Winos 4.0 Malware Masquerades as VPN and QQBrowser to Target Users


Rapid7 has uncovered a malware campaign that delivers Winos 4.0, a memory-resident stager, through fake installers for popular software such as LetsVPN and QQBrowser.

First detected during a February 2025 Managed Detection and Response (MDR) investigation, the operation uses a multi-stage infection chain that Rapid7 has named the Catena loader.

Catena relies on trojanized NSIS installers and stages its payloads entirely in memory, which keeps the malicious code off disk and out of reach of signature-based antivirus.


Campaign Leverages Trojanized Installers

The campaign has been active throughout 2025 and predominantly targets Chinese-speaking environments, with infrastructure hosted primarily in Hong Kong. The level of planning points to a capable threat group, which Rapid7 assesses may be linked to the Silver Fox APT.

The Catena infection chain begins with an NSIS installer that looks legitimate. It drops a signed decoy executable alongside the malicious components: INI files with embedded shellcode and DLLs built for reflective loading.
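A file that carries shellcode but calls itself Config.ini looks nothing like a real configuration file, and that difference is easy to measure. The following is an added example, written for this article rather than taken from Rapid7's analysis, that scores a file on byte entropy and printable-character ratio. The two inputs are constructed: a repetitive plain-text INI and a pseudo-random blob standing in for embedded shellcode; the thresholds are assumptions and should be tuned against your own file population.

```python
"""Heuristic check for shellcode smuggled inside an INI-style file.

Added example, not Rapid7's tooling. Catena's Config.ini / Config2.ini
carry raw shellcode; a genuine INI is short, line-oriented and almost
entirely printable ASCII. A large, high-entropy, mostly non-printable
file named *.ini is the signal this check looks for.
"""
import math
import random
import string

# Bytes that a text-only configuration file is expected to contain.
PRINTABLE = set(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (1.0 for empty input)."""
    if not data:
        return 1.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def looks_like_shellcode_ini(data: bytes,
                             entropy_threshold: float = 6.0,
                             printable_threshold: float = 0.85,
                             min_size: int = 1024) -> dict:
    """Score one file. Thresholds are assumed defaults, not values from the article."""
    ent = shannon_entropy(data)
    ratio = printable_ratio(data)
    suspicious = len(data) >= min_size and (ent > entropy_threshold
                                            or ratio < printable_threshold)
    return {"size": len(data), "entropy": round(ent, 2),
            "printable_ratio": round(ratio, 2), "suspicious": suspicious}


# Constructed samples; neither is a real campaign artifact.
BENIGN_INI = (b"[Settings]\nLanguage=zh-CN\nUpdateCheck=1\n"
              b"[Paths]\nInstallDir=C:\\Program Files\\QQBrowser\n") * 20

# Deterministic pseudo-random bytes stand in for embedded shellcode.
_rng = random.Random(7)
SHELLCODE_INI = b"[Config]\nData=" + bytes(_rng.getrandbits(8) for _ in range(4096)) + b"\n"


def demo() -> dict:
    """Score both constructed samples; used by the usage run below."""
    return {"benign": looks_like_shellcode_ini(BENIGN_INI),
            "shellcode": looks_like_shellcode_ini(SHELLCODE_INI)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```

The check deliberately keys on content rather than on the file name, so it also catches the same trick under a different extension; expect it to flag legitimately packed or compressed data too, so treat a hit as a triage prompt rather than a verdict.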

In the February MDR case, which involved a QQBrowser installer, Rapid7 observed the creation of an Axialis directory under %APPDATA%. It held scripts and DLLs that used mutex-based logic to choose between two payload files, Config.ini and Config2.ini, with the selected payload run through reflective DLL injection.

By April 2025 the tooling had changed: in samples such as the LetsVPN installer, the PowerShell scripts were replaced by direct DLL invocation through regsvr32.exe, a sign that the operators adapt to detection pressure.

In-Memory Execution

Once running, the loader connects to attacker-controlled servers over TCP port 18852 or HTTPS on port 443 to fetch the Winos 4.0 stager and further payloads. Persistence comes from scheduled tasks and a watchdog script, monitor.bat, that relaunches the malware if it is terminated.

The malware also checks for Chinese language settings, although the check is not strictly enforced; its presence points to a regional targeting intent rather than a hard geofence.

Technically, the campaign stands out for its use of sRDI (Shellcode Reflective DLL Injection) to execute payloads in memory, which keeps the on-disk footprint small and sidesteps file-based endpoint defenses.

Hardcoded mutexes such as "VJANCAVESU" and "zhuxianlu" drive payload selection, while dedicated threads handle tasks such as weakening Microsoft Defender by adding exclusions through PowerShell and scanning for processes such as Telegram.exe to alter the malware's behavior.

Infrastructure analysis revealed a consistent set of C2 servers, including 134.122.204.11:18852 and 103.46.185.44:443, serving identical Winos 4.0 stagers; Shodan scans corroborated this, showing the same payloads across multiple IPs.
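The behaviours described above (a drop directory under %APPDATA%\Axialis, regsvr32.exe loading a DLL from it, a monitor.bat watchdog, Defender exclusions added via PowerShell, and outbound connections to the two C2 endpoints) are all visible in ordinary endpoint telemetry. The following is an added hunting example written for this article; it is not Rapid7's detection content. The indicators are the ones the article reports; the event format is a simplified, constructed Sysmon-like JSON-lines shape, and the Add-MpPreference pattern is an assumption based on the standard cmdlet for Defender exclusions, since the article does not quote the exact command. Mutex names are not logged by process telemetry, so they are left to memory or handle inspection.

```python
"""Hunt for Catena / Winos 4.0 indicators in endpoint telemetry.

Added example for this article, not Rapid7's detection content. The
C2 endpoints, file hashes, drop directory, regsvr32 loading, watchdog
script and Defender-exclusion behaviour are as reported in the article;
the event shape below is constructed and simplified. Adapt the field
names to whatever your EDR or Sysmon pipeline actually emits.
"""
import json
import re

# C2 endpoints reported in the article.
C2_ENDPOINTS = {("134.122.204.11", 18852), ("103.46.185.44", 443)}

# SHA-256 hashes from the article's IOC table.
IOC_SHA256 = {
    "E2490CFD25D8E66A7888F70B56FF8409494DE3B3D87BC5464D3ADABBA8B32177": "Config.ini (shellcode)",
    "B8E8A13859ED42E6E708346C555A094FDC3FBD69C3C1CB9EFB43C08C86FE32D0": "intel.dll (secondary loader)",
}

# %APPDATA% expands to ...\AppData\Roaming, so the drop path is matched there.
AXIALIS_DIR = re.compile(r"\\AppData\\Roaming\\Axialis\\", re.IGNORECASE)

# Assumed: Add-MpPreference is the cmdlet that adds Defender exclusions.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion", re.IGNORECASE)


def check_event(ev: dict) -> list:
    """Return the rule names a single event trips (empty list if none)."""
    hits = []
    kind = ev.get("event")
    if kind == "network_connect":
        if (ev.get("dst_ip"), int(ev.get("dst_port", 0))) in C2_ENDPOINTS:
            hits.append("winos_c2_connection")
    elif kind == "file_create":
        digest = ev.get("sha256", "").upper()
        if digest in IOC_SHA256:
            hits.append("catena_known_hash:" + IOC_SHA256[digest])
        if AXIALIS_DIR.search(ev.get("path", "")):
            hits.append("catena_axialis_drop")
    elif kind == "process_create":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        if image.endswith("\\regsvr32.exe") and AXIALIS_DIR.search(cmd):
            hits.append("catena_regsvr32_appdata_dll")
        if "monitor.bat" in cmd.lower():
            hits.append("catena_watchdog_monitor_bat")
        if image.endswith("\\powershell.exe") and DEFENDER_EXCLUSION.search(cmd):
            hits.append("defender_exclusion_added")
    return hits


def hunt(lines) -> list:
    """Run every rule over JSON-lines telemetry and return one alert per hit."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in check_event(ev):
            alerts.append({"rule": rule, "host": ev.get("host"), "ts": ev.get("ts")})
    return alerts


# Constructed telemetry: one benign event followed by events mirroring the
# behaviours described in the article. Not real log data.
SAMPLE_LOG = r'''
{"ts":"2025-04-02T09:10:01Z","host":"WS01","event":"process_create","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe readme.txt"}
{"ts":"2025-04-02T09:12:44Z","host":"WS01","event":"file_create","path":"C:\\Users\\u\\AppData\\Roaming\\Axialis\\Config.ini","sha256":"e2490cfd25d8e66a7888f70b56ff8409494de3b3d87bc5464d3adabba8b32177"}
{"ts":"2025-04-02T09:12:45Z","host":"WS01","event":"process_create","image":"C:\\Windows\\System32\\regsvr32.exe","cmdline":"regsvr32.exe /s C:\\Users\\u\\AppData\\Roaming\\Axialis\\intel.dll"}
{"ts":"2025-04-02T09:12:46Z","host":"WS01","event":"process_create","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -c Add-MpPreference -ExclusionPath C:\\"}
{"ts":"2025-04-02T09:12:50Z","host":"WS01","event":"process_create","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd /c C:\\Users\\u\\AppData\\Roaming\\Axialis\\monitor.bat"}
{"ts":"2025-04-02T09:13:02Z","host":"WS01","event":"network_connect","dst_ip":"134.122.204.11","dst_port":18852}
'''

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

The hash and C2 rules are exact-match and will go stale as the operators rotate infrastructure; the behavioural rules (a DLL loaded by regsvr32.exe from a user profile directory, a watchdog batch file, a fresh Defender exclusion) are the ones worth keeping, since the article notes the loader already changed its execution method once between February and April.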

Debug metadata in the payloads, which references Chinese-language development paths, further supports the regional focus.

Rapid7 continues to monitor variants, deploying detections to counter this evolving threat, which demonstrates a refined playbook leveraging legitimate software facades and memory-based techniques to maintain stealth and persistence.

Indicators of Compromise (IOCs)

Type | Indicator | Description
File (Config.ini), SHA-256 | E2490CFD25D8E66A7888F70B56FF8409494DE3B3D87BC5464D3ADABBA8B32177 | Configuration file carrying shellcode
File (intel.dll), SHA-256 | B8E8A13859ED42E6E708346C555A094FDC3FBD69C3C1CB9EFB43C08C86FE32D0 | Secondary loader DLL
Network, IP:port | 134.122.204.11:18852 | C2 server for payload delivery
Network, IP:port | 103.46.185.44:443 | Alternate C2 server
