Cybersecurity experts have uncovered a dangerous malware framework called Winos 4.0, which is being distributed through fake gaming optimization tools, speed boosters, and installation utilities. Designed with advanced modular capabilities, the malware allows attackers to control infected systems, execute further attacks, and steal sensitive data.
Built on the foundation of Gh0st RAT, Winos 4.0 introduces new features that enhance its functionality and stability. The malware has been identified in campaigns tracked as Void Arachne and Silver Fox, with threat actors primarily targeting Chinese-speaking users.
Using deceptive tactics such as black hat Search Engine Optimization (SEO), social media, and messaging platforms like Telegram, attackers lure victims into downloading malicious applications.
Once a user runs one of these fake gaming-related apps, a multi-step infection process begins. The first stage downloads a file disguised as a BMP image from a remote server; the image is only a wrapper, and the loader decodes it into a dynamic-link library (DLL).
This DLL prepares the host for the later stages by retrieving additional payloads, including executables and further DLLs, from the same server.
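A file that carries a valid BMP header can still be nothing but a container for an encoded PE image, so a size or magic-number check alone will pass it. The script below is an added example, not code from the researchers or from the Winos 4.0 loader: it parses the BMP file and info headers, flags size mismatches and trailing data, and then tries to recover a PE image (an `MZ` stub whose `e_lfanew` points at `PE\0\0`) from the pixel array. The single-byte XOR search is an illustrative assumption, since the article does not describe the real decoding scheme; the two sample files (`BENIGN_BMP`, `FAKE_BMP`) are constructed inline.

```python
import struct

# BITMAPFILEHEADER: bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
BMP_FILE_HEADER = "<2sIHHI"
# First seven fields of BITMAPINFOHEADER: biSize, biWidth, biHeight,
# biPlanes, biBitCount, biCompression, biSizeImage
BMP_INFO_PREFIX = "<IiiHHII"
BMP_INFO_FULL = "<IiiHHIIiiII"


def has_pe_signature(blob: bytes) -> bool:
    """True if blob starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_hidden_pe(blob: bytes):
    """Return 0 if blob is a plain PE, the key if it is a single-byte-XOR'd PE,
    else None. Single-byte XOR is an assumed, illustrative encoding only."""
    if len(blob) < 2:
        return None
    if has_pe_signature(blob):
        return 0
    for key in range(1, 256):
        # Cheap pre-check on the first two bytes before decoding the whole blob.
        if blob[0] ^ key == 0x4D and blob[1] ^ key == 0x5A:  # 'M', 'Z'
            if has_pe_signature(bytes(b ^ key for b in blob)):
                return key
    return None


def inspect_bmp(data: bytes) -> dict:
    """Validate BMP structure and look for a PE image hidden in the pixel array."""
    findings = []
    if len(data) < 54:
        return {"findings": ["too short for BMP file + info headers"], "hidden_pe_key": None}
    magic, bf_size, _, _, off_bits = struct.unpack_from(BMP_FILE_HEADER, data, 0)
    _, width, height, _, bpp, compression, _ = struct.unpack_from(BMP_INFO_PREFIX, data, 14)
    if magic != b"BM":
        findings.append("missing 'BM' magic")
    if bf_size != len(data):
        findings.append(f"declared size {bf_size} != actual size {len(data)}")
    # Uncompressed rows are padded to a multiple of 4 bytes.
    row_bytes = ((width * bpp + 31) // 32) * 4
    expected_end = off_bits + row_bytes * abs(height)
    trailing = len(data) - expected_end
    if compression == 0 and trailing > 0:
        findings.append(f"{trailing} bytes after the pixel array")
    key = find_hidden_pe(data[off_bits:])
    if key is not None:
        findings.append(f"PE image recoverable from pixel array (xor key 0x{key:02x})")
    return {"findings": findings, "hidden_pe_key": key}


def build_bmp(pixel_data: bytes, width: int, height: int, bpp: int) -> bytes:
    """Construct a minimal BMP whose headers exactly describe pixel_data (test helper)."""
    off = 14 + 40
    file_header = struct.pack(BMP_FILE_HEADER, b"BM", off + len(pixel_data), 0, 0, off)
    info_header = struct.pack(BMP_INFO_FULL, 40, width, height, 1, bpp, 0,
                              len(pixel_data), 2835, 2835, 0, 0)
    return file_header + info_header + pixel_data


# Constructed samples: a real 2x2 24-bit image, and a 32x1 32-bit "image" whose
# 128-byte pixel array is a fake PE stub XOR'd with 0x5A (not a real malware sample).
BENIGN_BMP = build_bmp(bytes(range(16)), width=2, height=2, bpp=24)
_PE_STUB = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"
_PE_STUB += b"\0" * (128 - len(_PE_STUB))
FAKE_BMP = build_bmp(bytes(b ^ 0x5A for b in _PE_STUB), width=32, height=1, bpp=32)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_BMP), ("fake", FAKE_BMP)):
        print(name, inspect_bmp(sample))
```

Note that `FAKE_BMP` passes every structural check (magic, declared size, no trailing bytes); only the content check on the pixel array catches it, which is why a triage pipeline should look for embedded executables rather than trusting the container format.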
One notable component, named “学籍系统” (translated as Student Registration System), hints that the attackers might also be targeting educational institutions. The malware progresses to load more modules, communicate with a command-and-control (C2) server, and retrieve additional components that enable various malicious activities.
The third stage of infection downloads encoded data and a DLL responsible for gathering system details, capturing clipboard content, and extracting information from cryptocurrency wallet extensions like OKX Wallet and MetaMask. It also allows the malware to act as a backdoor, awaiting further instructions from the attacker.
In addition, Winos 4.0 supports plugins that enhance its capabilities, such as capturing screenshots and uploading sensitive files from compromised systems. Its similarity to advanced tools like Cobalt Strike makes it a powerful weapon in the hands of threat actors, giving them extensive control over infected machines.
This discovery aligns with broader trends of malicious campaigns exploiting the gaming community. Another recent campaign, uncovered by researchers, involves fake websites mimicking gambling-related games to deliver malware called WrnRAT.
This malware steals information and grants attackers remote access, targeting gambling game users to capture screenshots and potentially cause further financial losses.
Gamers and other users should avoid downloads from unofficial or suspicious sources, including third-party app stores and links shared on social media or in messaging groups, and should check that an installer carries a valid publisher signature before running it. Keeping a reputable antivirus product active and applying operating-system and browser patches promptly adds a further layer of defense.