CyberSecurity news
@cyberinsider.com
Cybersecurity researchers have uncovered a sophisticated malware campaign distributing the Winos 4.0 framework through trojanized installers of popular applications such as LetsVPN and QQBrowser. The campaign, active since February 2025, primarily targets Chinese-speaking environments and showcases careful, long-term planning by a capable threat actor. The attackers use fake software installers to trick users into installing the malware, which grants remote access to compromised systems.
The Winos 4.0 malware is delivered using a multi-layered infection chain called the Catena loader. This loader employs multi-stage reflective loaders and in-memory payload delivery techniques to evade traditional antivirus tools. The infection process begins with seemingly legitimate NSIS installers bundled with signed decoy applications and malicious components like shellcode embedded in ".ini" files and reflective DLLs. This modular approach allows the attackers to adapt quickly to detection pressures, as observed in the evolution of tactics from February to April 2025.
Once installed, Winos 4.0 connects to attacker-controlled servers, predominantly hosted in Hong Kong, to receive follow-up instructions or additional malware. The malware framework, built atop the foundations of Gh0st RAT, is written in C++ and utilizes a plugin-based system to harvest data, provide remote shell access, and launch distributed denial-of-service (DDoS) attacks. This campaign highlights the ongoing risk posed by trojanized software and emphasizes the importance of verifying software sources to prevent malware infections.
References:
- cyberinsider.com: Trojanized LetsVPN Installers Drop Stealthy Winos v4.0 Malware
- cyberpress.org: Winos 4.0 Threat Actors Disguise Malware as VPN and QQBrowser
- gbhackers.com: Winos 4.0 Malware Masquerades as VPN and QQBrowser to Target Users
- The Hacker News: Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware
- Secure Bulletin: Secure Bulletin documents anatomy of the Winos 4.0 campaign
- securebulletin.com: Anatomy of the Winos 4.0 campaign
Classification:
- HashTags: #malware #trojan #winos
- Company: LetsVPN
- Target: VPN Users
- Attacker: Rapid7
- Product: LetsVPN
- Feature: memory-resident stager
- Malware: Winos v4.0
- Type: Malware
- Severity: HighRisk