Winos 4.0 Malware Campaign Masquerades as Popular Software Installers

Cybersecurity researchers from Rapid7 have uncovered a stealthy malware campaign that uses fake software installers impersonating widely used tools, such as LetsVPN and QQ Browser, to deliver a potent malware framework known as Winos 4.0, also referred to as ValleyRAT.

The campaign, first detected in February 2025, employs a multi-stage memory-resident loader called Catena to execute the malware entirely in memory. This sophisticated technique allows the threat to evade traditional antivirus detection and maintain covert persistence on infected systems.

How the Attack Works

The infection chain begins with a trojanized NSIS (Nullsoft Scriptable Install System) installer. These installers are disguised as legitimate applications but are rigged to initiate the Catena loader.

Key Characteristics of the Catena Loader:

  • Embedded shellcode and configuration logic

  • Memory-resident execution

  • Reflective DLL injection

  • Use of decoy software with expired digital certificates

Once executed, Catena quietly downloads and stages Winos 4.0 from attacker-controlled servers, mostly hosted in Hong Kong. The malware communicates over TCP port 18856 and HTTPS port 443, ensuring encrypted and stealthy C2 (command-and-control) communication.

What Is Winos 4.0?

Winos 4.0 is a modular remote access trojan (RAT) built in C++. Based on the legacy Gh0st RAT, it includes modern capabilities such as:

  • Remote shell access

  • Data harvesting and file exfiltration

  • Distributed denial-of-service (DDoS) capabilities

  • Plugin support for extensibility

  • Keylogging and screen capturing

Originally documented by Trend Micro in 2024, Winos 4.0 has since been associated with a threat cluster known as Void Arachne or Silver Fox, which frequently targets Chinese-speaking environments.

Evasion and Persistence Techniques

The malware employs several advanced methods to avoid detection and maintain persistence, including:

  • Use of expired yet valid-looking digital certificates (e.g., a certificate issued to Tencent Technology)

  • Antivirus evasion via PowerShell scripts, which add Microsoft Defender exclusions across all drives

  • Persistence through scheduled tasks that delay malware activation by weeks

  • Checks for antivirus processes, such as 360 Total Security, and adjusts behavior accordingly

Notably, the malware includes a check for Chinese language settings—suggesting targeted attacks—although it continues execution regardless of locale. This indicates future versions may implement stricter regional targeting.

Tactical Evolution in 2025

Rapid7 researchers observed a strategic shift in April 2025, indicating ongoing development and refinement by the threat actors:

  • The fake installer now mimics LetsVPN

  • It executes a PowerShell script to disable security protections

  • A new binary captures process snapshots to detect AV software

  • The payload is reflectively loaded, minimizing file traces

The entire chain showcases tactical agility and operational sophistication—hallmarks of a capable advanced persistent threat (APT) group.

Threat Actor Attribution

While definitive attribution remains elusive, there are strong indicators linking the campaign to the Silver Fox APT, based on:

  • Language-based targeting

  • Overlapping C2 infrastructure

  • Use of signed decoy apps and reflective loading techniques

"This campaign shows a well-organized, regionally focused malware operation using trojanized NSIS installers to quietly drop the Winos 4.0 stager," said Rapid7 researchers Anna Širokova and Ivan Feigl.

Implications and Recommendations

This campaign highlights the growing trend of stealthy, regionally targeted attacks that use legitimate-looking software to bypass user suspicion and evade endpoint security tools.

Key Recommendations:

  • Verify the authenticity of downloaded installers, especially for VPNs and browsers

  • Implement memory-scanning EDR tools capable of detecting reflective DLL injections

  • Harden PowerShell policies and disable script execution where not needed

  • Monitor for unsanctioned scheduled tasks and Defender exclusion changes

  • Educate users on the risks of downloading software from unofficial sources
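Two of the behaviours described above (Defender exclusions added for entire drive roots via PowerShell, and scheduled tasks whose first run is weeks after creation) leave traces in standard Windows event logs, which is what the recommendation to monitor for unsanctioned scheduled tasks and Defender exclusion changes relies on. The following Python script is an added example, not code from the article or from Rapid7, showing how such detection logic can be run over event records. The event IDs are real (Defender Operational 5007 for a configuration change, Security 4698 for scheduled task creation), but the sample records, their exact message wording, the task names and the seven-day threshold are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample events, approximating the text of two real Windows event types:
#   - Microsoft-Windows-Windows Defender/Operational event 5007 (configuration changed),
#     whose "New value" names the registry key of a newly added exclusion
#   - Security event 4698 (scheduled task created), whose "Task Content" carries the task XML
SAMPLE_EVENTS = [
    {"id": 5007, "time": "2025-04-10T09:12:01",
     "message": ("Microsoft Defender Antivirus Configuration has changed. "
                 "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0")},
    {"id": 5007, "time": "2025-04-10T09:12:02",
     "message": ("Microsoft Defender Antivirus Configuration has changed. "
                 "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\D:\\ = 0x0")},
    {"id": 5007, "time": "2025-04-10T11:40:30",  # benign-looking: one application folder, not a drive root
     "message": ("Microsoft Defender Antivirus Configuration has changed. "
                 "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                 "C:\\Program Files\\VendorApp\\ = 0x0")},
    {"id": 4698, "time": "2025-04-10T09:13:00",  # first run four weeks after creation
     "message": ("A scheduled task was created.\nTask Name: \\SystemUpdateCheck\nTask Content: "
                 "<Task><Triggers><TimeTrigger><StartBoundary>2025-05-08T09:00:00</StartBoundary>"
                 "</TimeTrigger></Triggers></Task>")},
    {"id": 4698, "time": "2025-04-10T09:14:00",  # benign-looking: starts the next morning
     "message": ("A scheduled task was created.\nTask Name: \\BackupNightly\nTask Content: "
                 "<Task><Triggers><TimeTrigger><StartBoundary>2025-04-11T02:00:00</StartBoundary>"
                 "</TimeTrigger></Triggers></Task>")},
]

EXCLUSION_RE = re.compile(r"Exclusions\\Paths\\(.+?) = 0x", re.IGNORECASE)
START_RE = re.compile(r"<StartBoundary>([^<]+)</StartBoundary>")
TASK_NAME_RE = re.compile(r"Task Name:\s*(\S+)")
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")  # e.g. "C:" or "C:\"


def exclusion_path(event):
    """Return the path named in a Defender 5007 exclusion change, or None for other events."""
    if event["id"] != 5007:
        return None
    m = EXCLUSION_RE.search(event["message"])
    return m.group(1) if m else None


def is_drive_root(path):
    """True when an exclusion covers a whole drive rather than a specific folder."""
    return bool(DRIVE_ROOT_RE.match(path))


def task_delay_days(event):
    """Days between a 4698 task-creation event and the task's first StartBoundary, or None."""
    if event["id"] != 4698:
        return None
    m = START_RE.search(event["message"])
    if not m:
        return None
    created = datetime.fromisoformat(event["time"])
    start = datetime.fromisoformat(m.group(1))
    return (start - created).total_seconds() / 86400


def excluded_drive_roots(events):
    """Set of drive letters for which a whole-drive Defender exclusion was added."""
    roots = set()
    for ev in events:
        path = exclusion_path(ev)
        if path is not None and is_drive_root(path):
            roots.add(path[0].upper())
    return roots


def detect(events, min_delay_days=7.0):
    """Return findings for whole-drive exclusions and long-delayed scheduled tasks."""
    findings = []
    for ev in events:
        path = exclusion_path(ev)
        if path is not None and is_drive_root(path):
            findings.append({"rule": "defender_drive_root_exclusion",
                             "time": ev["time"], "path": path})
        delay = task_delay_days(ev)
        if delay is not None and delay >= min_delay_days:
            name = TASK_NAME_RE.search(ev["message"])
            findings.append({"rule": "delayed_scheduled_task", "time": ev["time"],
                             "task": name.group(1) if name else "?",
                             "delay_days": round(delay, 1)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print("drives excluded:", sorted(excluded_drive_roots(SAMPLE_EVENTS)))
```

A single exclusion for an application folder is routine administration and is deliberately not flagged; exclusions at drive roots, and several of them in quick succession, are the pattern worth alerting on, and the `excluded_drive_roots` summary makes that aggregate visible. In production the records would come from the Defender Operational and Security logs (via Windows Event Forwarding or an EDR agent) rather than from the constructed list, and the delay threshold should be tuned to the environment.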

Conclusion

The Winos 4.0 campaign is a vivid example of how cyber threat actors are adapting to bypass modern defenses. By disguising malware as trusted applications and leveraging in-memory execution, the threat actors behind Catena and Winos 4.0 demonstrate both technical skill and strategic planning.

As malware becomes increasingly modular and evasive, threat detection must evolve in parallel, with an emphasis on behavioral analysis, memory inspection, and cross-platform threat intelligence sharing.