Catena Campaign: Malware Hidden in Fake VPN & Browser Installers Unleashes Winos 4.0

Inside a Sophisticated Malware Campaign Targeting Chinese-Speaking Users

In early 2025, cybersecurity experts uncovered a covert malware campaign leveraging fake software installers disguised as popular applications like LetsVPN and QQ Browser to secretly deploy a powerful malware framework called Winos 4.0. First identified by Rapid7, this operation involves a complex, memory-resident loader known as Catena, which stages malicious payloads completely in memory—making it difficult for traditional antivirus solutions to detect.

This campaign is primarily focused on Chinese-speaking environments and uses NSIS (Nullsoft Scriptable Install System) installers that appear legitimate but deliver malicious code through various stealth tactics. These include signed decoy applications, shellcode hidden in configuration files, and reflective DLL injection—a technique that loads malicious DLLs directly into memory without leaving a clear trace.

The malware, known as Winos 4.0 (also tracked as ValleyRAT), is based on the infamous Gh0st RAT and is enhanced with a plugin-based structure that enables capabilities such as data theft, remote shell access, and DDoS attacks. Despite being regionally targeted, it continues execution even when deployed on non-Chinese systems, suggesting the malware is still evolving.

Notably, the campaign uses a two-phase strategy: first deploying Catena through a trojanized installer, then establishing persistence by registering scheduled tasks set to activate weeks later. In one variant discovered in April 2025, the malware even manipulates Microsoft Defender settings using PowerShell to create drive-wide antivirus exclusions, showcasing advanced evasion techniques.

Researchers from Rapid7 observed that this operation is not only sophisticated but adaptable, with each iteration introducing new techniques for avoiding detection. With ties to the Void Arachne (a.k.a. Silver Fox) threat group, and infrastructure mostly hosted in Hong Kong, this malware campaign reflects meticulous planning and technical acumen.

🧠 What Undercode Says: Deep Dive Analysis

This campaign reveals a multi-layered, stealth-focused strategy that sets a dangerous precedent in modern cyber-espionage operations. Here are the major takeaways based on current intelligence and analysis:

1. NSIS Installers Weaponized for Stealth

Catena’s use of NSIS-based installers camouflaged as QQ Browser and LetsVPN is both clever and effective. These installers are signed with expired but legitimate certificates, lending them a veneer of authenticity that easily bypasses cursory scrutiny.

2. Memory-Resident Payloads & Shellcode Injection

The malware leverages shellcode embedded in seemingly harmless .ini files, injecting them directly into memory. This minimizes disk activity, helping it evade endpoint protection platforms that rely on file-based detection.

3. Reflective DLL Loading

By reflectively loading malicious DLLs, Catena avoids creating traditional file system artifacts. This method is frequently associated with advanced persistent threats (APTs) and underscores the campaign’s sophistication.

4. Evolving Evasion Techniques

The latest iteration includes PowerShell scripts that disable antivirus defenses by creating exclusions across all local drives. Additionally, the malware checks for known antivirus processes like 360 Total Security, reinforcing its goal to remain undetected.

5. Hardcoded C2 Infrastructure

C2 servers operating on uncommon TCP ports (like 18856 and 18852) reduce the risk of being flagged by standard firewall policies. Communication over HTTPS adds an extra layer of obfuscation.

6. Regional Targeting With Global Implications

Despite its current focus on Chinese-speaking users, Winos

7. Signs of an Organized Threat Group

Indicators suggest this campaign is the work of Void Arachne/Silver Fox, a highly coordinated APT group. Their infrastructure reuse, consistency in tactics, and target focus reflect long-term planning and resource commitment.

8. Plugin Architecture Enables Versatility

Built in C++, Winos 4.0 supports plugin modules for various tasks—data exfiltration, remote access, DDoS. This modularity allows attackers to tailor payloads dynamically, based on the victim’s profile.

9. Delayed Persistence for Maximum Concealment

Scheduling malware execution weeks after the initial infection helps throw off investigators and automated sandbox environments that monitor immediate behavior post-installation.
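As an added defender-side check (not code from the Rapid7 report or from the campaign itself), the following PowerShell audit looks for the two host artifacts described in items 4 and 9 above: Microsoft Defender exclusions that cover an entire local drive, and enabled scheduled tasks whose first trigger is set well into the future. The seven-day threshold, the function names and the output layout are assumptions; the cmdlets used (Get-MpPreference, Get-ScheduledTask) ship with Windows 10/11 and Windows Server and need an elevated session.

```powershell
# Added host-audit example for the techniques described above (not the campaign's code).
# Run in an elevated PowerShell session on a Windows host with the Defender and
# ScheduledTasks modules available.

function Get-DriveWideDefenderExclusions {
    # Returns any Defender path exclusion that covers a whole drive, e.g. "C:\", "D:" or "E:\*".
    $exclusions = (Get-MpPreference).ExclusionPath
    if (-not $exclusions) { return @() }
    $exclusions | Where-Object { $_ -match '^[A-Za-z]:\\?(\*)?$' }
}

function Get-DelayedScheduledTasks {
    # Returns enabled tasks whose trigger StartBoundary lies at least $MinDaysAhead days
    # in the future (the 7-day default is an assumed threshold, not taken from the report).
    param([int]$MinDaysAhead = 7)
    $now = Get-Date
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($trigger in $task.Triggers) {
            if (-not $trigger.StartBoundary) { continue }
            try { $start = [datetime]$trigger.StartBoundary } catch { continue }
            $daysAhead = ($start - $now).TotalDays
            if ($daysAhead -ge $MinDaysAhead) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Author    = $task.Author
                    StartsOn  = $start
                    DaysAhead = [math]::Round($daysAhead, 1)
                    # Exec actions expose Execute/Arguments; other action types yield an empty string.
                    Action    = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
                }
            }
        }
    }
}

$driveWide = Get-DriveWideDefenderExclusions
if ($driveWide) {
    Write-Warning "Drive-wide Defender exclusions found: $($driveWide -join ', ')"
} else {
    Write-Host "No drive-wide Defender exclusions configured."
}

Write-Host "Enabled scheduled tasks with a first run 7 or more days out:"
Get-DelayedScheduledTasks -MinDaysAhead 7 | Format-Table -AutoSize
```

Any hit should be reviewed against change records rather than removed blindly, since legitimate software occasionally registers long-dated tasks; a drive-root exclusion, by contrast, is almost never a sanctioned configuration.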

10. Legitimate App Mimicry Enhances Trust

By mimicking trusted apps like QQ Browser and LetsVPN, attackers exploit user familiarity to increase install rates. Combined with decoy behavior (legit-looking interfaces), it lowers suspicion among targets.

This campaign exemplifies the kind of stealth, persistence, and regional tailoring that marks a new era in cyber warfare—where malware is engineered more like a ghost than a brute force weapon.

✅ Fact Checker Results 🔍

Claim Validity: Verified through Rapid7’s February and April 2025 threat reports.
Attribution Accuracy: Strong evidence links the campaign to the Silver Fox APT group.
Technique Sophistication: Confirms use of advanced methods like reflective DLL injection and memory-resident payloads.

🔮 Prediction: What’s Next for Winos 4.0?

The Winos 4.0 framework is evolving rapidly, with clear signs that the malware is still under active development. We anticipate future versions will:

Implement stricter regional filtering to avoid detection outside target zones.

Introduce more robust encryption for C2 traffic.

Expand targeting to include other East Asian nations such as South Korea or Japan.

Given its modular architecture and stealth features, Winos 4.0 is poised to become a major threat in the APT landscape throughout 2025 and beyond.

References:

Reported By: thehackernews.com