Cybersecurity researchers have disclosed malware campaigns that use fake software installers that deliver the WINOS 4.0 framework under the guise of popular tools such as LetSVPN and QQ browsers.
This campaign was first detected by Rapid7 in February 2025 and includes the use of a multi-stage memory resident loader called Catena.
“Catena uses embedded shellcode and configuration switching logic to completely use step-by-step payloads like Winos 4.0 for memory and bypass traditional antivirus tools.” “Once installed, it quietly connects to an attacker-controlled server (which is primarily hosted in Hong Kong) and receives follow-up instructions or additional malware.”
The attack appears to be particularly focused on Chinese-speaking environments, as it invokes “careful and long-term planning” by highly capable threat actors, similar to those who have deployed Winos 4.0 in the past.
Winos 4.0 (aka Valleyrat) was first published by Trend Micro in June 2024 as it was used in an attack targeting Chinese-speaking users using the VPN app’s malicious Windows Installer (MSI) file. This activity is attributed to a threat cluster that tracks it as a void arachne, also known as Silver Fox.
Subsequent campaigns to distribute malware utilize Rivals to trick users into installing game-related applications such as installation tools, speed boosters and optimization utilities. Another wave of attack targeting Taiwanese entities via phishing emails from the National Tax Agency in February 2025.
Built on top of the foundations of a known remote access trojan called Gh0st rat, Winos 4.0 is a highly malicious framework written in C++ that uses a plug-in-based system to collect data, provide remote shell access, and launch distributed denial of service (DDOS) attacks.
QQBrowser-based infection flow observed in February 2025
Rapid7 said all artifacts flagged in February 2025 rely on signed decoy apps, shellcodes embedded in “.ini” files, and NSIS installers bundled with reflexive DLL injections to secretly maintain the persistence of infected hosts and avoid detection. Monica catenas are given throughout the infection chain.
“This campaign has been active throughout 2025 and shows a consistent infection chain with some tactical adjustments. It refers to a capable and adaptive threat actor,” the researcher said.
The starting point is a Trojanized NSIS installer that impersonates the installer of the QQ browser, a Chromium-based web browser developed by Tencent, designed to use Catena to provide Winos 4.0. The malware communicates with the hard coding code and command and control (C2) infrastructure over TCP port 18856 and HTTPS port 443.
From LetSVPN installer in April 2025 to Winos 4.0
Host persistence is achieved by registering scheduled tasks that run several weeks after the initial compromise. The malware has explicit checks to find Chinese settings on your system, but even if it’s not, the execution is still in progress.
This indicates that it is an unfinished feature and is what is expected to be implemented in subsequent iterations of malware. That said, Rapid7 said in April 2025 that it not only switched some elements of the Catena execution chain, but also identified a “tactical change” that also incorporates features to avoid antivirus detection.
In the improved attack sequence, the NSIS installer impersonates it as a LetSVPN setup file and runs a PowerShell command that adds Microsoft Defender exclusion to all drives (C:\ to z:\). It then takes a snapshot of the processes associated with 360 Total Security, an antivirus product developed by Chinese vendor Qihoo 360, and drops additional payloads containing the executable to run the process and check.
The binary is signed with an expired certificate issued by Verisign and is said to belong to Tencent Technology (Shenzhen). It was valid from 2018-10-11 to 2020-02-02. The main responsibility of an executable is to reflectively load the DLL file that connects to the C2 server (“134.122.204[.]11:18852 “or” 103.46.185[.]44:443″) To download and run Winos 4.0.
“This campaign demonstrates well-organized, locally focused malware operations to quietly drop Winos 4.0 stagers using the Trojanized NSIS installer,” the researchers said.
“We are leaning heavily towards decoy software signed with legitimate certificates to avoid memory residents payloads, reflective DLL loads, and alarm rise. There are Silver Fox APTs targeting infrastructure duplication and language-based targets, and activities targeting Chinese environments.”
Source link
