
The VPN You Shouldn’t Have Downloaded

Source: The Hacker News

A sophisticated malware campaign has emerged, leveraging counterfeit VPN and browser installers to deploy Winos 4.0, a stealthy remote access trojan (RAT). Disguised as legitimate applications like LetsVPN and QQBrowser, these trojanized installers abuse the Nullsoft Scriptable Install System (NSIS) to execute a multi-stage, in-memory attack sequence. [2,4]

The infection chain initiates with the Catena loader, a memory-resident component that employs shellcode embedded in .ini files and reflective DLL injection to evade traditional antivirus detection. This loader orchestrates the deployment of Winos 4.0, a modular malware framework capable of data exfiltration, remote shell access, and distributed denial-of-service (DDoS) attacks. [2]

Notably, the malware exhibits region-specific targeting, primarily focusing on Chinese-speaking users. It checks for Chinese language settings on infected systems, although this filter is not strictly enforced, indicating potential expansion to broader targets. [3]

To maintain persistence, the malware registers scheduled tasks set to execute weeks after the initial compromise. Additionally, it modifies Microsoft Defender settings via PowerShell commands to exclude all drives from scanning, further concealing its presence. [2]
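As an added defender-side example (not part of the article or the cited research), the following PowerShell audits a Windows host for the two persistence traits described above: Defender path exclusions that span a whole drive root, and scheduled tasks whose first run is set weeks into the future. It assumes the Defender and ScheduledTasks modules are available; the function name, the 14-day task threshold and the 30-day event window are my own constructed choices.

```powershell
function Find-WinosStylePersistence {
    [CmdletBinding()]
    param(
        # Tasks first firing this many days or more from now are flagged; constructed threshold.
        [int]$DelayThresholdDays = 14
    )
    $findings = @()

    # 1. Defender path exclusions covering a whole drive root ("C:\" or "D:"), which
    #    effectively switch scanning off for that volume.
    $pref = Get-MpPreference
    foreach ($path in @($pref.ExclusionPath)) {
        if ($path -match '^[A-Za-z]:\\?$') {
            $findings += [pscustomobject]@{ Type = 'DefenderDriveRootExclusion'; Detail = $path }
        }
    }

    # 2. Scheduled tasks outside Microsoft's own folders whose first trigger lies far in
    #    the future, the "fire weeks after compromise" pattern described in the article.
    $cutoff = (Get-Date).AddDays($DelayThresholdDays)
    $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }
    foreach ($task in $tasks) {
        foreach ($trigger in @($task.Triggers)) {
            if (-not $trigger.StartBoundary) { continue }
            $start = [datetime]::Parse($trigger.StartBoundary)
            if ($start -gt $cutoff) {
                $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                $findings += [pscustomobject]@{
                    Type   = 'DelayedScheduledTask'
                    Detail = "$($task.TaskPath)$($task.TaskName) first runs $start -> $action"
                }
            }
        }
    }

    # 3. Defender configuration-change events (ID 5007) from the last 30 days that touched
    #    exclusions; the "New value" line names the exclusion that was written.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
        StartTime = (Get-Date).AddDays(-30)
    }
    foreach ($ev in @($events)) {
        if ($ev.Message -match 'Exclusions') {
            $newValue = ($ev.Message -split "`r?`n" | Where-Object { $_ -match 'New value' }) -join ' '
            $findings += [pscustomobject]@{ Type = 'DefenderExclusionChanged'; Detail = "$($ev.TimeCreated): $newValue" }
        }
    }
    return $findings
}

Find-WinosStylePersistence | Format-Table -AutoSize
```

Run it from an elevated prompt so that Get-MpPreference and the Defender operational log are readable; an empty table means none of the three traits was found on the host.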

The campaign’s infrastructure includes command-and-control servers primarily hosted in Hong Kong, utilizing TCP port 18856 and HTTPS port 443 for communication. The use of expired digital certificates, allegedly from reputable companies, adds a layer of legitimacy to the malicious installers, deceiving users into trusting the software. [2]

This operation has been attributed to the threat group known as Void Arachne, also referred to as Silver Fox, indicating a high level of organization and long-term planning. The campaign underscores the need for heightened vigilance when downloading software, even from seemingly trustworthy sources. [1]

References

[1] A. Širokova and I. Feigl, “NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign,” Rapid7, May 22, 2025. [Online]. Available: https://www.rapid7.com/blog/post/2025/05/22/nsis-abuse-and-srdi-shellcode-anatomy-of-the-winos-4-0-campaign/

[2] R. Lakshmanan, “Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware,” The Hacker News, May 25, 2025. [Online]. Available: https://thehackernews.com/2025/05/hackers-use-fake-vpn-and-browser-nsis.html

[3] A. Mishra, “Winos 4.0 Malware Masquerades as VPN and QQBrowser to Target Users,” GBHackers, May 23, 2025. [Online]. Available: https://gbhackers.com/winos-4-0-malware-masquerades-as-vpn-and-qqbrowser/

[4] I. Tasdelen, “Hackers Are Sneaking Winos 4.0 Malware Through Fake VPN and Browser Installers,” Medium, May 26, 2025. [Online]. Available: https://medium.com/@ismailtasdelen/hackers-are-sneaking-winos-4-0-malware-through-fake-vpn-and-browser-installers-e83584ef5ea3
