Winos 4.0 Malware Spread Via Fake Installers

May 27, 2025
Reading Time: 3 mins read
in Alerts
Cybersecurity researchers have uncovered a new malware delivery campaign that uses fake software installers masquerading as popular legitimate tools, including counterfeit versions of LetsVPN and QQ Browser. The primary goal is to deliver the Winos 4.0 malware framework onto victim systems. Security firm Rapid7 first detected the campaign in February 2025. Like previous Winos 4.0 deployments, the attacks appear to focus on Chinese-speaking environments, targeting that indicates careful long-term planning by a capable threat actor. The malware aims to steal sensitive user data without triggering typical security alerts.

The campaign relies on a multi-stage, memory-resident malware loader named Catena. Catena uses embedded shellcode and configuration-switching logic to stage payloads such as the Winos 4.0 framework entirely within the computer's memory, a technique that helps it evade many traditional antivirus tools. Once installed, Winos 4.0 quietly connects to attacker-controlled remote servers; these command-and-control servers are reportedly mostly hosted in the Hong Kong special administrative region. Winos 4.0, also known as ValleyRAT, was first publicly documented by Trend Micro in June 2024, when it was used in attacks targeting Chinese-speaking users. That activity has been attributed to a threat cluster known as Void Arachne.

Winos 4.0 is an advanced malicious framework written primarily in C++ and built on the foundations of the known remote access trojan Gh0st RAT. It uses a plugin-based system to perform functions such as data harvesting, remote shell access and distributed denial-of-service (DDoS) attacks. The February 2025 QQ Browser campaign relied on NSIS installers bundled with decoys; these installers carried shellcode in ".ini" files and used reflective DLL injection to maintain persistence on infected hosts while avoiding detection. An April 2025 tactical shift moved to fake LetsVPN installers for malware delivery. This newer version added Microsoft Defender exclusions for all drives using a PowerShell command, and it also checked for processes belonging to 360 Total Security, a Chinese antivirus product.

The LetsVPN variant used a binary signed with an old, expired VeriSign digital certificate that allegedly belongs to Tencent Technology of Shenzhen, China. The binary's main responsibility is to reflectively load a malicious DLL into memory; that DLL in turn connects to a command-and-control server to download Winos 4.0. The campaign shows a well-organized, regionally focused malware operation built on trojanized installers, leaning heavily on memory-resident payloads, reflective DLL loading and signed decoy software. Persistence on the host is achieved by registering scheduled tasks that execute weeks later. Winos 4.0 also explicitly checks for Chinese language settings on the compromised system. Infrastructure overlaps and the language-based targeting strongly hint at ties to the Silver Fox APT.
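Two of the host-side traces described above, whole-drive Microsoft Defender exclusions and scheduled tasks registered to fire weeks later, can be audited with the following PowerShell script. This is an added example, not code from the article or from Rapid7's report; the drive-root regex, the seven-day delay threshold and the list of user-writable directories are assumptions chosen for illustration, and the cmdlets used are the standard Defender and ScheduledTasks modules shipped with Windows.

```powershell
# Added defensive audit (illustration only, not from the article or Rapid7's report).
# Surfaces two indicators the campaign leaves on a host:
#   1. Defender path exclusions that cover an entire drive root.
#   2. Scheduled tasks whose first trigger lies days or weeks in the future,
#      or whose action runs a program from a user-writable directory.
# The regex, day threshold and directory list are assumptions for this example.

# Assumption: a whole-drive exclusion looks like "C:\", "D:" or "E:\*".
$DriveRootPattern = '^[A-Za-z]:\\?\*?$'

function Get-WholeDriveDefenderExclusions {
    $pref = Get-MpPreference
    foreach ($path in @($pref.ExclusionPath)) {
        if ($path -match $DriveRootPattern) {
            [pscustomobject]@{ Indicator = 'WholeDriveExclusion'; Detail = $path }
        }
    }
}

function Get-DelayedOrUserWritableTasks {
    param(
        [int]$MinDelayDays = 7,   # assumption: a first run this far out deserves a look
        [string[]]$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                                    $env:PUBLIC, 'C:\ProgramData')
    )
    $now = Get-Date
    foreach ($task in Get-ScheduledTask) {
        # StartBoundary is the ISO-8601 timestamp string taken from the task XML.
        foreach ($trigger in @($task.Triggers)) {
            $start = [datetime]::MinValue
            if ($trigger.StartBoundary -and
                [datetime]::TryParse($trigger.StartBoundary, [ref]$start) -and
                ($start - $now).TotalDays -ge $MinDelayDays) {
                [pscustomobject]@{
                    Indicator = 'DelayedFirstRun'
                    Detail    = "$($task.TaskPath)$($task.TaskName) first runs $($start.ToString('u'))"
                }
            }
        }
        # Execute holds the program path for exec-type actions.
        foreach ($action in @($task.Actions)) {
            $exe = $action.Execute
            if (-not $exe) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
            foreach ($dir in $UserWritable) {
                if ($dir -and $exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    [pscustomobject]@{
                        Indicator = 'TaskRunsFromUserWritablePath'
                        Detail    = "$($task.TaskPath)$($task.TaskName) -> $exe $($action.Arguments)"
                    }
                    break
                }
            }
        }
    }
}

# Run both checks and print a table; an empty table means nothing matched.
@(Get-WholeDriveDefenderExclusions) + @(Get-DelayedOrUserWritableTasks) | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since Get-MpPreference and the full task list require administrator rights. Legitimate software also registers future-dated tasks and vendor-approved exclusions, so treat the output as a triage list rather than a verdict: a whole-drive exclusion with no change-control record, or a delayed task whose executable sits under a temp or profile directory, is the combination worth escalating.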

Reference:

  • Winos 4.0 Malware Deployed Via Fake Software Installers And Catena In Memory Loader
Tags: Cyber Alerts, Cyber Alerts 2025, Cyberattack, Cybersecurity, May 2025
    © 2025 | CyberMaterial | All rights reserved