
Researchers from Rapid7 have revealed an ongoing malware campaign that tricks users into installing Winos 4.0, a powerful and stealthy remote access tool. The attackers use fake versions of popular applications like LetsVPN and QQ Browser to carry out the infection.
This campaign was first discovered in February 2025, and it involves a complex loader system called Catena, which hides the malware in memory to avoid being detected by antivirus programs.
Catena Loader Used to Hide Winos 4.0
According to Rapid7 researchers Anna Širokova and Ivan Feigl, Catena is a multi-stage loader that uses embedded shellcode and smart logic to switch configurations. This technique allows the malware to run directly in memory, making it hard for traditional security tools to detect.
Once installed, the malware secretly connects to attacker-controlled servers—most of them located in Hong Kong—to receive further commands or download more malicious files.
This attack targets Chinese-speaking users, and researchers believe it’s the work of a well-organized and highly skilled threat group.
Winos 4.0
Winos 4.0, also known as ValleyRAT, was first reported by cybersecurity firm Trend Micro in June 2024. It’s a malware framework built on the well-known Gh0st RAT and is written in C++. It comes with several powerful features:
Remote shell access for controlling infected systems
Data theft tools
DDoS attack capabilities
Plugin support to add more malicious features
The malware is known to use malicious Windows Installer (MSI) files, often disguised as VPN software installers, to trick victims into installing it.
Security researchers have linked the malware to a threat group known as Void Arachne, also referred to as Silver Fox, which is believed to be based in Asia.
How the Fake Installers Work
In past campaigns, attackers have also used gaming-related tools such as fake speed boosters or system optimization utilities to lure users. In another campaign from February 2025, phishing emails claiming to be from the Taiwan National Taxation Bureau were used to target users in Taiwan.
In all cases, the infection process followed a similar pattern:
The victim downloads a fake software installer.
The installer launches a signed decoy application (to appear legitimate).
At the same time, it injects hidden shellcode from .ini files using reflective DLL injection.
The malware achieves persistence on the system and silently communicates with command-and-control (C2) servers.
The loader, Catena, has been consistent across different versions of the campaign throughout 2025, although attackers have made slight changes over time to improve their evasion techniques.
Infection Chain
One version of the attack uses a trojanized NSIS (Nullsoft Scriptable Install System) installer that looks like an official installer for QQ Browser, a Chromium-based browser from Tencent.
The malware communicates with hardcoded C2 servers using TCP port 18856 and HTTPS port 443, ensuring secure and stealthy data transmission.
Once the malware infects a system, it creates scheduled tasks that may not activate until weeks later, increasing the chances that the initial infection goes unnoticed.
Interestingly, the malware checks whether the device is using the Chinese language, although it still runs even if the language is different. This suggests that future versions may become more selective in targeting only certain regions.

Rapid7 observed a major shift in tactics in April 2025. The attackers began disguising their malware as a LetsVPN installer. This version adds Microsoft Defender exclusions across all system drives (from C:\ to Z:) using a PowerShell script, effectively turning off protection for the malware.
Additional payloads are also dropped, including a suspicious executable file that:
Takes a snapshot of active processes
Checks for antivirus tools like 360 Total Security
Uses an expired digital certificate from VeriSign, which falsely claims to belong to Tencent Technology (Shenzhen)
This executable then reflectively loads a malicious DLL, which connects to a remote server at either:
134.122.204[.]11:18852 or 103.46.185[.]44:443
From there, the final Winos 4.0 payload is downloaded and activated.
“This campaign shows a well-organized, regionally focused malware operation using trojanized NSIS installers to quietly drop the Winos 4.0 stager,” said the researchers.
The attackers rely heavily on:
Memory-resident payloads
Reflective DLL loading
Signed decoy applications
Expired but legitimate-looking certificates
All of these methods help the malware avoid detection. Based on infrastructure overlaps and the focus on Chinese-speaking users, researchers believe this activity is strongly tied to the Silver Fox APT group.
The Winos 4.0 malware campaign highlights how attackers are evolving their methods to avoid detection and target specific regions. By using fake but convincing software installers and advanced stealth tactics, the threat actors behind this campaign are posing serious risks—especially to Chinese-speaking users.
Users should always download software from trusted sources, avoid clicking links in unsolicited emails, and keep their security software up to date. For organizations, monitoring unusual activity and reviewing scheduled tasks can help detect hidden threats like Winos 4.0.
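As an added defender's check (not part of the Rapid7 report or this article), the PowerShell below audits a Windows host for the two artefacts described above: Defender exclusions that cover whole drive roots (C:\ through Z:\) and scheduled tasks whose first run is deferred well into the future. The function names are assumptions; it relies only on the built-in Defender and ScheduledTasks modules and should be run from an elevated prompt.

```powershell
# Added example, not code from the campaign or the Rapid7 report.
# Assumes the Defender and ScheduledTasks modules (Windows 10/11, Server 2016+).

function Get-DriveRootExclusions {
    # A Defender path exclusion for a bare drive root (e.g. "C:\") is almost
    # never legitimate; the LetsVPN-themed installer adds one per drive letter.
    $prefs = Get-MpPreference
    $roots = @()
    foreach ($path in @($prefs.ExclusionPath | Where-Object { $_ })) {
        if ($path -match '^[A-Za-z]:\\?$') { $roots += $path }
    }
    return $roots
}

function Get-DeferredTasks {
    param([int]$MinDaysAhead = 7)
    # Tasks whose first trigger lies days or weeks ahead: the campaign's
    # scheduled tasks may stay dormant for weeks to outlast initial triage.
    $now = Get-Date
    $found = @()
    foreach ($task in Get-ScheduledTask) {
        foreach ($trigger in @($task.Triggers | Where-Object { $_ })) {
            if (-not $trigger.StartBoundary) { continue }
            try { $start = [datetime]::Parse($trigger.StartBoundary) } catch { continue }
            if (($start - $now).TotalDays -ge $MinDaysAhead) {
                $actions = $task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }
                $found += [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    StartsAt = $start
                    Action   = ($actions -join '; ')
                }
            }
        }
    }
    return $found
}

$roots = Get-DriveRootExclusions
if ($roots) {
    Write-Warning "Drive-root Defender exclusions present: $($roots -join ', ')"
} else {
    Write-Host "No drive-root Defender exclusions found."
}

$deferred = Get-DeferredTasks -MinDaysAhead 7
if ($deferred) {
    Write-Warning "Scheduled tasks with a first run 7+ days out (review each action):"
    $deferred | Format-Table -AutoSize
} else {
    Write-Host "No deferred scheduled tasks found."
}
```

Any hit should be triaged against change records, since legitimate deployment tooling occasionally stages future-dated tasks; a drive-root exclusion, by contrast, warrants immediate investigation and removal via Remove-MpPreference.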