Rapid7 has documented a malware campaign that delivers Winos 4.0, a memory-resident stager, through trojanized installers for popular software such as LetsVPN and QQBrowser. The campaign has been active throughout 2025. Rapid7 tracks the multi-stage infection chain that delivers the stager as the Catena loader; because most of the chain executes in memory rather than from files on disk, traditional file-scanning antivirus has little to inspect.
Trojanized Installers and Infection Process
The chain begins with NSIS installers that look legitimate. Rather than writing a conventional malicious executable to disk, the installer drops a signed executable, INI files that carry embedded shellcode, and reflective DLLs; the shellcode and DLLs are then executed in memory, which is what keeps the on-disk footprint small. In one instance from February 2025, Rapid7's Managed Detection and Response (MDR) team tracked an infection that started from a QQBrowser installer. The malware created an Axialis directory under the victim's %APPDATA% folder and used it to stage scripts and DLLs; mutex-based logic decided which of two configuration files the next stage would use.
By April 2025 the tactics had shifted: a LetsVPN installer loaded its DLL directly through regsvr32.exe instead of through PowerShell scripts, most likely to avoid the script-block and command-line telemetry that PowerShell generates.
In-Memory Execution and Persistence
Once the Winos 4.0 stager runs, it connects to attacker-controlled servers over TCP port 18852 or HTTPS on port 443 to retrieve additional payloads. For persistence it creates scheduled tasks and relies on watchdog scripts such as monitor.bat to relaunch the malware if its process is terminated.
The malware also checks for Chinese language settings, although the check is not strictly enforced and execution was observed to continue regardless. The presence of the check nonetheless suggests that Chinese-speaking users are the intended targets.
Advanced Techniques for Stealth
Technically, the campaign is notable for its use of Shellcode Reflective DLL Injection (sRDI), which lets the payload DLL be mapped and executed entirely in memory without ever being written to disk as a loadable PE, reducing what endpoint security tools can observe through file scanning. The malware also uses hardcoded mutex names, including "VJANCAVESU" and "zhuxianlu", to select which payload path to take. The mutex state gates behaviour such as attempts to disable Microsoft Defender and checks for running processes such as Telegram.exe, which change how the malware proceeds.
Infrastructure analysis identified several Command and Control (C2) servers that were reused across infections, including 134.122.204.11:18852 and 103.46.185.44:443, both of which served identical Winos 4.0 stagers. Shodan scans showed the same payloads being served from multiple IP addresses, indicating a sizeable and coordinated operation rather than a one-off.
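The persistence, C2 and staging indicators named above (the Axialis directory under %APPDATA%, the monitor.bat watchdog, DLL loading through regsvr32.exe, and the two C2 endpoints) are concrete enough to turn into host- and network-level detections. The following is an added example written for this page, not code from Rapid7's report. It runs a small set of detection rules over constructed Sysmon-style events; the event dictionaries and their field names (EventID, CommandLine, DestinationIp, DestinationPort, TargetFilename) are a made-up approximation of Sysmon output, and the mutex names are left out because process-creation and network telemetry do not record mutex creation.

```python
"""Detection rules for the Winos 4.0 / Catena loader indicators described
above, run over constructed Sysmon-style events (not real telemetry)."""

import re
from typing import Dict, List

# Indicators taken from the campaign write-up above.
C2_ENDPOINTS = {("134.122.204.11", 18852), ("103.46.185.44", 443)}
STAGER_PORT = 18852  # non-standard port used by the stager; worth an alert on its own

APPDATA_AXIALIS = re.compile(r"\\AppData\\Roaming\\Axialis\\", re.IGNORECASE)
REGSVR32_DLL_FROM_APPDATA = re.compile(
    r"regsvr32(\.exe)?\s+.*\\AppData\\Roaming\\.*\.dll", re.IGNORECASE)
WATCHDOG_SCRIPT = re.compile(r"monitor\.bat", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.IGNORECASE)


def classify(event: Dict[str, object]) -> List[str]:
    """Return the names of every rule that fires for a single event."""
    hits: List[str] = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        cmd = str(event.get("CommandLine", ""))
        if REGSVR32_DLL_FROM_APPDATA.search(cmd):
            hits.append("regsvr32_dll_from_appdata")
        if SCHTASKS_CREATE.search(cmd) and (
                WATCHDOG_SCRIPT.search(cmd) or APPDATA_AXIALIS.search(cmd)):
            hits.append("scheduled_task_watchdog")
        elif WATCHDOG_SCRIPT.search(cmd):
            hits.append("watchdog_script_execution")
    elif eid == 3:  # network connection
        dst = (str(event.get("DestinationIp", "")),
               int(event.get("DestinationPort", 0)))
        if dst in C2_ENDPOINTS:
            hits.append("known_c2_endpoint")
        elif dst[1] == STAGER_PORT:
            hits.append("stager_port_18852")
    elif eid == 11:  # file creation
        if APPDATA_AXIALIS.search(str(event.get("TargetFilename", ""))):
            hits.append("axialis_staging_dir")
    return hits


def scan(events: List[Dict[str, object]]) -> Dict[str, List[int]]:
    """Run classify over an event stream; map rule name -> event indices."""
    findings: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for name in classify(ev):
            findings.setdefault(name, []).append(i)
    return findings


# Constructed sample telemetry: a rough replay of the infection chain above,
# plus two benign events (an ordinary HTTPS connection and a vendor DLL
# registered from Program Files) that should not fire.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\victim\AppData\Roaming\Axialis\Config.dll"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Axialis\monitor.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 1 /tn Updater /tr "C:\Users\victim\AppData\Roaming\Axialis\monitor.bat"'},
    {"EventID": 3, "DestinationIp": "134.122.204.11", "DestinationPort": 18852},
    {"EventID": 3, "DestinationIp": "203.0.113.7", "DestinationPort": 18852},
    {"EventID": 3, "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\legit.dll"},
]

if __name__ == "__main__":
    for name, idx in scan(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
```

The port-only rule (stager_port_18852) is deliberately separate from the exact-endpoint match: the IP addresses will rotate, but a fresh connection from a user workstation to an unusual high port is still worth a look. The regsvr32 rule is keyed on a DLL path under the roaming profile rather than on regsvr32.exe itself, since legitimate installers register DLLs from Program Files all the time.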
Regional Focus and Development Origins
Details in the samples themselves, including debug metadata with Chinese-language development paths, point to a Chinese-speaking development environment. Together with the language check and the use of infrastructure hosted in Hong Kong, this suggests the campaign is aimed at China or at Chinese-speaking users more broadly.
Ongoing Monitoring and Mitigation
Rapid7 continues to track the campaign as it evolves and has deployed detections for it. The combination of legitimate-software lures, in-memory execution and layered evasion points to a capable operator, and Rapid7 notes a possible link to the Silver Fox APT, a known cyber espionage group.