Threat actors are leveraging fake installers for popular software like LetsVPN and QQ Browser to deploy a malware framework known as Winos 4.0, researchers at Rapid7 said in a new report.
First detected in February 2025, the campaign uses a stealthy, memory-resident loader dubbed Catena, which relies on embedded shellcode and configuration-switching logic to stage payloads such as Winos 4.0 entirely in memory, evading traditional antivirus tools. It then connects to attacker-controlled servers, mostly hosted in Hong Kong, for further instructions or additional malware.
The attacks focus on Chinese-speaking environments, consistent with Void Arachne (aka Silver Fox), the threat cluster behind Winos 4.0. First identified by Trend Micro in mid-2024, Winos 4.0 is a modular framework built atop the infamous Gh0st RAT. Written in C++, it supports remote access, data harvesting, and even DDoS attacks.
The infection chain begins with a trojanized NSIS installer impersonating QQ Browser or LetsVPN. The installers use reflective DLL injection and shellcode hidden in .ini files, often bundled with expired but legitimate-looking digital certificates. In one instance, a malicious binary signed with an outdated VeriSign certificate falsely attributed to Tencent was used to load Winos 4.0.
The threat actors shifted tactics in April 2025, when they began using PowerShell to disable Microsoft Defender protections and scan for the Qihoo 360 antivirus suite before dropping the final payload.
The malware contains checks for Chinese language settings but continues execution regardless of the result, suggesting a feature still under development for future updates. Persistence is maintained via scheduled tasks designed to execute weeks after initial infection.
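As an added illustration (not code from the Rapid7 report), a hunting heuristic for the delayed-persistence behaviour described above: it parses exported Task Scheduler XML and flags tasks whose first trigger fires weeks after the task was registered. The task XML below is constructed sample data, and the placeholder executable path and the 14-day threshold are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Task Scheduler XML puts every element under this default namespace.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def _parse_ts(value):
    """Parse a Task Scheduler timestamp; fractional seconds and a trailing Z are dropped
    so that all values compare as naive local times (assumption for this heuristic)."""
    return datetime.fromisoformat(value.strip().split(".")[0].rstrip("Z"))


def delay_days(task_xml):
    """Days between task registration and its earliest trigger, or None if unknown."""
    root = ET.fromstring(task_xml)
    reg = root.find("t:RegistrationInfo/t:Date", NS)
    if reg is None or not reg.text:
        return None
    starts = [_parse_ts(e.text)
              for e in root.iterfind(".//t:Triggers//t:StartBoundary", NS) if e.text]
    if not starts:
        return None
    return (min(starts) - _parse_ts(reg.text)).days


def is_delayed_persistence(task_xml, min_days=14):
    """Flag tasks whose first run is at least min_days after they were created."""
    days = delay_days(task_xml)
    return days is not None and days >= min_days


# Constructed sample: registered on 2 April, first run scheduled four weeks later.
SAMPLE_DELAYED = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2025-04-02T10:15:00</Date></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2025-04-30T10:15:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\ProgramData\\PLACEHOLDER\\loader.exe</Command></Exec></Actions>
</Task>"""

# Constructed sample: an ordinary task that runs minutes after it is created.
SAMPLE_BENIGN = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2025-04-02T10:15:00</Date></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2025-04-02T10:20:00</StartBoundary></TimeTrigger></Triggers>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("delayed", SAMPLE_DELAYED), ("benign", SAMPLE_BENIGN)):
        print(name, delay_days(xml), is_delayed_persistence(xml))
```

Exported task XML can be collected on a host with `schtasks /query /xml` for triage against this heuristic.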