Cybersecurity researchers have uncovered a stealthy malware campaign that uses trojanized software installers posing as popular apps such as LetsVPN and QQ Browser to deliver Winos 4.0, a memory-resident malware framework.
The campaign, first observed by Rapid7 in February 2025, centers on a multi-stage loader called Catena, which stages and executes payloads entirely in memory, making it difficult for traditional antivirus software to detect.
“Catena uses embedded shellcode and logic switching to deploy Winos 4.0 in memory while bypassing standard security tools,” said researchers Anna Širokova and Ivan Feigl. Once deployed, it connects to attacker-controlled servers, mainly based in Hong Kong, to receive further commands or additional payloads.
Targeted and Evolving Attacks
This campaign, much like earlier Winos 4.0 deployments, appears focused on Chinese-speaking environments, showing signs of careful and long-term coordination by a sophisticated threat actor.
Winos 4.0—also known as ValleyRAT—was first documented by Trend Micro in mid-2024, linked to attacks using malicious VPN installer files to compromise Chinese-speaking users. These activities have been attributed to Void Arachne, also known as Silver Fox.
Later versions of the malware used gaming-related utilities as bait, including fake installers and performance tools. A wave of attacks in February 2025 targeted victims in Taiwan, using phishing emails impersonating the National Taxation Bureau.
Winos 4.0, written in C++, is based on Gh0st RAT and features a plugin-based architecture that provides data harvesting, remote shell access, and DDoS capabilities.
Infection Flow: From Decoy Software to Full Compromise
Artifacts analyzed in February relied on NSIS installers bundled with signed decoy applications, shellcode hidden inside .ini files, and reflective DLL injection for stealthy persistence. This sequence, dubbed Catena, forms a consistent infection chain that later samples repeat with only minor tactical variations.
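Because the chain parks its shellcode in .ini files, one practical triage step is to scan an unpacked installer directory for .ini files whose bytes do not look like a text configuration. The script below is an added example written for this article, not code from Rapid7 or from the campaign; the entropy and printable-ratio thresholds are assumed heuristics, and the two .ini files it scans are constructed on the fly so the block runs offline.

```powershell
# Added example, not from the Rapid7 report: flag .ini files that look like
# packed binary rather than text configuration, which is where the Catena chain
# is reported to hide its shellcode. Thresholds are assumed heuristics.

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    $len = [double]$Bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $len
            $entropy -= $p * [math]::Log($p, 2)
        }
    }
    return $entropy
}

function Test-SuspiciousIni {
    param([string]$FilePath, [double]$EntropyThreshold = 6.5, [int]$MinSize = 4096)
    $bytes = [System.IO.File]::ReadAllBytes($FilePath)
    if ($bytes.Length -eq 0) {
        return [pscustomobject]@{ File = $FilePath; Size = 0; Entropy = 0; Printable = 1; Suspect = $false }
    }
    # Sample the first 64 KiB: shellcode blobs are dense, real INI files are ASCII text.
    $n = [math]::Min($bytes.Length, 65536)
    $sample = $bytes[0..($n - 1)]
    $entropy = Get-ShannonEntropy -Bytes $sample
    $printableCount = 0
    foreach ($b in $sample) {
        if (($b -ge 0x20 -and $b -le 0x7E) -or $b -in 9, 10, 13) { $printableCount++ }
    }
    $printable = $printableCount / [double]$n
    [pscustomobject]@{
        File      = $FilePath
        Size      = $bytes.Length
        Entropy   = [math]::Round($entropy, 2)
        Printable = [math]::Round($printable, 2)
        # Small files are ignored: a few hundred bytes of real settings can still score oddly.
        Suspect   = ($bytes.Length -ge $MinSize) -and ($entropy -ge $EntropyThreshold -or $printable -lt 0.9)
    }
}

# Constructed demo inputs (not campaign artifacts): a benign ini and one filled with random bytes.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'catena-ini-demo'
New-Item -ItemType Directory -Force -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'app.ini') -Value ("[settings]`r`n" + ("key=value`r`n" * 600))
$blob = New-Object byte[] 8192
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($blob)
[System.IO.File]::WriteAllBytes((Join-Path $demo 'config.ini'), $blob)

# For real use, point -Path at the directory an installer was unpacked into.
Get-ChildItem -Path $demo -Filter *.ini -Recurse |
    ForEach-Object { Test-SuspiciousIni -FilePath $_.FullName } |
    Format-Table -AutoSize
```

The random-filled config.ini scores near 8 bits of entropy with a low printable ratio and is flagged; the repetitive app.ini scores low on both and passes. Packed or encrypted shellcode will also fail the printable test even when its entropy is lowered by padding, which is why both measures are combined.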
Initial infection begins when a user runs a trojanized installer for QQ Browser, Tencent's Chromium-based browser. Once launched, the malware contacts hard-coded C2 servers over TCP port 18856 and over HTTPS on port 443.
In April 2025, Rapid7 identified a tactical evolution: the NSIS installer was disguised as a LetsVPN setup file, ran a PowerShell command to add Microsoft Defender exclusions, and dropped payloads that inspected running processes.
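A loader that adds Defender exclusions leaves two traces a responder can check: the exclusion list itself and the configuration-change events Defender writes when it is modified. The script below is an added example for this article, not Rapid7's code or the campaign's; the list of "broad" path patterns it flags is an assumed heuristic. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the Rapid7 report): audit Microsoft Defender exclusions
# and recent exclusion changes, the class of change the LetsVPN-themed installer
# is described as making through PowerShell. Run in an elevated session.

# Broad entries (drive roots, profile or temp folders) give a loader an unscanned
# place to stage payloads. These patterns are an assumed heuristic, not campaign signatures.
$broadPatterns = @('^[A-Za-z]:\\?$', '\\Users\\?$', '\\Temp\\?$', '\\AppData\\?$', '\\ProgramData\\?$')

function Get-DefenderExclusionAudit {
    $prefs = Get-MpPreference
    $findings = [System.Collections.Generic.List[object]]::new()
    foreach ($path in @($prefs.ExclusionPath)) {
        if (-not $path) { continue }
        $isBroad = [bool]($broadPatterns | Where-Object { $path -match $_ })
        $findings.Add([pscustomobject]@{ Type = 'Path'; Value = $path; Broad = $isBroad })
    }
    foreach ($proc in @($prefs.ExclusionProcess)) {
        if ($proc) { $findings.Add([pscustomobject]@{ Type = 'Process'; Value = $proc; Broad = $false }) }
    }
    foreach ($ext in @($prefs.ExclusionExtension)) {
        if ($ext) { $findings.Add([pscustomobject]@{ Type = 'Extension'; Value = $ext; Broad = $false }) }
    }
    return $findings
}

# Defender logs every configuration change as Event ID 5007 in its Operational log.
# The message names the registry value that changed, so exclusion edits can be
# filtered out and matched against the installer's execution time.
function Get-DefenderExclusionChanges {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\' } |
        ForEach-Object {
            $newValue = ($_.Message -split "`r?`n" | Where-Object { $_ -match 'New value' }) -join ' '
            [pscustomobject]@{ Time = $_.TimeCreated; Change = $newValue.Trim() }
        }
}

Get-DefenderExclusionAudit | Sort-Object Broad -Descending | Format-Table -AutoSize
Get-DefenderExclusionChanges -Days 30 | Format-Table -Wrap
```

An exclusion covering an entire drive, added within seconds of a browser or VPN "installer" starting, is the pattern to look for; the 5007 events give the timestamps to line up against process-creation telemetry.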
One of the dropped executables checked for the presence of 360 Total Security, an antivirus by Qihoo 360. The malware used a binary signed with an expired VeriSign certificate allegedly issued to Tencent Technology (Shenzhen), originally valid from October 2018 to February 2020.
This executable then reflectively loaded a DLL that connected to remote C2 infrastructure at 134.122.204[.]11:18852 and 103.46.185[.]44:443 to download and execute Winos 4.0.
A Regionally Focused, Stealthy Operation
“This campaign reflects a highly organized, regionally focused operation,” said the researchers.
The malware leans on in-memory payloads, reflective DLL loading, and signed decoy software to avoid detection. Targeting indicators and overlapping infrastructure suggest a strong link to Silver Fox APT, with a clear focus on Chinese-speaking regions.
As Winos 4.0 continues to evolve, researchers warn of its potential to be used in broader regional espionage and cyber disruption campaigns, especially given its adaptive tactics and stealthy design.