Researchers revealed a malware campaign that uses fake installers impersonating software such as LetsVPN and QQ Browser to deliver the Winos 4.0 framework. Detected by Rapid7 in February 2025, this multi-stage attack employs Catena, a memory-resident loader that evades antivirus detection. Targeting primarily Chinese-speaking environments, the campaign demonstrates strategic planning by a sophisticated threat actor. Notably, Winos 4.0, linked to previous attacks that used malicious MSI files, serves as a remote access trojan with a wide range of functionality, including DDoS capabilities. Secondary campaigns leveraged gaming software and phishing to broaden the attack spectrum.
"Catena uses embedded shellcode and configuration switching logic to stage payloads like Winos 4.0 entirely in memory, evading traditional antivirus tools."
"The attacks appear to focus specifically on Chinese-speaking environments, with the cybersecurity company calling out the 'careful, long-term planning' by a very capable threat actor."