Attackers Use Fake VPN and Browser NSIS Installers to Deploy Winos 4.0 Malware


Cybersecurity researchers have uncovered a malware campaign that uses fake software installers impersonating widely used applications such as LetsVPN and QQ Browser to deliver the Winos 4.0 framework.

First identified by Rapid7 in February 2025, the campaign relies on a multi-stage, memory-resident loader named Catena. The loader carries embedded shellcode and configuration-switching logic, which lets it stage follow-on malware such as Winos 4.0 entirely in memory and so sidestep antivirus products that depend on scanning files written to disk. Once installed, Catena connects to attacker-controlled command-and-control servers, mostly hosted in Hong Kong, to fetch further instructions or additional payloads.

The attacks primarily target Chinese-speaking environments and point to careful long-term planning by a capable adversary. Winos 4.0, also known as ValleyRAT, was first documented by Trend Micro in June 2024 in attacks on Chinese users that used malicious Windows Installer (MSI) files posing as VPN applications. Trend Micro attributes that activity to a threat cluster it tracks as Void Arachne, which overlaps with the group other vendors call Silver Fox.

Later waves of the campaign have used gaming-related applications, such as installation tools, speed boosters, and optimization utilities, as lures to trick users into installing the malware. In February 2025, one wave targeted victims in Taiwan with phishing emails impersonating the National Taxation Bureau.

Winos 4.0 is a remote access trojan written in C++ with a plugin-based architecture that allows it to harvest sensitive data, run remote shell commands, and take part in distributed denial-of-service (DDoS) attacks.

Delivered through NSIS installers bundled with signed decoy applications, the infection chain, dubbed Catena, stores its shellcode in ".ini" files and loads the next stage through reflective DLL injection, so the payload executes from memory rather than as a conventional file on disk and leaves little for file-based detection to catch; persistence itself is handled separately, by scheduled tasks. The campaign has remained active throughout 2025 and has adjusted its tactics over time, which points to a skilled and well-resourced operator.

In the first phase of the attack, a malicious NSIS installer poses as the setup program for QQ Browser, a web browser developed by Tencent. This installer delivers Winos 4.0 via Catena and communicates with hardcoded command-and-control infrastructure over TCP port 18856 and HTTPS port 443.

Persistence on compromised machines is established by registering scheduled tasks whose first run is set for weeks after the initial compromise, a delay long enough to outlast the detonation window of most automated sandboxes. Notably, the malware checks for Chinese language settings on the system but carries on regardless of the result, which suggests an unfinished feature that may be completed in later versions.

In April 2025, the execution chain changed to add further antivirus evasion. In this revised sequence, the NSIS installer masquerades as a LetsVPN setup file and runs a PowerShell command that creates Microsoft Defender exclusions covering every drive, so that files subsequently written anywhere on the system are no longer scanned. Follow-on payloads are then downloaded, including an executable that enumerates running processes looking for antivirus products such as 360 Total Security from Qihoo 360.

That executable is signed with an expired VeriSign certificate issued to Tencent Technology and valid from October 2018 to February 2020; because the certificate's validity period ended years before the campaign, the signature cannot pass a standard Authenticode validity check, which makes it a useful hunting indicator. The executable's main job is to reflectively load a DLL that connects to a designated command-and-control server to download and execute Winos 4.0.
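The tradecraft described above translates into a handful of host-level signals: a PowerShell command that excludes whole drives from Defender, a scheduled task whose first run is weeks out, an outbound TCP connection to port 18856, and a binary whose signing certificate expired long before the file was seen. The following hunting script is an added example, not code from Rapid7 or from the article; it runs these checks over constructed sample telemetry embedded in the block. The JSON field names, paths, IP addresses and task name are assumptions made for illustration, not a real product schema or real indicators.

```python
"""Hunting heuristics for the Catena / Winos 4.0 tradecraft (added example)."""
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry in JSON-lines form. Not real captures; the
# field names are an assumed schema, and 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_EVENTS = r'''
{"ts":"2025-04-10T09:12:01Z","type":"process","image":"C:\\Users\\u\\Downloads\\LetsVPN_Setup.exe","cmdline":"powershell.exe -w hidden Add-MpPreference -ExclusionPath C:\\, D:\\, E:\\"}
{"ts":"2025-04-10T09:12:05Z","type":"schtask","task":"\\Microsoft\\Windows\\Update\\UpdateSvc","start":"2025-05-03T12:00:00Z","exec":"C:\\ProgramData\\updater\\svc.exe"}
{"ts":"2025-04-10T09:12:09Z","type":"netconn","image":"C:\\ProgramData\\updater\\svc.exe","dst_ip":"203.0.113.7","dst_port":18856,"proto":"tcp"}
{"ts":"2025-04-10T09:12:09Z","type":"signature","image":"C:\\ProgramData\\updater\\svc.exe","signer":"Tencent Technology (Shenzhen) Company Limited","not_before":"2018-10-01T00:00:00Z","not_after":"2020-02-01T00:00:00Z","countersigned":false}
{"ts":"2025-04-10T10:00:00Z","type":"process","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"ts":"2025-04-10T10:01:00Z","type":"netconn","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dst_ip":"198.51.100.20","dst_port":443,"proto":"tcp"}
'''

# A bare drive root such as "C:\" followed by whitespace, a comma, a quote or
# end of string. "C:\Windows\..." does not match because a letter follows.
DRIVE_ROOT = re.compile(r'(?<![\w\\])[A-Za-z]:\\?(?=[\s,\'"]|$)')
WINOS_C2_PORTS = {18856}            # from the article; 443 alone is too noisy to alert on
DELAYED_TASK_THRESHOLD = timedelta(days=7)


def parse_ts(s):
    """ISO-8601 with a trailing Z, as in the sample events."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_defender_exclusion(ev):
    """Add-MpPreference -ExclusionPath covering one or more whole drives."""
    cmd = ev.get("cmdline", "")
    if not re.search(r"add-mppreference", cmd, re.I) or not re.search(r"-exclusionpath", cmd, re.I):
        return None
    roots = sorted({m.group(0).rstrip("\\").upper() for m in DRIVE_ROOT.finditer(cmd)})
    return {"rule": "defender_exclusion_drive_root", "detail": roots} if roots else None


def check_delayed_task(ev):
    """Scheduled task whose first trigger is at least a week after creation."""
    delay = parse_ts(ev["start"]) - parse_ts(ev["ts"])
    if delay < DELAYED_TASK_THRESHOLD:
        return None
    return {"rule": "delayed_scheduled_task",
            "detail": f"{ev['task']} first runs in {delay.days} days -> {ev['exec']}"}


def check_c2_port(ev):
    """Outbound TCP to the hardcoded Winos 4.0 C2 port named in the article."""
    if ev.get("proto") == "tcp" and ev.get("dst_port") in WINOS_C2_PORTS:
        return {"rule": "winos_c2_port", "detail": f"{ev['image']} -> {ev['dst_ip']}:{ev['dst_port']}"}
    return None


def check_signature(ev):
    """Signing certificate already expired when the file was observed, with no
    timestamp countersignature to vouch that the signature predates expiry."""
    if parse_ts(ev["not_after"]) < parse_ts(ev["ts"]) and not ev.get("countersigned", False):
        return {"rule": "expired_cert_no_timestamp",
                "detail": f"{ev['signer']} cert expired {ev['not_after'][:10]}, file seen {ev['ts'][:10]}"}
    return None


CHECKS = {"process": check_defender_exclusion, "schtask": check_delayed_task,
          "netconn": check_c2_port, "signature": check_signature}


def hunt(jsonl):
    """Run every applicable check over JSON-lines telemetry; return findings in order."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        check = CHECKS.get(ev.get("type"))
        hit = check(ev) if check else None
        if hit:
            hit["ts"] = ev["ts"]
            hit["image"] = ev.get("image") or ev.get("exec")
            findings.append(hit)
    return findings


def correlate(findings):
    """Group rule hits by binary so one file tripping several rules stands out."""
    by_image = {}
    for f in findings:
        by_image.setdefault(f["image"], set()).add(f["rule"])
    return {img: sorted(rules) for img, rules in by_image.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['rule']}] {f['ts']} {f['image']}: {f['detail']}")
    print(correlate(found))
```

The thresholds are deliberately conservative: a single drive-root exclusion is enough to alert, since legitimate software almost never excludes an entire volume, while port 443 is only worth flagging when combined with another signal from the same binary, which is what the correlation step exposes.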

Taken together, the campaign is a well-organized operation that uses trojanized NSIS installers to quietly deploy the Winos 4.0 staging mechanism. It leans heavily on memory-resident payloads, reflective DLL loading, and legitimate-looking software carrying real certificates to keep alerts to a minimum. The overlap in infrastructure and language targeting points to the Silver Fox APT and to a sustained effort against Chinese-speaking targets.