Cybersecurity experts have uncovered a new malware campaign that uses fake software installers to spread the Winos 4.0 framework, a powerful remote access tool. The campaign, active throughout 2025, mainly targets Chinese-speaking users.
Researchers from Rapid7 first identified the campaign in February 2025. It uses a multi-stage loader called Catena to deliver Winos 4.0 directly into system memory, making it harder for traditional antivirus programs to detect.
“Catena uses shellcode and smart configuration switching to keep the payload hidden and memory-resident,” said researchers Anna Širokova and Ivan Feigl. “Once installed, the malware contacts attacker-controlled servers—mostly located in Hong Kong—for further instructions or more malware.”
The campaign uses fake installers for popular applications like QQ Browser and LetsVPN to trick users. These installers are built using the NSIS (Nullsoft Scriptable Install System) framework and include signed decoy apps to appear legitimate. Embedded files and reflective DLL injection techniques help the malware remain stealthy on infected systems.
Winos 4.0, also known as ValleyRAT, was first reported in June 2024 by Trend Micro. It is based on the well-known Gh0st RAT and includes a plugin-based system for data theft, remote shell access, and launching distributed denial-of-service (DDoS) attacks.
Rapid7 links the malware to a threat group known as Void Arachne or Silver Fox. Past attacks by this group have used gaming-related software and phishing emails, including one campaign targeting Taiwan using fake messages from the National Taxation Bureau.
In April 2025, researchers noted a shift in tactics. The latest version of the attack chain includes new steps to avoid antivirus detection. For example, a fake LetsVPN installer now runs a PowerShell command that adds Microsoft Defender exclusions for every drive (C:\ through Z:), reducing the chance of detection.
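The Defender-exclusion step described above leaves a clear footprint in process-creation telemetry. The following Python is an added example, not code from the article or from Rapid7: it scans constructed command-line records (assumed to be in the style of Sysmon Event ID 1 or Security 4688, not real campaign telemetry) and flags PowerShell invocations that pass whole-drive roots such as C:\ to the -ExclusionPath parameter of Add-MpPreference or Set-MpPreference, which is how exclusions for C:\ through Z:\ would look.

```python
import re
from typing import Dict, List, Set

# Only Add-/Set-MpPreference change Defender settings; Get-MpPreference is read-only.
MP_CHANGE_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_ARG_RE = re.compile(r"-ExclusionPath\s+(.*)", re.IGNORECASE)
# A bare drive root (C:\ or D:) followed by a separator, quote or end of the
# argument list; a folder such as C:\Program Files does not match.
DRIVE_ROOT_RE = re.compile(r"(?<![\w\\])([A-Za-z]):\\?(?=\s*(?:[,\"';]|$))")


def drive_roots_excluded(cmdline: str) -> Set[str]:
    """Return the drive letters passed as whole-drive roots to -ExclusionPath."""
    if not MP_CHANGE_RE.search(cmdline):
        return set()
    m = EXCLUSION_ARG_RE.search(cmdline)
    if not m:
        return set()
    # The argument list ends at the next parameter (e.g. " -Force").
    args = re.split(r"\s+-[A-Za-z]", m.group(1))[0]
    return {letter.upper() for letter in DRIVE_ROOT_RE.findall(args)}


def flag_whole_drive_exclusions(lines: List[str], min_drives: int = 2) -> List[Dict[str, object]]:
    """Flag records that exclude at least min_drives entire drives from scanning."""
    hits: List[Dict[str, object]] = []
    for i, line in enumerate(lines):
        roots = drive_roots_excluded(line)
        if len(roots) >= min_drives:
            hits.append({"record": i, "drives": "".join(sorted(roots))})
    return hits


# Constructed sample records (hypothetical hosts and parent processes).
ALL_DRIVES = ", ".join(f"{c}:\\" for c in "CDEFGHIJKLMNOPQRSTUVWXYZ")
SAMPLE_LOGS: List[str] = [
    # Benign admin change: one application folder excluded.
    r'host=ws01 parent=explorer.exe cmd=powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Contoso\" -Force',
    # Whole-drive exclusions C:\ through Z:\ spawned by a fake installer.
    f'host=ws02 parent=letsvpn-setup.exe cmd=powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath {ALL_DRIVES}"',
    # Read-only query, not a configuration change.
    'host=ws03 parent=cmd.exe cmd=powershell.exe -Command "Get-MpPreference"',
    # Two drive roots, individually quoted, via Set-MpPreference.
    "host=ws04 parent=setup.exe cmd=powershell.exe Set-MpPreference -ExclusionPath 'D:\\','E:\\' -Force",
]

if __name__ == "__main__":
    for hit in flag_whole_drive_exclusions(SAMPLE_LOGS):
        print(f"record {hit['record']}: whole-drive exclusions for {hit['drives']}")
```

Defender also records exclusion changes as Event ID 5007 in its own Operational log, so the command-line match can be correlated with that event to confirm the change took effect.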
It also drops a signed executable that scans for running antivirus tools, such as 360 Total Security. The file is signed with an expired VeriSign certificate previously issued to Tencent Technology (Shenzhen), lending an air of legitimacy.
This executable then reflectively loads a malicious DLL, which connects to a command-and-control (C2) server using either TCP port 18852 or HTTPS port 443. From there, the Winos 4.0 malware is downloaded and launched.
The malware sets up persistence by registering scheduled tasks that execute weeks after the original infection. Although Winos 4.0 includes a language check for Chinese system settings, the malware still runs even if the check fails—suggesting this feature may be unfinished.
“This is a well-organized and regionally focused operation,” said the Rapid7 team. “By using memory-resident techniques, reflective DLL loading, and signed decoy software, the attackers aim to avoid detection. The use of Chinese-language lures and infrastructure links suggests ties to the Silver Fox APT group.”