Sophisticated Malware Campaign Deploys Winos 4.0 via Fake Software Installers

by Shelley

A highly advanced malware campaign has emerged, exploiting fake software installers disguised as popular applications like VPN tools and QQBrowser to deploy the Winos 4.0 malware. The campaign represents a significant cybersecurity threat, evolving the use of memory-resident malware to bypass traditional antivirus defenses and maintain a low detection profile.

The Rise of the “Catena Loader” Infection Chain

The attack relies on a complex infection mechanism known as the Catena loader, a modular structure designed to infect systems without leaving traces on disk. Unlike typical malware, which relies on file-based payloads, the Catena loader operates entirely within system memory, which makes it much harder for conventional security tools to detect.

Security researchers first identified this threat in February 2025 during a Managed Detection and Response (MDR) investigation. The campaign was initially discovered through suspicious activity involving a trojanized NSIS installer masquerading as a QQBrowser setup. As the investigation continued, analysts observed that the campaign had evolved significantly, with attackers adapting their methods while retaining core components of the attack infrastructure.

Targeted Regional Focus

The campaign appears to primarily target Chinese-speaking regions, with infrastructure largely based in Hong Kong. This regional focus is reinforced by the malware’s ability to check for Chinese language settings before initiating the attack, indicating that the threat actors are deliberately targeting specific environments.

Despite this regional focus, the attack is highly sophisticated, suggesting that it is the work of a well-resourced threat group with considerable technical capabilities. Although the attackers have not cast a wide net, the complexity of the campaign suggests long-term planning and a high level of expertise.

Infection Process: The Catena Loader in Action

The Catena loader begins its attack with trojanized NSIS installers disguised as legitimate applications such as LetsVPN, Telegram, or Chrome installers. These fake installers carry valid digital certificates and bundle decoy applications so that they appear legitimate, making it harder for users to recognize the threat.

Once the installer is executed, it triggers a multi-stage infection process. The NSIS script first executes PowerShell commands that add Microsoft Defender exclusions across the system, effectively disabling endpoint protection before proceeding with the malware’s deployment.
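Because the chain starts by carving Defender exclusions for the directories it is about to use, auditing exclusions on a suspect host is the quickest triage step. The script below is an added example written for this article, not code from the researchers or the campaign: it lists exclusions that cover the profile directories the article names (or an entire drive), and pulls the Defender Operational log entries that record configuration changes. The staging roots are taken from the article; the thresholds and the 7-day window are my own choices. Run it in an elevated session, since recent Windows builds hide exclusion lists from non-administrators.

```powershell
# Added example: audit Microsoft Defender exclusions and recent config-change events.
# Staging directories named in the article; an exclusion covering any of them is suspicious.
$stagingRoots = @(
    (Join-Path $env:APPDATA 'TrustAsia'),
    $env:LOCALAPPDATA,
    $env:APPDATA
)

function Get-SuspiciousDefenderExclusions {
    $pref = Get-MpPreference
    $findings = @()

    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $norm = [Environment]::ExpandEnvironmentVariables($p).TrimEnd('\')
        # Whole-drive exclusions (e.g. "C:\") disable scanning for everything.
        if ($norm -match '^[A-Za-z]:$') {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = 'entire drive excluded' }
            continue
        }
        foreach ($root in $stagingRoots) {
            if ($norm.StartsWith($root.TrimEnd('\'), [StringComparison]::OrdinalIgnoreCase)) {
                $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = "covers $root" }
                break
            }
        }
    }
    # Extension- and process-wide exclusions are rarely legitimate on end-user machines.
    foreach ($e in @($pref.ExclusionExtension)) {
        if ($e) { $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'extension-wide exclusion' } }
    }
    foreach ($proc in @($pref.ExclusionProcess)) {
        if ($proc) { $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'process exclusion' } }
    }
    return $findings
}

# Event ID 5007 in the Defender Operational log records configuration changes,
# including exclusions added through Add-MpPreference / Set-MpPreference.
function Get-RecentDefenderConfigChanges {
    param([int]$Days = 7)   # window is an assumption; widen it for older infections
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
Get-RecentDefenderConfigChanges  | Format-List
```

Correlate the timestamp of any 5007 event with installer execution (Security log 4688 or Sysmon event 1) to confirm which process added the exclusion; a clean exclusion list does not clear the host, because an attacker can also remove exclusions once the in-memory stage is running.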

Next, the installer stages the malicious components in various system directories, placing first-stage loaders and shellcode in the %LOCALAPPDATA% folder, while second-stage payloads are placed in %APPDATA%\TrustAsia.

The most alarming part of this attack chain is the use of reflective DLL injection techniques, specifically the Shellcode Reflective DLL Injection (sRDI) framework, which allows the malware to run entirely in memory without creating files on disk. Configuration files such as Config.ini and Config2.ini, though seemingly harmless, actually contain binary blobs that embed the malicious shellcode and DLLs necessary to execute the attack.
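A file that is named like a text configuration but is in fact a binary blob is an artifact a defender can check for directly. The script below is an added example, not code from the article or the research it summarizes: it walks the two staging directories the article names, hashes everything it finds under %APPDATA%\TrustAsia, and flags any .ini file whose first 4 KB contains NUL bytes or a high proportion of control characters, which no real INI file has. The 4 KB sample size and the 2 % threshold are my assumptions.

```powershell
# Added example: find staged loader artifacts and INI files that are really binary blobs.
function Test-LooksBinary {
    param([string]$Path, [int]$SampleBytes = 4096)   # sample size is an assumption
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $SampleBytes
        $n = $fs.Read($buf, 0, $buf.Length)
    } finally { $fs.Dispose() }
    if ($n -eq 0) { return $false }

    $nonText = 0
    for ($i = 0; $i -lt $n; $i++) {
        $b = $buf[$i]
        # NUL and control bytes other than tab/LF/CR never appear in a genuine INI file.
        # Bytes above 0x7F are deliberately NOT counted, so UTF-8 text (e.g. Chinese
        # strings in a legitimate config) is not flagged.
        if ($b -eq 0 -or ($b -lt 32 -and $b -ne 9 -and $b -ne 10 -and $b -ne 13)) { $nonText++ }
    }
    return (($nonText / $n) -gt 0.02)   # threshold is an assumption
}

function Find-CatenaStagingArtifacts {
    $trustAsia = Join-Path $env:APPDATA 'TrustAsia'
    $results = @()

    # Second-stage directory from the article: report every file with its hash.
    if (Test-Path $trustAsia) {
        Get-ChildItem -Path $trustAsia -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $results += [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Reason = 'file under %APPDATA%\TrustAsia'
            }
        }
    }

    # INI files in either staging root that carry binary content.
    foreach ($root in @($trustAsia, $env:LOCALAPPDATA)) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Filter '*.ini' -ErrorAction SilentlyContinue | ForEach-Object {
            $named = $_.Name -in @('Config.ini', 'Config2.ini')   # names from the article
            $binary = Test-LooksBinary -Path $_.FullName
            if ($named -or $binary) {
                $results += [pscustomobject]@{
                    Path   = $_.FullName
                    Size   = $_.Length
                    SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Reason = $(if ($binary) { 'INI file with binary content' } else { 'known staging filename' })
                }
            }
        }
    }
    return $results
}

Find-CatenaStagingArtifacts | Format-Table -AutoSize
```

Treat the filenames as weak indicators (Config.ini is a common name) and the binary-content test as the stronger one; export the hashes so they can be compared against the research report rather than relying on names alone.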

Sophisticated Payload Switching and Persistence

The malware’s operation is further complicated by a mutex-based decision system that selects the payload based on runtime conditions. Hardcoded mutexes like VJANCAVESU are used to control which payload is deployed, depending on the infection stage and system state.

The attack chain communicates with command-and-control (C2) servers hosted at IP addresses 134.122.204.11:18852 and 103.46.185.44:443, from which the final payload—the Winos 4.0 stager—is delivered. This stager establishes a persistent communication channel with the attacker and is designed to survive system reboots and security interventions.

In addition to the stager, the malware sets up multiple redundancy mechanisms, including scheduled tasks and process-monitoring scripts. These functions ensure that the malware remains active even after attempts to remove it or restart the infected system.
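The three persistence and C2 indicators the article lists, the hardcoded mutex, the two C2 endpoints and scheduled tasks pointing into the staging directories, can each be checked from a single elevated PowerShell session. The script below is an added example written for this article, not code from the researchers: it probes for the mutex in both the session and Global namespaces (the article does not say which one the malware uses, so both are tried), maps live TCP connections to the listed addresses back to their owning process, and lists scheduled tasks whose action runs something under %APPDATA%\TrustAsia or any user's AppData\Local. The endpoint list and mutex name come from the article; the path patterns are my assumptions.

```powershell
# Added example: check the persistence and C2 indicators named in the article.
$knownMutex  = 'VJANCAVESU'                                    # from the article
$c2Endpoints = @(                                              # from the article
    @{ Address = '134.122.204.11'; Port = 18852 },
    @{ Address = '103.46.185.44';  Port = 443 }
)

function Test-KnownMutex {
    # A named mutex can only be opened while some process holds it, so a hit means
    # a live instance; a miss does not prove the host is clean (the stager may be dormant).
    $hits = @()
    foreach ($name in @($knownMutex, "Global\$knownMutex")) {
        $m = $null
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            $hits += $name
            $m.Dispose()
        }
    }
    return $hits
}

function Get-C2Connections {
    $addrs = $c2Endpoints | ForEach-Object { $_.Address }
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -in $addrs } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                PID           = $_.OwningProcess
                Process       = $proc.ProcessName
                Path          = $proc.Path
            }
        }
}

function Get-SuspiciousScheduledTasks {
    # Match on path fragments rather than $env:APPDATA so tasks created under
    # another user's profile are caught too. Patterns are an assumption.
    $patterns = @('*\TrustAsia\*', '*\AppData\Local\*')
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions)) {
            $cmd = [Environment]::ExpandEnvironmentVariables("$($action.Execute) $($action.Arguments)")
            foreach ($pat in $patterns) {
                if ($cmd -like $pat) {
                    [pscustomobject]@{
                        TaskName = $task.TaskName
                        TaskPath = $task.TaskPath
                        Author   = $task.Author
                        State    = $task.State
                        Command  = $cmd
                    }
                    break
                }
            }
        }
    }
}

"Mutex hits:";              Test-KnownMutex
"Connections to listed C2:"; Get-C2Connections | Format-Table -AutoSize
"Tasks running from staging paths:"; Get-SuspiciousScheduledTasks | Format-Table -AutoSize
```

Because the article describes redundancy mechanisms that re-create removed components, disable and export any matching task before deleting files, and block the two endpoints at the network edge so a surviving stager cannot fetch a fresh payload while the host is being cleaned.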

Ongoing Threat and Potential Impact

This malware campaign demonstrates a highly advanced and evolving form of cyberattack that goes beyond simple file-based malware. By utilizing memory-based techniques and advanced infection chains, the attackers can remain undetected for extended periods and establish persistent access to compromised systems.

With its focus on specific regional targets and its use of sophisticated methods, this campaign poses a significant threat to both individual users and organizations. The involvement of a capable threat group and the complexity of the attack suggest that the actors behind the campaign have substantial resources at their disposal.

© 2024 Copyright  freevpnforiphone.com