Cybersecurity experts have uncovered a malware campaign that uses fake software installers to secretly install the Winos 4.0 malware framework on victims’ devices. The attackers disguise the malware as popular applications like LetsVPN and QQ Browser.
Catena Loader Used to Evade Detection
Researchers from Rapid7 first discovered the campaign in February 2025. It uses a tool called Catena, a memory-based loader that hides malicious code from antivirus software.
“Catena uses shellcode and switching logic to deliver malware like Winos 4.0 entirely in memory,” said researchers Anna Širokova and Ivan Feigl. “Once installed, the malware connects to attacker-controlled servers, many of which are located in Hong Kong, to receive further instructions.”
The attacks mainly target Chinese-speaking users and appear to be carefully planned by a skilled group.
Background on Winos 4.0
Winos 4.0, also known as ValleyRAT, was first reported in June 2024 by Trend Micro. It is linked to a group called Void Arachne, also known as Silver Fox. The malware is based on an older remote access trojan called Gh0st RAT and is written in C++.
Winos 4.0 includes a plugin system that allows it to steal data, open remote shells, and carry out distributed denial-of-service (DDoS) attacks. It has been spread in the past using fake VPN apps and gaming-related software installers.
How the Attack Works
The malware is delivered through trojanized NSIS installers that appear to be from trusted applications like QQ Browser. These installers are bundled with signed decoy apps and hidden shellcode inside “.ini” files. They also use reflective DLL injection to stay hidden on infected systems.
Once installed, the malware communicates with command-and-control (C2) servers over TCP port 18856 and HTTPS port 443. To remain persistent, it sets up scheduled tasks that run weeks after the initial infection.
Although the malware checks for Chinese language settings on the computer, it still runs even if those settings are not found. Researchers believe this feature is not fully finished and may be completed in future versions.
Recent Changes in Attack Tactics
In April 2025, Rapid7 noticed changes in the malware’s behavior. The NSIS installer began pretending to be a LetsVPN setup file. It runs a PowerShell command to disable Microsoft Defender by excluding all drives from scanning.
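As an added defender-side illustration (not code from Rapid7 or from this article), the following Python flags the kind of change described above: a Microsoft Defender exclusion that covers an entire drive. It parses the message text of Defender Operational log Event ID 5007 ("configuration has changed"); the sample lines are constructed for this example, and the assumption is that the message carries the new exclusion as "New value: HKLM\...\Exclusions\Paths\<path> = 0x0".

```python
import re

# Constructed sample messages (not taken from the report) in the shape of
# Defender Operational log Event ID 5007. The first two mimic an installer
# adding whole drives to the scan exclusions, the third is a normal per-folder
# exclusion, and the fourth removes an exclusion rather than adding one.
SAMPLE_EVENTS = [
    r"Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\ = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. Old value:  New value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Legit\ = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. Old value: "
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Temp\ = 0x0 New value: ",
]

# Only the "New value:" side records an exclusion being added (assumed message shape).
NEW_EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    r"(?P<path>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)
# A bare drive letter, with or without a trailing backslash or "\*", covers the whole volume.
DRIVE_WIDE_RE = re.compile(r"^[A-Za-z]:(\\\*?)?$")


def extract_new_exclusions(messages):
    """Return the exclusion paths that the given 5007 messages report as added."""
    found = []
    for msg in messages:
        match = NEW_EXCLUSION_RE.search(msg)
        if match:
            found.append(match.group("path").strip())
    return found


def is_drive_wide(path):
    """True when the exclusion switches off scanning for an entire drive."""
    return DRIVE_WIDE_RE.match(path.strip()) is not None


def find_drive_wide_exclusions(messages):
    """Exclusions worth alerting on: anything that blinds Defender to a whole drive."""
    return [p for p in extract_new_exclusions(messages) if is_drive_wide(p)]


if __name__ == "__main__":
    for path in find_drive_wide_exclusions(SAMPLE_EVENTS):
        print(f"ALERT: whole-drive Defender exclusion added: {path}")
```

The same check can be run live against the current configuration by comparing the output of PowerShell's Get-MpPreference ExclusionPath property against the drive-root pattern.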
The installer also drops an executable that scans for running antivirus software, especially 360 Total Security by Qihoo 360. This executable is signed with an expired certificate that appears to be from Tencent Technology (Shenzhen).
The main purpose of this executable is to load a DLL file that contacts a C2 server (such as 134.122.204[.]11:18852 or 103.46.185[.]44:443) and installs Winos 4.0.
Advanced Threat Actor Behind the Campaign
Security researchers say the malware campaign is highly organized and targets specific regions. It uses fake installers, memory-resident code, and signed decoy software to avoid detection.
“This campaign shows a well-organized, regionally focused malware operation using trojanized NSIS installers to quietly drop the Winos 4.0 stager,” Rapid7 said. “It relies on memory-based payloads, reflective DLL loading, and signed decoys to avoid triggering antivirus alerts.”
The language targeting and server infrastructure suggest links to the Silver Fox advanced persistent threat (APT) group, with a continued focus on Chinese-speaking environments.