Winos 4.0 Targets Chinese-Speaking Users
Winos 4.0 malware spreads through fake software installers mimicking tools like LetsVPN. First detected in February 2025, this campaign uses a loader called Catena. For example, it targets Chinese-speaking environments with precision. The attacks show careful planning by a skilled threat actor.
Deceptive NSIS Installers
The infection starts with trojanized NSIS installers posing as legitimate apps. These installers mimic tools like QQ Browser to trick users. Once executed, they deploy Winos 4.0 using memory-resident techniques. Consequently, this method helps the malware evade traditional antivirus tools.
Catena’s Role in the Attack
Catena uses embedded shellcode to stage payloads in memory. It connects to servers, often in Hong Kong, for instructions. For instance, it communicates over TCP port 18856 and HTTPS port 443. This stealthy approach ensures the malware remains undetected during execution.
Advanced Features of Winos 4.0
Winos 4.0, also known as ValleyRAT, builds on the Gh0st RAT framework. Written in C++, it uses a plugin system for data theft. Additionally, it enables remote shell access and launches DDoS attacks. The malware targets systems with Chinese language settings primarily.
Evasion and Persistence Tactics
The malware adds Microsoft Defender exclusions for all drives. It also checks for antivirus processes before proceeding. For example, it uses signed decoy apps with expired certificates to appear legitimate. Scheduled tasks ensure persistence weeks after the initial infection.
Campaign Evolution in 2025
The campaign evolved by April 2025 with tactical shifts. Attackers adjusted Catena’s execution chain to improve evasion. A report notes their use of phishing emails, like fake tax notices in Taiwan. Therefore, the threat actor adapts to maximize impact.
Preventing Winos 4.0 Malware Attacks
To stop Winos 4.0, verify software sources before installing. For example, download apps only from official websites. Use updated antivirus software to detect trojanized installers and enable two-factor authentication. Additionally, train users to spot phishing emails. These steps help protect against malware and data theft.
Sleep well, we got you covered.
