New Malware Campaign Uses Fake Software Installers to Deploy Winos 4.0 Framework
Cybersecurity experts at Rapid7 have uncovered a sophisticated malware campaign that uses counterfeit installers for popular applications such as LetsVPN and QQ Browser to deliver the Winos 4.0 remote access framework. The campaign, active since at least February 2025, leverages a multi-stage, memory-resident loader known as Catena to execute its payloads while evading traditional antivirus solutions.

Researchers Uncover Stealthy Catena Loader Campaign Distributing Winos 4.0 Malware in Chinese-Speaking Regions
According to Rapid7 researchers Anna Širokova and Ivan Feigl, Catena executes embedded shellcode and configuration logic to load the Winos 4.0 framework directly into memory. Once active, the malware communicates with command-and-control (C2) servers primarily located in Hong Kong, receiving further instructions or additional malicious components.
Regional Focus and Long-Term Strategy
The campaign appears highly targeted toward Chinese-speaking users, reflecting what researchers describe as deliberate, long-term planning by a skilled and persistent threat actor. The underlying malware, Winos 4.0 (also known as ValleyRAT), was first documented in 2024 by Trend Micro and has been linked to the Void Arachne (aka Silver Fox) threat cluster.
Past campaigns have disguised the malware as VPN tools, gaming utilities, and system optimizers, tricking users into unknowingly launching the infection chain. In early 2025, similar phishing attacks impersonated Taiwan’s National Taxation Bureau.
Technical Overview
Winos 4.0 is a C++-based malware framework built upon Gh0st RAT, featuring a modular plugin architecture. It supports:
- Data harvesting
- Remote shell access
- DDoS capabilities
The infection begins with trojanized NSIS installers, which include:
- A signed decoy app
- Shellcode embedded in .ini files
- Reflective DLL injection
This infection process, codenamed Catena, ensures malware is stealthily loaded into memory, maintaining persistence while avoiding static detection.
Infection Flow: February to April 2025
- In February 2025, Rapid7 observed Catena distributing Winos 4.0 via fake QQ Browser installers.
- The malware communicated via TCP port 18856 and HTTPS port 443 with hard-coded C2 servers.
- Scheduled tasks delayed execution by weeks post-compromise, hinting at long-term infection strategies.
- Although the malware checks for Chinese language settings, it continues execution regardless, suggesting an unfinished targeting filter.
By April 2025, the attackers updated their tactics:
- A new LetsVPN-based NSIS installer was used.
- It disabled Microsoft Defender via PowerShell by adding exclusions for all drives (C:\ through Z:\).
- It deployed a signed executable with an expired VeriSign certificate (previously registered to Tencent Technology).
- This binary checked for antivirus tools like 360 Total Security, then reflectively loaded a DLL to initiate communication with C2 endpoints such as:
  - 134.122.204[.]11:18852
  - 103.46.185[.]44:443
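The whole-drive Defender exclusions described above leave a loud trace on the endpoint: every exclusion added (whether through PowerShell or directly in the registry) is written under the Defender Exclusions\Paths registry key, and Microsoft Defender Antivirus records the configuration change as Event ID 5007 in its Operational log. The following detection sketch is an added example and is not part of the Rapid7 research or of any vendor tooling. It assumes the events have been exported to text in a constructed "timestamp host eventid message" layout; the message body is modelled on the real 5007 wording, but the hostnames, timestamps and the single benign exclusion are constructed for the example. It flags hosts that exclude several bare drive roots within a short window, which is the pattern this campaign produces, while ignoring ordinary directory-level exclusions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. The "New value: HKLM\...\Exclusions\Paths\<path> = 0x0"
# fragment mirrors what Defender Event ID 5007 reports when a path exclusion is added;
# the host names, timestamps and the HOST2 entry are made up for this example.
_BASE = datetime(2025, 4, 14, 9, 12, 1)
SAMPLE_EVENTS = [
    f"{(_BASE + timedelta(seconds=i)).isoformat()} HOST1 5007 New value: "
    f"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\{chr(ord('C') + i)}:\\ = 0x0"
    for i in range(24)  # C:\ through Z:\, as in the April 2025 installer
] + [
    # A typical legitimate exclusion: one build directory, not a drive root.
    "2025-04-13T15:40:22 HOST2 5007 New value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Builds\\cache = 0x0",
]

# Matches a 5007 line that adds a path exclusion and captures the excluded path.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+5007\s+New value:\s+"
    r"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\(?P<path>.+?)\s*=\s*0x0$"
)
# A bare drive root such as "C:" or "C:\" with nothing after it.
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")


def parse_exclusion_events(lines):
    """Yield (timestamp, host, excluded_path) for every parseable 5007 path-exclusion line."""
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # other Defender events or unrelated log noise
        yield datetime.fromisoformat(m["ts"]), m["host"], m["path"]


def find_whole_drive_exclusions(lines, window=timedelta(minutes=5), min_drives=2):
    """Return {host: sorted drive letters} for hosts that excluded at least `min_drives`
    distinct whole-drive roots within any `window`-long span.

    A single drive-root exclusion is already worth review; a burst covering many letters
    is the C:\\ .. Z:\\ behaviour described for the LetsVPN installer.
    """
    per_host = defaultdict(list)
    for ts, host, path in parse_exclusion_events(lines):
        if DRIVE_ROOT_RE.match(path):
            per_host[host].append((ts, path[0].upper()))

    alerts = {}
    for host, events in per_host.items():
        events.sort()  # by timestamp
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            drives = {letter for _, letter in events[start:end + 1]}
            if len(drives) >= min_drives:
                alerts.setdefault(host, set()).update(drives)
    return {host: sorted(letters) for host, letters in alerts.items()}


if __name__ == "__main__":
    for host, drives in find_whole_drive_exclusions(SAMPLE_EVENTS).items():
        print(f"{host}: whole-drive Defender exclusions added for {', '.join(drives)}")
```

On a real estate the same logic can be fed from the Defender Operational channel (Microsoft-Windows-Windows Defender/Operational) through whatever log pipeline is in place; the thresholds are deliberately parameters, since a handful of hosts with a single legitimate drive-root exclusion (for example a dedicated backup volume) may exist and should be baselined rather than alerted on every time.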
Attribution and Threat Assessment
Researchers believe the campaign is the work of Void Arachne / Silver Fox APT, citing overlaps in infrastructure, targeting, and malware design. The operation exhibits professional-level planning, regional targeting, and evasive tactics that include:
- Memory-resident execution
- Reflective DLL loading
- Use of legitimately signed decoy software
Conclusion
This campaign illustrates an advanced and targeted operation leveraging fake software installers and modular, stealthy loaders to compromise systems in Chinese-speaking environments. As the Catena-Winos 4.0 toolset continues to evolve, researchers emphasize the importance of user awareness, system monitoring, and proactive malware detection strategies to defend against similar threats.