Cybersecurity Researchers Uncover Malware Campaign Using Fake Software Installers
Researchers specializing in cybersecurity have recently exposed a malware campaign that utilizes counterfeit software installers masquerading as popular tools, such as LetsVPN and QQ Browser, to deliver the Winos 4.0 framework.
This campaign, initially detected by Rapid7 in February 2025, involves the use of a multi-stage, memory-resident loader known as Catena.
“Catena utilizes embedded shellcode and configuration switching logic to stage payloads like Winos 4.0 entirely in memory, thereby evading traditional antivirus tools,” security researchers Anna Širokova and Ivan Feigl stated. “Once installed, it quietly connects to attacker-controlled servers – primarily hosted in Hong Kong – to receive follow-up instructions or additional malware.”
The attacks, similar to those that have deployed Winos 4.0 in the past, appear to focus specifically on Chinese-speaking environments, with the cybersecurity company noting the “careful, long-term planning” by a highly capable threat actor.
Winos 4.0, also known as ValleyRAT, was initially publicly documented by Trend Micro in June 2024 as being used in attacks targeting Chinese-speaking users through malicious Windows Installer (MSI) files for VPN apps. This activity has been attributed to a threat cluster tracked as Void Arachne, also referred to as Silver Fox.
Subsequent campaigns distributing the malware have leveraged gaming-related applications, such as installation tools, speed boosters, and optimization utilities, as lures to trick users into installing it. Another attack wave detailed in February 2025 targeted entities in Taiwan via phishing emails purportedly from the National Taxation Bureau.
Built atop the foundations of a known remote access trojan called Gh0st RAT, Winos 4.0 is an advanced malicious framework written in C++ that utilizes a plugin-based system to harvest data, provide remote shell access, and launch distributed denial-of-service (DDoS) attacks.
[Figure: QQBrowser-based infection flow observed in February 2025]
Rapid7 stated that all the artifacts flagged in February 2025 relied on NSIS installers bundled with signed decoy apps, shellcode embedded in “.ini” files, and reflective DLL injection to covertly maintain persistence on infected hosts and avoid detection. The entire infection chain has been given the moniker Catena.
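The shellcode-in-".ini" trick described above gives defenders a cheap triage signal: a genuine configuration file is small, low-entropy and almost entirely printable text, while a file carrying an embedded binary blob is not. The following Python script is an added example written for this page, not code from Rapid7 or the researchers; it walks a directory, scores every `.ini` file by Shannon entropy and printable-byte ratio, and returns the ones that look like payload carriers. The two sample files, the thresholds and the function names are constructed assumptions for the demo, not artifacts or indicators from the campaign.

```python
import math
import os
import string

# Constructed samples so the script runs offline. Neither is a real artifact
# from the Catena / Winos 4.0 campaign.
BENIGN_INI = (
    b"[Settings]\nLanguage=zh-CN\nHomePage=https://example.invalid/\nUpdate=1\n"
)
# A .ini whose body is an opaque byte blob (every byte value appears equally
# often), mimicking a config file that is really a shellcode container.
SUSPICIOUS_INI = (
    b"[Config]\nData=" + bytes((i * 73 + 17) % 256 for i in range(4096)) + b"\n"
)

PRINTABLE = set(string.printable.encode("ascii"))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text config files typically score well under 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (1.0 for an empty file)."""
    if not data:
        return 1.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def is_suspicious_ini(
    data: bytes,
    entropy_threshold: float = 6.0,   # assumed cut-off, tune per environment
    printable_threshold: float = 0.9, # assumed cut-off, tune per environment
    min_size: int = 1024,             # ignore tiny files; shellcode needs room
) -> bool:
    """Flag a .ini that is large and either high-entropy or mostly non-text."""
    if len(data) < min_size:
        return False
    return (
        shannon_entropy(data) > entropy_threshold
        or printable_ratio(data) < printable_threshold
    )


def scan_ini_files(root: str):
    """Return (path, entropy, printable_ratio) for every suspicious .ini under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".ini"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if is_suspicious_ini(data):
                hits.append(
                    (path, round(shannon_entropy(data), 2),
                     round(printable_ratio(data), 2))
                )
    return hits


if __name__ == "__main__":
    import sys
    # Demo on the constructed samples, then optionally on a real directory.
    print("benign sample suspicious?    ", is_suspicious_ini(BENIGN_INI * 30))
    print("suspicious sample suspicious?", is_suspicious_ini(SUSPICIOUS_INI))
    if len(sys.argv) > 1:
        for hit in scan_ini_files(sys.argv[1]):
            print("SUSPICIOUS:", hit)
```

Run it against an extracted installer directory (for example the output of unpacking an NSIS package) and review the hits manually; the heuristic is a triage filter, so compressed or encrypted but legitimate resources will also score high and need a second look.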
“The campaign has so far been active throughout 2025, showing a consistent infection chain with some tactical adjustments – pointing to a capable and adaptive threat actor,” the researchers said.
The starting point is a trojanized NSIS installer posing as the installer for QQ Browser, a Chromium-based web browser developed by Tencent, which is designed to deliver Winos 4.0 using Catena.