Cybersecurity Alert: Fake VPN and Browser Installers Spread Winos 4.0 Malware

Updated: 8 hours ago

A new malware campaign has emerged that uses fake software installers disguised as popular applications such as LetsVPN and QQBrowser to deliver the Winos 4.0 malware. This sophisticated operation, first detected in early 2025, poses a significant threat to users, particularly in Chinese-speaking regions.


Key Takeaways

  • Malware Type: Winos 4.0, a memory-resident malware framework.

  • Delivery Method: Trojanized NSIS installers masquerading as legitimate software.

  • Target Audience: Primarily Chinese-speaking users.

  • Detection Evasion: Operates entirely in memory, bypassing traditional antivirus tools.

  • Infrastructure: Command-and-control servers primarily located in Hong Kong.

Overview Of The Malware Campaign

The Winos 4.0 malware campaign has been characterized by its use of a multi-layered infection chain known as the Catena loader. This loader employs advanced techniques to deliver malicious payloads without leaving traditional file-based footprints, making it particularly challenging for security systems to detect.

The campaign was first identified by Rapid7 during a Managed Detection and Response (MDR) investigation in February 2025. Researchers noted that the malware is designed to establish persistent remote access capabilities while maintaining a low profile across infected systems.

Infection Mechanism

The infection process begins with users downloading what they believe to be legitimate software installers. These installers often carry valid digital signatures and bundle a functional decoy application to enhance their credibility. The following steps outline the infection mechanism:

  1. Trojanized Installers: Users download installers disguised as popular applications like LetsVPN or QQBrowser.

  2. Execution of Malicious Code: Upon execution, the installer runs PowerShell commands to disable Microsoft Defender, effectively neutralizing endpoint protection.

  3. Payload Deployment: The installer stages malicious components in various directories and uses reflective DLL injection to execute code entirely in memory.

  4. Communication with C2 Servers: The malware connects to attacker-controlled servers over specific ports to fetch additional payloads and maintain persistence.
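The Defender-disabling step above is where a defender gets an early detection opportunity: PowerShell script-block logging (Event ID 4104) records the commands an installer runs before any in-memory payload lands. The following is an added example, not code from the article, Rapid7 or the campaign: a small Python detector run over constructed script-block log lines. The article does not name the exact commands the installer issues, so the Set-MpPreference/Add-MpPreference patterns and the log line format are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of PowerShell script-block log lines (Event ID 4104 style);
# not real telemetry. The tampering cmdlets below are assumed, common
# Defender-disabling commands, not ones quoted from the campaign.
SAMPLE_LOGS = [
    "2025-02-10T09:12:01Z host01 EventID=4104 ScriptBlockText=Get-Process | Where-Object CPU -gt 50",
    "2025-02-10T09:12:07Z host01 EventID=4104 ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-02-10T09:12:08Z host01 EventID=4104 ScriptBlockText=Add-MpPreference -ExclusionPath 'C:\\ProgramData\\letsvpn'",
    "2025-02-10T09:12:09Z host01 EventID=4104 ScriptBlockText=sEt-mPpReFeReNcE -DisableIOAVProtection $TRUE",
    "2025-02-10T09:13:00Z host02 EventID=4104 ScriptBlockText=Get-MpPreference",
]

# Rule name and case-insensitive regex. Matching is tolerant of odd casing and
# extra whitespace, which PowerShell ignores and which naive string matches miss.
RULES = [
    ("defender_realtime_disabled", r"set-mppreference.*-disablerealtimemonitoring\s+\$?true"),
    ("defender_ioav_disabled", r"set-mppreference.*-disableioavprotection\s+\$?true"),
    ("defender_behavior_disabled", r"set-mppreference.*-disablebehaviormonitoring\s+\$?true"),
    ("defender_exclusion_added", r"add-mppreference.*-exclusion(path|process|extension)"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+EventID=(?P<eid>\d+)\s+ScriptBlockText=(?P<script>.*)$"
)

@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    rule: str
    script: str

def parse_line(line):
    """Split one constructed log line into its fields; None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_defender_tampering(lines):
    """Return one Alert per script block (Event ID 4104) that matches a rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["eid"] != "4104":
            continue
        for name, pattern in RULES:
            if re.search(pattern, rec["script"], re.IGNORECASE):
                alerts.append(Alert(rec["ts"], rec["host"], name, rec["script"]))
                break  # first matching rule is enough for one script block
    return alerts

if __name__ == "__main__":
    for a in find_defender_tampering(SAMPLE_LOGS):
        print(f"{a.timestamp} {a.host} {a.rule}: {a.script}")
```

Read-only cmdlets such as Get-MpPreference are deliberately not flagged, so the detector keys on state changes rather than on any mention of Defender.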

Technical Sophistication

The Winos 4.0 malware demonstrates a high level of technical sophistication, employing several advanced techniques:

  • Memory-Resident Payloads: The malware operates entirely in memory, which helps it evade detection by traditional antivirus solutions.

  • Reflective DLL Injection: This technique allows the malware to load malicious code without writing files to disk, further minimizing its footprint.

  • Mutex-Based Logic: The malware uses mutexes to determine which payloads to deploy based on runtime conditions, showcasing its adaptability.

Targeting and Regional Focus

The campaign appears to be strategically focused on Chinese-speaking environments, as indicated by embedded language checks and the location of its command-and-control infrastructure. This targeted approach suggests that the threat actors are likely part of a well-organized group with substantial resources and technical expertise.

The emergence of the Winos 4.0 malware campaign highlights the evolving landscape of cyber threats, particularly the use of deceptive tactics to compromise user systems. As this campaign continues to evolve, it underscores the importance of vigilance and robust cybersecurity measures to protect against such sophisticated attacks. Users are advised to be cautious when downloading software and to ensure they are obtaining applications from trusted sources.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
