Cybersecurity researchers have uncovered a malware campaign using fake software installers to spread a powerful remote access tool. Masquerading as popular apps like LetsVPN and QQ Browser, the campaign is delivering a stealthy malware framework known as Winos 4.0.

First flagged by Rapid7 in February 2025, the operation relies on a loader called Catena to slip past antivirus defenses. The malware runs entirely in memory, making it harder to detect and remove.

Here’s how it works:

• Trojan installers: Users download what looks like a legitimate app, like QQ Browser, but it’s a trojanized NSIS installer.
  
• Memory-only payloads: Once executed, the Catena loader uses embedded shellcode to stage malware directly in memory.
  
• C2 communication: The malware then connects to attacker-controlled servers—mostly in Hong Kong—over obscure TCP and HTTPS ports to receive commands or updates.

Researchers believe the campaign is targeting Chinese-speaking users, possibly as part of a broader surveillance or cyber-espionage effort.

Winos 4.0, also known as ValleyRAT, is based on the Gh0st RAT framework. Written in C++, it’s a plugin-powered tool that can:

• Steal data
  
• Open remote shell access
  
• Launch DDoS attacks

Earlier versions of the malware were spread via phishing campaigns that impersonated Taiwanese tax authorities and gaming platforms.

In April 2025, the attackers adjusted their tactics. The new installers—posing as LetsVPN—run PowerShell commands to disable Microsoft Defender on all drives. They also deploy additional files that:

• Take a snapshot of active processes
  
• Look for Chinese antivirus software like 360 Total Security
  
• Reflectively load DLLs to connect with command-and-control servers

One dropped executable was even signed with a certificate tied to Tencent, though it had expired. That trick is meant to make the malware seem more legitimate and avoid raising red flags.

Despite checking for Chinese language settings, the malware still runs even if the environment isn’t a match—possibly hinting at incomplete development.

Experts suspect this is the work of Silver Fox, a known advanced persistent threat (APT) group. The infrastructure, tactics, and regional focus all point to their involvement.

This campaign is another reminder: always verify the source before downloading software. Even apps that look familiar can be hiding dangerous payloads.

Top U.S. banking associations are pressing the Securities and Exchange Commission to roll back a rule that forces public companies to disclose major cybersecurity breaches within four business days.

In a letter sent May 22, five major financial groups—including the American Bankers Association and the Securities Industry and Financial Markets Association—argued the rule clashes with existing laws aimed at protecting critical infrastructure and victims’ privacy.

At the center of the dispute is Item 1.05 of Form 8-K, a regulation rolled out in July 2023 under the SEC’s broader Cybersecurity Risk Management rules. It requires companies to publicly reveal “material” cyber incidents, like hacks or data breaches, on a strict deadline.

The banking industry says that’s a problem. According to the letter, the rule can disrupt how firms respond to attacks, interfere with law enforcement, and blur the lines between what must be shared publicly and what’s optional.

One key concern: threat actors may be using these public disclosures to pressure companies during ransomware attacks. The groups say that puts victims in an even tougher spot and could drive up insurance costs or legal risks.

There’s also a worry that the rule could have a chilling effect internally. If every incident might go public fast, employees could hesitate to flag problems or share sensitive details that are critical to stopping a breach.

Instead of public disclosures, the associations want the SEC to scrap the rule and stick with current frameworks that let companies alert investors without tipping off attackers or exposing vulnerabilities.

Their argument echoes growing pushback against overlapping federal cybersecurity rules. For example, the Cybersecurity and Infrastructure Security Agency is developing new reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). That proposal would give companies 72 hours to report major incidents—another tight window critics say could swamp firms with paperwork during a crisis.

The financial sector isn’t arguing against transparency. But it’s calling for more realistic timelines and coordination between regulators to avoid chaos when every second counts.

A cyberattack on Cellcom, a regional telecommunications provider based in Wisconsin, has disrupted phone and text services for thousands of customers across Wisconsin and Michigan’s Upper Peninsula since May 14. The company confirmed the incident on May 20, attributing the outage to a targeted cyberattack that affected its voice and SMS systems.

In a letter and accompanying video message, Cellcom CEO Brighid Riordan stated that the attack was confined to a specific segment of the network, separate from where sensitive customer data is stored. “We have no evidence that personal information related to you, your name, your addresses, your financial information, is impacted by this event,” Riordan assured customers.

Upon detecting the breach, Cellcom activated its incident response protocols, which included engaging external cybersecurity experts, notifying the FBI and Wisconsin state authorities, and initiating a comprehensive recovery strategy.

As of May 22, some services have been partially restored. Cellcom users reported the ability to make calls to other networks, although receiving calls from non-Cellcom numbers remains inconsistent. The company anticipates full service restoration by the end of the week but has not provided a specific timeline.

The outage has significantly impacted customers, including small business owners like Andy Tobias, whose window cleaning business suffered due to communication disruptions.

Cybersecurity experts emphasize that such incidents highlight the vulnerability of critical infrastructure. Dr. Tyler Baeten, an IT instructor at Fox Valley Technical College, noted, “This isn’t a Cellcom issue; this is part of the growing trend nationwide, where we’re seeing our infrastructure being targeted.”

To safeguard personal information, experts recommend using end-to-end encrypted communication platforms and freezing credit with major bureaus—Experian, Equifax, and TransUnion—to prevent identity theft.

Cellcom has pledged to compensate customers for the downtime, though specific details have not been disclosed. The company continues to work diligently to restore full services and has committed to transparent communication throughout the recovery process.