Cybersecurity researchers have disclosed a malware campaign that uses fake software installers masquerading as popular tools such as LetsVPN and QQ Browser to deliver the Winos 4.0 framework.
The campaign, first detected by Rapid7 in February 2025, involves the use of a multi-stage, memory-resident loader called Catena.
"Catena uses embedded shellcode and configuration switching logic to stage payloads like Winos 4.0 entirely in memory, evading traditional antivirus tools," said security researchers Anna Širokova and Ivan Feigl. "Once installed, it quietly connects to attacker-controlled servers, mostly hosted in Hong Kong, to receive follow-up instructions or additional malware."
The attacks, like those that have deployed Winos 4.0 in the past, appear to focus on Chinese-speaking environments, with the cybersecurity company calling out the "careful, long-term planning" of a very capable threat actor.
Winos 4.0 (aka ValleyRAT) was first publicly documented by Trend Micro in June 2024, when it was used in targeted attacks against Chinese-speaking users by means of malicious Windows Installer (MSI) files for VPN apps. The activity has been attributed to a threat cluster the company tracks as Void Arachne, also known as Silver Fox.
Subsequent campaigns have leveraged gaming-related applications such as installation tools, speed boosters, and optimization utilities as lures to trick users into installing the malware. Another attack wave, detailed in February 2025, targeted entities in Taiwan via phishing emails claiming to come from the National Taxation Bureau.
Built on the foundation of a known remote access trojan called Gh0st RAT, Winos 4.0 is an advanced malicious framework written in C++ that uses a plugin-based system to harvest data, provide remote shell access, and launch distributed denial-of-service (DDoS) attacks.
Figure: QQ Browser-based infection flow seen in February 2025
Rapid7 said all the artifacts flagged in February 2025 relied on NSIS installers bundled with signed decoy apps, and the entire infection chain has been given the moniker Catena.
"The campaign has been active throughout 2025 so far, showing a consistent infection chain with some tactical adjustments, pointing to a capable and adaptive threat actor," the researchers said.
The starting point is a trojanized NSIS installer that masquerades as an installer for QQ Browser, a Chromium-based web browser developed by Tencent, and is designed to deliver Winos 4.0 using Catena. The malware communicates with hard-coded command-and-control (C2) infrastructure over TCP port 18856 and HTTPS port 443.
Figure: LetsVPN installer to Winos 4.0 infection flow seen in April 2025
Persistence on the host is achieved by registering scheduled tasks that execute weeks after the initial compromise. While the malware includes an explicit check for Chinese language settings on the system, it proceeds with execution even when that check fails.
This suggests the check is an incomplete feature that is expected to be implemented in subsequent iterations of the malware. Rapid7 said it identified a "tactical shift" in April 2025 that not only swapped out some elements of the Catena execution chain but also incorporated features to evade antivirus detection.
In the revamped attack sequence, the NSIS installer disguises itself as a setup file for LetsVPN and runs a PowerShell command that adds Microsoft Defender exclusions for all drives (C:\ to Z:\). It then drops additional payloads, including an executable that takes a snapshot of running processes and checks for processes related to 360 Total Security, an antivirus product developed by Chinese vendor Qihoo 360.
The binary is signed with an expired certificate issued by VeriSign that allegedly belongs to Tencent Technology (Shenzhen); it was valid from 2018-10-11 to 2020-02-02. The executable's primary job is to reflectively load a DLL file, which in turn connects to the C2 server (134.122.204[.]11:18852 or 103.46.185[.]44:443) to download and execute Winos 4.0.
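The blanket Defender exclusion described above is the most detectable step in the revamped chain, so here is an added example of the check a defender would run against it. This is illustrative Python written for this page, not Rapid7's code and not anything recovered from the Catena samples. It assumes the exclusions were added with `Add-MpPreference -ExclusionPath` (the article says only "a PowerShell command"), approximates the message shape of Defender's Event ID 5007 configuration-change event, and runs over constructed sample inputs.

```python
"""Flag Microsoft Defender exclusions that cover whole drive roots.

Added example, not code from Rapid7 or from the Catena/Winos 4.0 samples.
All inputs below are constructed for the demo: the PowerShell script-block
text assumes the exclusions were added with `Add-MpPreference -ExclusionPath`
(the article only says "a PowerShell command"), and the Event ID 5007 message
shape is an approximation of what Defender logs when an exclusion is added.
"""
import re
from collections.abc import Iterable

# A bare drive root in its common spellings: C:, C:\, C:\*, c:\ (case-insensitive).
DRIVE_ROOT = re.compile(r"^[A-Za-z]:(?:\\\*?)?$")

# `Add-MpPreference ... -ExclusionPath <value[,value...]>` on one command line.
ADD_EXCLUSION = re.compile(
    r"Add-MpPreference\b[^\r\n;|]*?-ExclusionPath\s+([^\r\n;|]+)", re.IGNORECASE
)

# Defender operational log, Event ID 5007, "New value:" line for a path
# exclusion (assumed format: ...\Exclusions\Paths\<path> = 0x0).
EVENT_5007_PATH = re.compile(r"Exclusions\\Paths\\(.+?)\s*=\s*0x0", re.IGNORECASE)


def _clean(path: str) -> str:
    """Strip surrounding whitespace and PowerShell quotes."""
    return path.strip().strip("\"'")


def is_drive_root(path: str) -> bool:
    """True for an exclusion that covers an entire drive (e.g. 'D:\\' or 'D:\\*')."""
    return bool(DRIVE_ROOT.match(_clean(path)))


def normalize_root(path: str) -> str:
    """Canonical form of a drive-root exclusion: upper-case letter plus ':\\'."""
    return _clean(path)[0].upper() + ":\\"


def exclusions_from_scriptblock(text: str) -> list[str]:
    """Extract -ExclusionPath arguments from PowerShell script-block text
    (e.g. the ScriptBlockText field of Event ID 4104)."""
    found: list[str] = []
    for match in ADD_EXCLUSION.finditer(text):
        found.extend(tok for tok in map(_clean, match.group(1).split(",")) if tok)
    return found


def exclusions_from_5007(messages: Iterable[str]) -> list[str]:
    """Extract excluded paths from Defender Event ID 5007 messages."""
    found: list[str] = []
    for msg in messages:
        found.extend(m.group(1) for m in EVENT_5007_PATH.finditer(msg))
    return found


def drive_root_exclusions(paths: Iterable[str]) -> list[str]:
    """Distinct whole-drive exclusions among `paths`, sorted, e.g. ['C:\\', 'D:\\']."""
    return sorted({normalize_root(p) for p in paths if is_drive_root(p)})


def is_blanket_exclusion(paths: Iterable[str], threshold: int = 3) -> bool:
    """True when at least `threshold` whole drives are excluded. A legitimate
    admin rarely excludes even one full drive; C:\\ through Z:\\ is never benign."""
    return len(drive_root_exclusions(paths)) >= threshold


# Constructed sample: one command excluding every drive letter C: to Z:.
SAMPLE_SCRIPTBLOCK = "Add-MpPreference -ExclusionPath " + ",".join(
    f"'{c}:\\'" for c in "CDEFGHIJKLMNOPQRSTUVWXYZ"
)

# Constructed sample 5007 messages (format approximated, three drives excluded).
SAMPLE_5007 = [
    "Microsoft Defender Antivirus Configuration has changed.\r\n\tOld value: \r\n"
    f"\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\{d}:\\ = 0x0"
    for d in "CDE"
]


if __name__ == "__main__":
    sb_paths = exclusions_from_scriptblock(SAMPLE_SCRIPTBLOCK)
    sb_roots = drive_root_exclusions(sb_paths)
    print(f"script block excludes {len(sb_roots)} drive roots: {sb_roots[0]} .. {sb_roots[-1]}")
    print("blanket exclusion:", is_blanket_exclusion(sb_paths))
    print("5007 roots:", drive_root_exclusions(exclusions_from_5007(SAMPLE_5007)))
```

The script-block parser only sees literal paths on the command line; a loader that builds the letters in a loop (a variable rather than a string literal) would slip past it, which is why the 5007 events, written after the fact by Defender itself, are the stronger source. On a live host, the same `drive_root_exclusions` check can be fed the output of `(Get-MpPreference).ExclusionPath` to confirm whether the exclusions actually took effect.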
"This campaign reflects a well-organized, regionally focused malware operation that quietly drops the Winos 4.0 stager using trojanized NSIS installers," the researchers said.
"It leans heavily on memory-resident payloads, reflective DLL loading, and decoy software signed with legitimate certificates to avoid raising alarms. Infrastructure overlaps and language-based targeting hint at ties to Silver Fox APT, with activity likely aimed at Chinese-speaking environments."