Hackers Distribute Winos 4.0 Malware via Fake VPN and Browser Installers

Monday, May 26, 2025

Cybersecurity researchers have uncovered a new malware campaign in which attackers distribute fake software installers disguised as popular tools such as LetsVPN and QQ Browser to deploy a malware framework known as Winos 4.0. The campaign was first observed by Rapid7 in February 2025 and uses a multi-stage, memory-resident loader named Catena, designed to evade traditional antivirus detection. Researchers Anna Širokova and Ivan Feigl noted that “Catena uses shellcode injection and logic obfuscation to deliver payloads like Winos 4.0 directly into system memory. Once installed, it connects to a command-and-control (C2) server—mostly hosted in Hong Kong—for further instructions or additional malware.”

Winos 4.0, also known as ValleyRAT, was publicly revealed by Trend Micro in June 2024. It has been linked to attacks targeting Chinese-speaking users, typically delivered via malicious Windows Installer (MSI) packages posing as VPN apps. The malware is believed to be associated with Void Arachne (aka Silver Fox), an advanced threat actor. Built in C++, Winos 4.0 is a powerful remote access trojan (RAT) framework evolved from Gh0st RAT. It features a plugin-based architecture that enables attackers to harvest sensitive data, execute remote shell commands, and even use compromised machines for Distributed Denial-of-Service (DDoS) attacks.

Earlier campaigns used malicious game-related applications or phishing emails spoofing the Taiwanese tax authority to lure victims. In early 2025, the attackers changed tactics and switched to fake NSIS installers masquerading as official LetsVPN installers. These installers executed PowerShell commands to add directory exclusions to Microsoft Defender, then deployed additional malware components, such as process checkers and DLL loaders that connected to C2 servers to download Winos 4.0. The fake installers were signed with expired digital certificates issued under the name “Tencent” in an attempt to evade security checks.
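The Defender-exclusion step described above leaves two kinds of host telemetry that a detection engineer can alert on: Defender's own operational-log event 5007 ("Configuration has changed") whenever an exclusion key is written, and PowerShell script-block logging (event 4104) when a cmdlet such as Add-MpPreference -ExclusionPath runs. The following is an added example, not code from the article or from Rapid7, that scans constructed event records for both signals; the sample messages approximate the real log formats and the paths in them (LetsVPN, QQBrowser) are made up to mirror the lures the campaign used.

```python
"""Flag Microsoft Defender exclusion changes in constructed Windows event records.

Added example for illustration; the event dictionaries below are constructed
approximations of Defender operational-log event 5007 and PowerShell
script-block event 4104, not real telemetry from this campaign.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample telemetry (not from the article).
SAMPLE_EVENTS = [
    {"provider": "Microsoft-Windows-Windows Defender", "event_id": 5007,
     "message": ("Microsoft Defender Antivirus Configuration has changed. "
                 "If this is an unexpected event you should review the settings.\r\n"
                 "\tOld value: \r\n"
                 "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"
                 "\\C:\\Users\\Public\\LetsVPN = 0x0")},
    {"provider": "Microsoft-Windows-PowerShell", "event_id": 4104,
     "message": ("Creating Scriptblock text (1 of 1):\r\n"
                 "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\QQBrowser' -Force")},
    {"provider": "Microsoft-Windows-PowerShell", "event_id": 4104,
     "message": "Creating Scriptblock text (1 of 1):\r\nGet-MpComputerStatus"},  # benign
    {"provider": "Microsoft-Windows-Windows Defender", "event_id": 5007,
     "message": ("Microsoft Defender Antivirus Configuration has changed.\r\n"
                 "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                 "\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1")},
]

# Event 5007: a new exclusion shows up as a registry value under Exclusions\<kind>\<item> = 0x0.
EXCLUSION_KEY_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x0",
    re.IGNORECASE,
)
# Event 5007: real-time protection switched off.
RTP_DISABLE_RE = re.compile(
    r"Real-Time Protection\\DisableRealtimeMonitoring\s*=\s*0x1", re.IGNORECASE
)
# Event 4104: Add-/Set-MpPreference with an -Exclusion* argument (quoted or bare value).
PS_EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|([^\s'\"]+))",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str      # short label of the detection rule that fired
    detail: str    # the excluded item or changed setting


def scan_event(event: dict) -> list[Finding]:
    """Return the findings for a single event record (empty list if benign)."""
    findings: list[Finding] = []
    eid, msg = event["event_id"], event["message"]
    if eid == 5007:
        m = EXCLUSION_KEY_RE.search(msg)
        if m:
            findings.append(Finding(eid, f"defender-exclusion-{m.group(1).lower()}", m.group(2).strip()))
        if RTP_DISABLE_RE.search(msg):
            findings.append(Finding(eid, "defender-realtime-disabled", "DisableRealtimeMonitoring = 0x1"))
    elif eid == 4104:
        for m in PS_EXCLUSION_RE.finditer(msg):
            # Exactly one of the three value groups matched; take it.
            value = next(g for g in m.groups()[1:] if g is not None)
            findings.append(Finding(eid, f"defender-exclusion-{m.group(1).lower()}", value))
    return findings


def scan_events(events: list[dict]) -> list[Finding]:
    """Scan a batch of event records and collect every finding in order."""
    return [f for e in events for f in scan_event(e)]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding.event_id}] {finding.rule}: {finding.detail}")
```

Matching on the 5007 registry path catches exclusions however they were added (PowerShell, Group Policy, direct registry writes), while the 4104 rule gives the command line itself; in a SIEM the two would normally be correlated with the parent process of the PowerShell instance, since an installer spawning PowerShell to exclude its own directory is the behaviour the article describes.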

The campaign is still ongoing in 2025, demonstrating the threat actor’s technical adaptability and their focus on Chinese-speaking regions as primary targets.

Source: https://thehackernews.com/2025/05/hackers-use-fake-vpn-and-browser-nsis.html