Cybersecurity researchers have uncovered a malware campaign using fake software installers to spread a powerful remote access tool. Masquerading as popular apps like LetsVPN and QQ Browser, the campaign is delivering a stealthy malware framework known as Winos 4.0.
First flagged by Rapid7 in February 2025, the operation relies on a loader called Catena to slip past antivirus defenses. The malware runs entirely in memory, making it harder to detect and remove.
Here’s how it works:
- Trojanized installers: Users download what looks like a legitimate app such as QQ Browser, but it is actually a trojanized NSIS (Nullsoft Scriptable Install System) installer.
- Memory-only payloads: Once executed, the Catena loader uses embedded shellcode to stage malware directly in memory.
- C2 communication: The malware then connects to attacker-controlled servers—mostly in Hong Kong—over obscure TCP and HTTPS ports to receive commands or updates.
Researchers believe the campaign is targeting Chinese-speaking users, possibly as part of a broader surveillance or cyber-espionage effort.
Winos 4.0, also known as ValleyRAT, is based on the Gh0st RAT framework. Written in C++, it’s a plugin-powered tool that can:
- Steal data
- Open remote shell access
- Launch DDoS attacks
Earlier versions of the malware were spread via phishing campaigns that impersonated Taiwanese tax authorities and gaming platforms.
In April 2025, the attackers adjusted their tactics. The new installers—posing as LetsVPN—run PowerShell commands to disable Microsoft Defender on all drives. They also deploy additional files that:
- Take a snapshot of active processes
- Look for Chinese antivirus software like 360 Total Security
- Reflectively load DLLs to connect with command-and-control servers
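The Defender-tampering step above is something PowerShell script-block logging (event 4104) makes visible. The following is an added detection example, not code from the article or from the researchers who analysed the campaign; the script-block text it scans is constructed for illustration, since the article does not reproduce the exact commands the installers run, and the two patterns it looks for (switching off a Defender feature, and excluding whole drive roots either literally or by enumerating drives in a loop) are assumptions about how "disable Defender on all drives" would be implemented.

```python
import re

# Constructed sample script-block log entries (Windows PowerShell event 4104 text);
# these are not captured from the campaign and are assumed forms of Defender tampering.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users | Select-Object Name",
    "Add-MpPreference -ExclusionPath 'C:\\','D:\\','E:\\'",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Get-PSDrive -PSProvider FileSystem | ForEach-Object { Add-MpPreference -ExclusionPath $_.Root }",
]

TAMPER_CMDLET = re.compile(r"\b(?:Set|Add)-MpPreference\b", re.IGNORECASE)
DISABLE_FLAG = re.compile(r"-Disable\w*\s+(?:\$true|1)\b", re.IGNORECASE)
EXCLUSION_ARG = re.compile(r"-ExclusionPath\s+([^|;{}]+)", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
DRIVE_ENUM = re.compile(r"\b(?:Get-PSDrive|Win32_LogicalDisk|Get-Volume)\b", re.IGNORECASE)

def drive_root_exclusions(script: str) -> list[str]:
    """Drive letters excluded wholesale: excluding a root such as C:\\ stops scanning of that drive."""
    roots = []
    for m in EXCLUSION_ARG.finditer(script):
        for item in m.group(1).split(","):
            item = item.strip().strip("'\"")
            if DRIVE_ROOT.match(item):
                roots.append(item[0].upper() + ":")
    return sorted(set(roots))

def classify(script: str) -> list[str]:
    """Label Defender-tampering patterns in one script block; an empty list means nothing flagged."""
    if not TAMPER_CMDLET.search(script):
        return []
    findings = []
    if DISABLE_FLAG.search(script):
        findings.append("defender_feature_disabled")
    roots = drive_root_exclusions(script)
    if roots:
        findings.append("drive_root_exclusion:" + ",".join(roots))
    # Enumerating drives and feeding each root to Add-MpPreference covers "all drives"
    # without a literal drive path ever appearing in the command text.
    if EXCLUSION_ARG.search(script) and DRIVE_ENUM.search(script):
        findings.append("all_drives_exclusion_loop")
    return findings

def scan(blocks: list[str]) -> dict[int, list[str]]:
    """Map the index of each flagged script block to its findings."""
    return {i: f for i, s in enumerate(blocks) if (f := classify(s))}

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_SCRIPT_BLOCKS).items():
        print(i, findings, SAMPLE_SCRIPT_BLOCKS[i])
```

Legitimate administration also uses these cmdlets, so treat a hit as a triage signal to pair with the parent process (an installer spawning PowerShell is the combination described above) rather than as a verdict on its own.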
One dropped executable was even signed with a certificate tied to Tencent, though it had expired. That trick is meant to make the malware seem more legitimate and avoid raising red flags.
Despite checking for Chinese language settings, the malware still runs even if the environment isn’t a match—possibly hinting at incomplete development.
Experts suspect this is the work of Silver Fox, a known advanced persistent threat (APT) group. The infrastructure, tactics, and regional focus all point to their involvement.
This campaign is another reminder: always verify the source before downloading software. Even apps that look familiar can be hiding dangerous payloads.