Full Report
Cybersecurity researchers have disclosed a malware campaign that uses fake software installers masquerading as popular tools like LetsVPN and QQ Browser to deliver the Winos 4.0 framework. The campaign, first detected by Rapid7 in February 2025, involves the use of a multi-stage, memory-resident loader called Catena. "Catena uses embedded shellcode and configuration switching logic to stage
Analysis Summary
# Tool/Technique: Winos 4.0 Framework
## Overview
Winos 4.0 (also known as ValleyRAT) is an advanced, plugin-based remote access trojan (RAT) framework primarily used by threat actors targeting Chinese-speaking environments. It provides comprehensive remote control capabilities, data exfiltration, and denial-of-service functionality.
## Technical Details
- Type: Malware family (Remote Access Trojan Framework)
- Platform: Windows
- Capabilities: Data harvesting, remote shell access, DDoS attack launching, plugin-based modularity. Built atop the foundations of Gh0st RAT.
- First Seen: Publicly documented in June 2024, but campaign activity observed throughout 2025.
## MITRE ATT&CK Mapping
*Note: Specific mappings are generalized based on known capabilities of advanced RATs like Winos 4.0.*
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
- **TA0009 - Collection**
  - T1005 - Data from Local System
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter (via PowerShell usage in stager)
- **TA0003 - Persistence**
  - T1053.005 - Scheduled Task/Job
## Functionality
### Core Capabilities
- Harvesting data from infected systems.
- Providing a remote shell interface to the operator.
- Launching Distributed Denial-of-Service (DDoS) attacks.
### Advanced Features
- Plugin-based architecture allows for flexible, modular expansion of capabilities.
- Heavily leverages memory-resident techniques (via Catena loader/stager) to avoid traditional file-based scanning.
- Uses reflective DLL loading to execute components entirely in memory.
- Employs signed decoy software/executables (using an expired VeriSign certificate allegedly linked to Tencent Technology) to maintain credibility.
## Indicators of Compromise
- File Hashes: [None provided in the text]
- File Names: [Varies based on lure (e.g., LetsVPN installer, QQ Browser installer)]
- Registry Keys: [Not explicitly mentioned, persistence via Scheduled Tasks]
- Network Indicators:
- C2 Port 18856 (TCP)
- C2 Port 443 (HTTPS)
- Specific IP/Port Combinations observed: `134.122.204[.]11:18852`, `103.46.185[.]44:443`
- Behavioral Indicators:
- Use of NSIS installers for initial delivery.
- Shellcode embedded in ".ini" files for payload staging.
- PowerShell command execution to add exclusions to Microsoft Defender across drives (C:\ to Z:\).
- Checking for and targeting processes related to 360 Total Security antivirus.
- Persistence achieved by registering scheduled tasks set to execute weeks post-compromise.
## Associated Threat Actors
- Void Arachne (also tracked as Silver Fox APT)
## Detection Methods
- Signature-based detection: Signatures are expected to need frequent updating, since the payloads are memory-resident and leave little on disk for file-based scanners.
- Behavioral detection: Focus on the sequence involving NSIS abuse, dropping shellcode in configuration files, and subsequent reflective DLL loading.
- YARA rules: Potential rules targeting the embedded shellcode or the structure of the Catena loader.
- Specific Detection Focus: Monitoring for the creation of legitimate-looking scheduled tasks set for delayed execution, and modifications/exclusions made to Microsoft Defender settings.
## Mitigation Strategies
- Prevention measures: Strict application control to prevent execution from untrusted installers (e.g., NSIS packages).
- Hardening recommendations: Regular patching and configuration management to prevent the exploitation of legitimate tools like NSIS installers. Strict policy review regarding Defender exclusions, especially those generated via PowerShell.
- Endpoint defense should prioritize memory artifacts and process injection techniques over purely file-based scanning.
## Related Tools/Techniques
- Catena: The multi-stage, memory-resident loader used to deliver Winos 4.0.
- Gh0st RAT: The foundational RAT upon which Winos 4.0 is built.
- NSIS Abuse: The technique used to distribute the initial stage of the infection chain.