Winos 4.0 Malware Spreads via Fake Installers in 2025 Campaign

June 18, 2025

The Winos 4.0 malware campaign continues to grow more dangerous in 2025. Attackers now use fake software installers to quietly deliver powerful backdoors across Chinese-speaking environments. Researchers at Rapid7 first observed the campaign in February, when they discovered a memory-resident loader called Catena that stages Winos 4.0 directly in RAM.

According to analysts Anna Širokova and Ivan Feigl, Catena embeds shellcode and configuration-switching logic that help it evade detection by most antivirus tools. Once deployed, the malware contacts remote servers, mostly located in Hong Kong, to fetch further instructions or load additional malware components.

This year’s tactics mirror older Winos operations but add new improvements. Previous campaigns relied on malicious VPN and gaming software to spread. In contrast, this version impersonates trusted tools like QQ Browser and LetsVPN. Although the malware checks whether the system language is Chinese, it runs regardless of the result, which suggests the check is unfinished and reserved for a future update.

Security firm Trend Micro first documented Winos 4.0, also called ValleyRAT, in 2024. Built in C++, the malware evolved from the Gh0st RAT and includes plugins for spying, remote shell access, and launching DDoS attacks. Experts link the threat to a known group called Void Arachne, also referred to as Silver Fox APT.

Since its discovery, the Winos 4.0 malware campaign has used multiple lures, including fake game boosters and system optimizers. Earlier in 2025, phishing emails in Taiwan pretended to come from the National Taxation Bureau. These attacks follow a consistent pattern: trick users into downloading trojanized software and maintain stealthy access to infected systems.

Rapid7’s findings show how the malware chain works. Attackers bundle NSIS installers with signed decoy apps and insert shellcode into configuration files. They also use reflective DLL injection to avoid detection and remain memory-resident. The process begins when a tampered installer runs and stages the Catena loader.

In April 2025, researchers noted a key shift. A new NSIS installer, disguised as a LetsVPN setup file, ran PowerShell commands that excluded all drives (C:\ to Z:) from Microsoft Defender scans. Then it dropped extra files, including one executable that scanned for known antivirus processes, like those from 360 Total Security.
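The Defender-exclusion step above is the kind of behaviour that is cheap to catch if PowerShell script block logging (Event ID 4104) is enabled. The following detection logic is an added example, not code from the article or from Rapid7: it scans script block text for Add-MpPreference/Set-MpPreference calls, splits the -ExclusionPath argument, and flags exclusions that cover bare drive roots, as well as outright disabling of real-time monitoring. The sample script blocks are constructed for illustration, and the severity thresholds are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of PowerShell script-block text (the body that Event ID 4104
# would record). These lines are illustrative, not taken from the Rapid7 report.
SAMPLE_SCRIPT_BLOCKS = [
    # Benign: a narrow exclusion for one build directory.
    r'Add-MpPreference -ExclusionPath "C:\build\cache"',
    # Suspicious: exclude every drive-letter root, as the article describes.
    r'Add-MpPreference -ExclusionPath "C:\","D:\","E:\","F:\","G:\","H:\","I:\","J:\","K:\","L:\","M:\","N:\","O:\","P:\","Q:\","R:\","S:\","T:\","U:\","V:\","W:\","X:\","Y:\","Z:\"',
    # Also worth flagging: turning real-time monitoring off outright.
    r'Set-MpPreference -DisableRealtimeMonitoring $true',
    # Unrelated command, should produce no finding.
    r'Get-ChildItem C:\Users',
]

# A bare drive root such as C: or C:\ (nothing after the colon/backslash).
DRIVE_ROOT = re.compile(r'^[A-Za-z]:\\?$')
EXCLUSION_CMD = re.compile(
    r'\b(?:Add|Set)-MpPreference\b.*?-ExclusionPath\s+(?P<paths>[^\r\n]+)', re.IGNORECASE)
DISABLE_RT = re.compile(
    r'\bSet-MpPreference\b.*?-DisableRealtimeMonitoring\s+\$true', re.IGNORECASE)


@dataclass
class Finding:
    severity: str          # 'low', 'medium' or 'high' (thresholds are an assumption)
    reason: str
    paths: list = field(default_factory=list)


def parse_exclusion_paths(arg_text):
    """Split the -ExclusionPath argument into individual paths.

    Handles comma-separated, quoted or unquoted values. The argument is cut at the
    next " -Parameter" token, a heuristic that is good enough for logged one-liners.
    """
    arg_text = re.split(r'\s+-[A-Za-z]', arg_text, maxsplit=1)[0]
    return [p.strip().strip('"\'') for p in arg_text.split(',') if p.strip()]


def analyze_script_block(text):
    """Return a list of Finding objects for one script block (empty if nothing matched)."""
    findings = []
    m = EXCLUSION_CMD.search(text)
    if m:
        paths = parse_exclusion_paths(m.group('paths'))
        roots = [p for p in paths if DRIVE_ROOT.match(p)]
        if roots:
            # Several whole drives excluded at once is effectively disabling scanning.
            severity = 'high' if len(roots) >= 3 else 'medium'
            findings.append(Finding(severity,
                                    f'{len(roots)} drive root(s) excluded from Defender scanning',
                                    roots))
        else:
            findings.append(Finding('low', 'Defender exclusion path added', paths))
    if DISABLE_RT.search(text):
        findings.append(Finding('high', 'Defender real-time monitoring disabled'))
    return findings


def triage(script_blocks):
    """Return (script_block, findings) pairs for every block that produced a finding."""
    results = []
    for block in script_blocks:
        findings = analyze_script_block(block)
        if findings:
            results.append((block, findings))
    return results


if __name__ == '__main__':
    for block, findings in triage(SAMPLE_SCRIPT_BLOCKS):
        for f in findings:
            print(f'[{f.severity}] {f.reason}: {block[:60]}')
```

In production the same checks belong on the 4104 message field (or on Defender's own Event ID 5007 configuration-change events), and the drive-root rule should be tuned to the exclusions your build or backup tooling legitimately adds.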

The executable came signed with an expired VeriSign certificate that appeared to belong to Tencent Technology (Shenzhen). Although an expired certificate should fail signature validation, the familiar publisher name still makes the file look legitimate to a casual inspection. This executable reflectively loaded a DLL, which then contacted two known command-and-control servers over TCP port 18852 and HTTPS port 443.

The malware maintains persistence by creating scheduled tasks. These tasks often trigger weeks after infection, reducing the chances of early detection. Unlike malware that activates immediately, this delayed behavior signals a strategic, long-term intrusion.
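A delayed first trigger is visible in the task definition itself, so it can be hunted for without waiting for the task to fire. The script below is an added example (not from the article or from Rapid7) that parses Task Scheduler XML, compares the registration date with the earliest trigger StartBoundary, and flags tasks whose first run is more than an assumed 14 days out or whose command sits outside Windows or Program Files. The three task definitions are constructed for illustration, with the UTF-16 XML declaration omitted; real ones can be exported with `schtasks /Query /XML` or read from C:\Windows\System32\Tasks.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML definition.
NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}

# Constructed task definitions (illustrative, not recovered from a real infection).
SAMPLE_TASKS = {
    # Ordinary vendor updater: runs immediately from Program Files.
    'VendorUpdater': r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2025-04-10T09:12:33</Date></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-04-10T09:12:00</StartBoundary><Enabled>true</Enabled>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\Updater.exe</Command></Exec></Actions>
</Task>""",
    # Suspicious: registered in April, first fires a month later, runs from a public folder.
    'SystemCache': r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2025-04-10T09:13:02</Date></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2025-05-10T09:30:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\Libraries\update.exe</Command></Exec></Actions>
</Task>""",
    # No registration date at all: cannot judge the delay from the XML alone.
    'CleanTemp': r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>admin</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\cmd.exe</Command><Arguments>/c del /q %TEMP%\*</Arguments></Exec></Actions>
</Task>""",
}

# Prefixes considered "expected" install locations (lower-cased, heuristic only;
# environment-variable forms such as %windir% are not expanded here).
TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files')


def first_start(task):
    """Earliest StartBoundary across all triggers, or None if no trigger has one."""
    starts = [datetime.fromisoformat(sb.text.strip())
              for sb in task.findall('.//t:Triggers/*/t:StartBoundary', NS) if sb.text]
    return min(starts) if starts else None


def analyze_task(name, xml_text, delay_days=14):
    """Return a dict describing the task and the reasons (if any) it was flagged."""
    task = ET.fromstring(xml_text)
    reg = task.find('t:RegistrationInfo/t:Date', NS)
    registered = datetime.fromisoformat(reg.text.strip()) if reg is not None and reg.text else None
    start = first_start(task)
    commands = [c.text.strip() for c in task.findall('.//t:Actions/t:Exec/t:Command', NS) if c.text]
    flags = []

    if registered and start:
        delay = (start - registered).days
        if delay >= delay_days:
            flags.append(f'first trigger {delay} days after registration')
    elif registered is None:
        # Fall back to the creation time of the task file under System32\Tasks.
        flags.append('no registration date recorded; compare against the task file creation time')

    for cmd in commands:
        if not cmd.lower().strip('"').startswith(TRUSTED_PREFIXES):
            flags.append(f'executable outside Windows or Program Files: {cmd}')

    return {'name': name, 'registered': registered, 'first_start': start,
            'commands': commands, 'flags': flags}


def triage_tasks(tasks, delay_days=14):
    """Analyze a mapping of task name -> XML text and return one result per task."""
    return [analyze_task(name, xml_text, delay_days) for name, xml_text in tasks.items()]


if __name__ == '__main__':
    for result in triage_tasks(SAMPLE_TASKS):
        if result['flags']:
            print(result['name'])
            for flag in result['flags']:
                print('  -', flag)
```

The delay threshold is the interesting knob: most legitimate software registers tasks that fire within hours or days, so a first run weeks out from registration is rare enough to review by hand, which is exactly the window the article says this campaign uses.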

Even more troubling, the attackers are adapting quickly. The malware shows signs of deliberate planning, including code to avoid antivirus scans and the use of expired but once-legitimate certificates. These updates point to a skilled threat group behind the campaign.

Researchers urge organizations to remain vigilant. They should verify software sources, audit Microsoft Defender exclusion lists, monitor for newly created scheduled tasks, and inspect memory for signs of reflectively loaded DLLs. Tools that rely only on disk-based scanning may miss these memory-resident threats.

The Winos 4.0 malware campaign proves that advanced attackers are refining their tactics. By relying on stealthy loaders like Catena, fake software installers, and memory-resident payloads, they bypass standard defenses and establish long-term access.
