Cybersecurity researchers have uncovered a new, sophisticated malware delivery campaign that uses fake software installers masquerading as popular legitimate tools, among them counterfeit versions of LetsVPN and QQ Browser. The primary goal is to deliver the Winos 4.0 malware framework onto victim systems. Security firm Rapid7 first detected the campaign in February 2025. The attacks, like previous Winos 4.0 deployments, appear to focus on Chinese-speaking environments; this targeting indicates careful, long-term planning by a capable threat actor. The malware aims to steal sensitive user data without triggering typical security alerts.
The campaign relies on a multi-stage, memory-resident malware loader named Catena. Catena uses embedded shellcode and configuration-switching logic to stage payloads, and it deploys payloads such as the Winos 4.0 framework entirely within the computer’s memory. This technique helps it evade many traditional antivirus tools. Once Winos 4.0 is installed, it quietly connects to attacker-controlled remote servers; these command-and-control servers are reportedly hosted mostly in the Hong Kong special administrative region. Winos 4.0, also known as ValleyRAT, was first publicly documented by Trend Micro in June 2024, when it was used in attacks targeting Chinese-speaking users. That activity has been attributed to a threat cluster known as Void Arachne.
Winos 4.0 is an advanced malicious framework written primarily in C++ and built on the foundations of the well-known remote access trojan Gh0st RAT. It uses a plugin-based system to perform functions such as data harvesting, remote shell access, and distributed denial-of-service (DDoS) attacks. The February 2025 QQ Browser campaign relied on NSIS installers bundled with decoys; these installers carried shellcode in “.ini” files and used reflective DLL injection to covertly maintain persistence on infected hosts and avoid detection. In April 2025 the operators shifted tactics, delivering the malware through fake LetsVPN installers. This newer version added Microsoft Defender exclusions for all drives using a PowerShell command, and it also checked for processes related to 360 Total Security, a Chinese antivirus product.
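As an added defensive example that is not part of the report above, the following Python scans PowerShell script-block log lines (constructed samples in an Event ID 4104 style, not real telemetry) for Microsoft Defender exclusion changes and flags any that exclude an entire drive root, the behaviour attributed to the LetsVPN variant. The log format and cmdlet switch names it parses are assumptions for the sample.

```python
import re
from typing import Dict, List

# Constructed sample script-block log entries, not taken from the report.
# The third line mimics the described behaviour: every drive root excluded
# from Defender scanning in a single PowerShell command.
SAMPLE_LOGS = [
    "4104 Creating Scriptblock text: Get-ChildItem C:\\Users",
    "4104 Creating Scriptblock text: Add-MpPreference -ExclusionPath 'C:\\Tools\\build'",
    "4104 Creating Scriptblock text: Add-MpPreference -ExclusionPath 'C:\\','D:\\','E:\\' -Force",
    "4104 Creating Scriptblock text: Set-MpPreference -ExclusionProcess 'notepad.exe'",
]

# Cmdlets that change Defender preferences, and the exclusion switches they take.
MP_CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_ARG = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+([^-][^\n]*?)(?=\s+-|$)", re.IGNORECASE
)
# A bare drive letter with optional trailing backslash, e.g. C: or C:\
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def parse_exclusions(line: str) -> Dict[str, List[str]]:
    """Return {switch: [values]} for every Defender exclusion set on this line."""
    if not MP_CMDLET.search(line):
        return {}
    found: Dict[str, List[str]] = {}
    for kind, raw in EXCLUSION_ARG.findall(line):
        # Values are comma-separated and may be single- or double-quoted.
        values = [v.strip().strip("'\"") for v in raw.split(",")]
        found[kind.lower()] = [v for v in values if v]
    return found


def classify(line: str) -> str:
    """'critical' if a whole drive is excluded, 'suspicious' for any other
    exclusion change, 'benign' if the line does not touch Defender settings."""
    exclusions = parse_exclusions(line)
    if not exclusions:
        return "benign"
    if any(DRIVE_ROOT.match(p) for p in exclusions.get("path", [])):
        return "critical"
    return "suspicious"


def scan(lines: List[str]) -> List[tuple]:
    """Return (severity, line) for every line that is not benign."""
    return [(classify(l), l) for l in lines if classify(l) != "benign"]


if __name__ == "__main__":
    for severity, line in scan(SAMPLE_LOGS):
        print(f"[{severity}] {line}")
```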
The LetsVPN variant used a binary signed with an old, expired VeriSign digital certificate that allegedly belongs to Tencent Technology of Shenzhen, China. The binary’s main job is to reflectively load a malicious DLL into memory; that DLL in turn connects to a command-and-control server to download Winos 4.0. Taken together, the campaign is a well-organized, regionally focused malware operation built on trojanized installers, memory-resident payloads, reflective DLL loading, and signed decoy software. Persistence on the host is achieved by registering scheduled tasks that execute weeks later, and Winos 4.0 explicitly checks for Chinese language settings on the compromised system. Infrastructure overlaps and this language-based targeting strongly hint at ties to the Silver Fox APT.