A sophisticated malware campaign leveraging fake software installers disguised as popular applications has emerged as a significant threat to cybersecurity infrastructure, with attackers deploying the hard-to-detect Winos 4.0 malware through deceptive VPN and QQBrowser installations.
The campaign represents a concerning evolution in memory-resident attack techniques, utilizing multi-layered infection chains that entirely bypass traditional antivirus detection mechanisms by operating exclusively within system memory.
The malicious operation, which surfaced during heightened cybersecurity monitoring in early 2025, employs what security researchers have termed “Catena loader” – a modular, chain-like infection structure that uses embedded shellcode and sophisticated configuration switching logic to stage payloads without leaving traditional file-based footprints.
This approach allows the malware to establish persistent remote access capabilities while maintaining an extremely low detection profile across infected systems.
Rapid7 analysts first identified the campaign during a February 2025 Managed Detection and Response investigation, where suspicious activity involving a trojanized NSIS installer masquerading as QQBrowser setup was detected on customer infrastructure.
Since this initial discovery, researchers have observed consistent evolution in the campaign’s tactics, with threat actors demonstrating remarkable adaptability by modifying delivery mechanisms while maintaining core operational infrastructure and execution methodologies.
The campaign appears strategically focused on Chinese-speaking environments, with embedded language checks and infrastructure predominantly hosted in Hong Kong suggesting targeted regional operations.
While widespread targeting has not been observed, the sophisticated nature of the attack chain and evidence of long-term planning indicate involvement by a capable threat group with substantial resources and technical expertise.
Infection Mechanism: The Catena Loader Chain
The Catena loader represents a masterfully engineered infection mechanism that demonstrates advanced understanding of system-level exploitation and evasion techniques.
The attack begins with trojanized NSIS installers that masquerade as legitimate applications such as LetsVPN, Telegram, or Chrome installers, each containing valid digital certificates and functional decoy applications to maintain convincing legitimacy.
Upon execution, the malicious installer deploys a carefully orchestrated multi-stage process.
The NSIS script initially executes PowerShell commands to add Microsoft Defender exclusions across all system drives (C: through Z:), effectively neutering endpoint protection before proceeding with payload deployment.
The installer then stages components across multiple directories, placing first-stage loaders and shellcode blobs in %LOCALAPPDATA% while positioning second-stage payloads in %APPDATA%\TrustAsia.
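The drive-wide Defender exclusions described above are a loud signal in process command-line telemetry. The following is an added detection example, not Rapid7's code or anything from the campaign itself; it assumes the exclusions are added with the real `Add-MpPreference -ExclusionPath` cmdlet, and the log lines it scans are constructed for the demonstration.

```python
import re
import string

# Constructed process-creation telemetry (not from the article): "<time> <image> <command line>".
# The first record mirrors the article's behaviour: every drive root from C: to Z: excluded at once.
ALL_DRIVES = ",".join(f"'{c}:\\'" for c in string.ascii_uppercase[2:])  # 'C:\',...,'Z:\'
SAMPLE_LOG = "\n".join([
    f"2025-02-11T09:14:02Z powershell.exe Add-MpPreference -ExclusionPath {ALL_DRIVES}",
    r"2025-02-11T09:14:05Z powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor\app.exe'",
    r"2025-02-11T09:15:00Z powershell.exe Add-MpPreference -ExclusionPath 'D:\' ; Start-Sleep 1",
    r"2025-02-11T09:16:00Z cmd.exe /c echo hello",
])

# Argument list following -ExclusionPath, up to the next statement separator (array syntax @() is not handled).
EXCLUSION_ARGS = re.compile(r"-ExclusionPath\s+([^;|]+)", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")          # a bare drive root such as C: or C:\
ALL_ROOTS = {f"{c}:" for c in string.ascii_uppercase[2:]}  # C: .. Z:

def excluded_paths(cmdline):
    """Return every path passed to Add-MpPreference -ExclusionPath in one command line."""
    if not re.search(r"\bAdd-MpPreference\b", cmdline, re.IGNORECASE):
        return []
    paths = []
    for m in EXCLUSION_ARGS.finditer(cmdline):
        for tok in m.group(1).split(","):
            tok = tok.strip().strip("'\"")
            if tok:
                paths.append(tok)
    return paths

def drive_roots(paths):
    """Normalise and return the drive roots (e.g. 'C:') among the excluded paths."""
    return sorted({p.rstrip("\\").upper() for p in paths if DRIVE_ROOT.match(p)})

def classify(cmdline):
    """'blanket' when C:..Z: are all excluded, 'drive_root' for any root exclusion, else None."""
    roots = drive_roots(excluded_paths(cmdline))
    if not roots:
        return None
    return "blanket" if set(roots) >= ALL_ROOTS else "drive_root"

def scan(log_text):
    """Yield (timestamp, verdict, excluded drive roots) for each suspicious record."""
    findings = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            findings.append((line.split(" ", 1)[0], verdict, drive_roots(excluded_paths(line))))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A single-file exclusion like the second record is left alone, so the rule stays quiet on ordinary software installs while still catching any exclusion of a whole drive.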
The infection chain’s sophistication becomes apparent in its use of reflective DLL injection techniques, specifically leveraging the open-source Shellcode Reflective DLL Injection (sRDI) framework to load malicious code entirely within memory.
Configuration files named Config.ini and Config2.ini, despite their benign appearance, contain binary blobs embedding sRDI shellcode and complete DLL payloads that execute without traditional file extraction.
Central to the loader’s operation is a mutex-based decision system that determines payload selection based on runtime conditions.
The malware creates hardcoded mutexes such as VJANCAVESU and checks for marker files like Temp.aps to determine whether to load Config.ini or Config2.ini.
This sophisticated switching mechanism enables the campaign to deploy different payloads based on infection state and system conditions, ultimately delivering the Winos 4.0 stager from command-and-control servers primarily hosted at 134.122.204[.]11:18852 and 103.46.185[.]44:443.
The final payload establishes persistent communication channels while implementing multiple redundancy mechanisms, including scheduled task registration, process monitoring scripts, and watchdog functions that ensure continuous operation even after system restarts or security intervention attempts.