. Another wave of attacks, reported in February 2025, targeted entities in Taiwan using phishing emails that claimed to be from the National Taxation Bureau.
Built on the framework of the well-known remote access trojan Gh0st RAT, Winos 4.0 is an advanced malicious platform written in C++. It utilizes a plugin-based system to harvest data, enable remote shell access, and execute distributed denial-of-service (DDoS) attacks.
QQBrowser-Based Infection Flow Observed in February 2025
Rapid7 reported that all artifacts flagged in February 2025 used NSIS installers bundled with signed decoy apps, shellcode embedded in “.ini” files, and reflective DLL injection. These elements work together to covertly maintain persistence on infected hosts and evade detection. Researchers have dubbed the entire infection chain “Catena.”
“So far, the campaign has remained active throughout 2025, demonstrating a consistent infection chain with a few tactical adjustments — a clear sign of a capable and adaptive threat actor,” the researchers noted.
How it works
The infection begins with a trojanized NSIS installer posing as a legitimate installer for QQBrowser, a Chromium-based web browser developed by Tencent. This installer is designed to deliver Winos 4.0 using the Catena framework. Once active, the malware communicates with hard-coded command-and-control (C2) infrastructure over TCP port 18856 and HTTPS port 443.
From LetsVPN Installer to Winos 4.0 in April 2025
The malware maintains persistence on the host by registering scheduled tasks that execute weeks after the initial compromise. Although the malware includes a built-in check for Chinese language settings on the system, it still proceeds with execution even if those settings are absent.
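One way for a defender to hunt for this delayed persistence is to compare when a scheduled task was created with when its first time-based trigger actually fires. The following is an added example, not code from Rapid7 or from the article: it parses Task Scheduler XML (the format of exported tasks and of the "Task Content" field in Windows Security event 4698) and flags tasks whose first StartBoundary is far in the future. The task names, timestamps, XML and the 7-day threshold are all constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Namespace used by Task Scheduler XML (exported tasks, and the "Task Content"
# field of Windows Security event 4698, "A scheduled task was created").
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def task_start_delay(task_xml: str, created_at: datetime) -> Optional[timedelta]:
    """Return the gap between task creation and the earliest time-based trigger,
    or None when the task has no StartBoundary (e.g. logon-only triggers)."""
    root = ET.fromstring(task_xml)
    starts = [
        datetime.fromisoformat(node.text.strip())
        for node in root.iterfind(".//t:StartBoundary", TASK_NS)
        if node.text
    ]
    if not starts:
        return None
    return min(starts) - created_at


def flag_delayed_tasks(tasks: List[Tuple[str, datetime, str]],
                       min_delay: timedelta = timedelta(days=7)) -> List[Tuple[str, int]]:
    """tasks: (task_name, creation_time, task_xml). Returns (name, days_of_delay)
    for tasks whose first trigger fires at least min_delay after creation.
    The 7-day threshold is an assumption chosen here, not a value from the report."""
    flagged = []
    for name, created_at, xml in tasks:
        delay = task_start_delay(xml, created_at)
        if delay is not None and delay >= min_delay:
            flagged.append((name, delay.days))
    return flagged


# Constructed sample data: task names, times and XML are made up for this example.
_NS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
SAMPLE_TASKS = [
    # Fires about three weeks after creation: the pattern described in the report.
    ("\\Example\\DelayedLoader", datetime(2025, 4, 10, 14, 32),
     f'<Task version="1.2" {_NS}><Triggers><TimeTrigger>'
     '<StartBoundary>2025-05-01T09:00:00</StartBoundary><Enabled>true</Enabled>'
     '</TimeTrigger></Triggers></Task>'),
    # Ordinary daily job starting minutes after creation: not flagged.
    ("\\Example\\DailyCleanup", datetime(2025, 4, 10, 14, 35),
     f'<Task version="1.2" {_NS}><Triggers><CalendarTrigger>'
     '<StartBoundary>2025-04-10T15:00:00</StartBoundary>'
     '<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>'
     '</CalendarTrigger></Triggers></Task>'),
    # Logon trigger with no StartBoundary: no time delay to measure.
    ("\\Example\\OnLogon", datetime(2025, 4, 10, 14, 36),
     f'<Task version="1.2" {_NS}><Triggers><LogonTrigger>'
     '<Enabled>true</Enabled></LogonTrigger></Triggers></Task>'),
]

if __name__ == "__main__":
    for name, days in flag_delayed_tasks(SAMPLE_TASKS):
        print(f"{name}: first trigger {days} days after creation")
```

On a live host the creation time comes from the event timestamp (or `RegistrationInfo/Date` in exported XML) and the XML from `schtasks /query /xml` or the 4698 event body; a long gap between the two is unusual for legitimate software and is cheap to review.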
This incomplete language check suggests the feature is unfinished and will likely be completed in future versions of the malware. Meanwhile, in April 2025, Rapid7 observed a “tactical shift” that not only altered parts of the Catena execution chain but also introduced new methods to evade antivirus detection.
In the updated attack sequence, the NSIS installer masquerades as a setup file for LetsVPN and executes a PowerShell command that adds Microsoft Defender exclusions for all drives (C:\ to Z:). It then deploys additional payloads, including an executable that captures a snapshot of running processes and scans for those associated with 360 Total Security, an antivirus solution from Chinese vendor Qihoo 360.
The binary carries a digital signature issued by VeriSign under the name Tencent Technology (Shenzhen), though the certificate expired on 2018-10-11 and was valid until 2020-02-02.
This executable primarily performs reflective DLL loading, allowing it to connect to a command-and-control (C2) server — either “134.122.204[.]11:18852” or “103.46.185[.]44:443” — to retrieve and run the Winos 4.0 malware.
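The whole-drive Defender exclusions in the LetsVPN chain above leave a clear trace in PowerShell script block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log). The following is an added detection example, not code from Rapid7 or the article: it scans ScriptBlockText values for `Add-MpPreference -ExclusionPath` and flags blocks that exclude several drive roots at once. The sample script blocks and the threshold of three drive roots are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample ScriptBlockText values, modelled on the behaviour the
# report describes (whole-drive exclusions) plus benign admin activity.
SAMPLE_SCRIPT_BLOCKS = [
    'Add-MpPreference -ExclusionPath "C:\\","D:\\","E:\\","F:\\" -Force',
    "Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor\\App'",
    "Get-MpPreference | Select-Object ExclusionPath",
]

ADD_MP_RE = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
# Capture the -ExclusionPath argument up to the next parameter, statement
# separator or end of line. Values may be quoted and comma-separated.
EXCL_PATH_RE = re.compile(
    r"-ExclusionPath\s+(.+?)(?=\s+-[A-Za-z]|\s*[;|]|\s*$)",
    re.IGNORECASE | re.MULTILINE)
# A bare drive letter with optional trailing backslash, e.g. C: or C:\
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")


def parse_exclusion_paths(script: str) -> List[str]:
    """Extract the individual paths passed to -ExclusionPath."""
    paths = []
    for m in EXCL_PATH_RE.finditer(script):
        raw = m.group(1).strip()
        if raw.startswith("@(") and raw.endswith(")"):   # array literal form
            raw = raw[2:-1]
        for item in raw.split(","):
            item = item.strip().strip("\"'").strip()
            if item:
                paths.append(item)
    return paths


def assess_script_block(script: str, drive_threshold: int = 3) -> Dict:
    """Score one script block. A whole-drive exclusion is unusual on its own;
    several at once matches the campaign behaviour. The threshold of 3 drive
    roots is an assumption chosen for this example."""
    if not ADD_MP_RE.search(script):
        return {"suspicious": False, "drive_roots": [], "paths": []}
    paths = parse_exclusion_paths(script)
    # Normalise "c:" / "C:\" to "C:\" so duplicates collapse.
    roots = sorted({p.upper().rstrip("\\") + "\\" for p in paths if DRIVE_ROOT_RE.match(p)})
    return {"suspicious": len(roots) >= drive_threshold, "drive_roots": roots, "paths": paths}


def scan_script_blocks(blocks: List[str]) -> List[Dict]:
    return [assess_script_block(b) for b in blocks]


if __name__ == "__main__":
    for block, verdict in zip(SAMPLE_SCRIPT_BLOCKS, scan_script_blocks(SAMPLE_SCRIPT_BLOCKS)):
        print(verdict["suspicious"], verdict["drive_roots"], block[:50])
```

Text matching only catches literal paths; a loop that builds `"$d`:\"` from a variable would slip past it. Pair this with Defender's own configuration-change event (5007 in Microsoft-Windows-Windows Defender/Operational) and a periodic `Get-MpPreference` export, which show the resulting exclusion list regardless of how it was set.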
“This campaign illustrates a well-coordinated, regionally focused malware operation that leverages trojanized NSIS installers to silently deploy the Winos 4.0 stager,” the researchers noted.
“It heavily relies on memory-resident payloads, reflective DLL injection, and decoy software signed with legitimate certificates to remain undetected. Infrastructure overlaps and language-based targeting strongly suggest a connection to the Silver Fox APT, with ongoing activity likely aimed at Chinese-speaking environments.”
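The article names concrete network indicators for both chains: TCP 18856 and HTTPS 443 for the QQBrowser variant, and the two endpoints listed for the LetsVPN variant. The following is an added example, not code from Rapid7 or the article, of matching those indicators against connection logs: it refangs the endpoints exactly as printed above, treats an exact host:port match as high confidence, and treats the campaign's non-standard ports alone as medium confidence (bare port 443 is far too common to alert on). The log format and sample lines are constructed for this example; the non-C2 addresses use documentation ranges.

```python
import re
from ipaddress import ip_address
from typing import List, Optional, Tuple

# C2 endpoints exactly as the page prints them (defanged).
DEFANGED_C2 = ["134.122.204[.]11:18852", "103.46.185[.]44:443"]
# Non-standard ports the page attributes to the campaign: 18856 (QQBrowser
# chain) and 18852 (LetsVPN chain). A bare 443 is too common to alert on.
WATCH_PORTS = {18856, 18852}


def refang(ioc: str) -> Tuple[str, int]:
    """Turn '1.2.3[.]4:443' into ('1.2.3.4', 443), validating the address."""
    host, port = ioc.replace("[.]", ".").rsplit(":", 1)
    return str(ip_address(host)), int(port)


C2_ENDPOINTS = {refang(i) for i in DEFANGED_C2}

# Constructed key=value connection log format; adapt the regex to your
# firewall export or Zeek conn.log fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)")


def classify(line: str) -> Optional[str]:
    m = LINE_RE.match(line)
    if not m:
        return None
    dst, dport = m["dst"], int(m["dport"])
    if (dst, dport) in C2_ENDPOINTS:
        return "high"      # exact match on a published C2 endpoint
    if dport in WATCH_PORTS:
        return "medium"    # campaign port on an unlisted host: worth a look, not proof
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, 'dst:port', verdict) for every line that matches."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            m = LINE_RE.match(line)
            hits.append((m["ts"], m["dst"] + ":" + m["dport"], verdict))
    return hits


# Constructed sample log; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2025-04-12T10:01:02Z src=10.0.0.15 dst=134.122.204.11 dport=18852 proto=tcp",
    "2025-04-12T10:01:09Z src=10.0.0.15 dst=103.46.185.44 dport=443 proto=tcp",
    "2025-04-12T10:02:11Z src=10.0.0.22 dst=198.51.100.7 dport=18856 proto=tcp",
    "2025-04-12T10:02:30Z src=10.0.0.22 dst=203.0.113.9 dport=443 proto=tcp",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for ts, endpoint, verdict in scan(SAMPLE_LOG):
        print(ts, endpoint, verdict)
```

Keeping the indicators in defanged form and refanging at load time makes the list safe to copy from reports and easy to diff; medium hits on 18856/18852 are a prompt to pivot on the destination host, not an alert on their own.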
Source: TheHackerNews