By Abdul Wasay ⏐ 6 months ago ⏐ 2 min read
New Winos 4.0 Malware Hits Windows Via Fake Installers

A sophisticated campaign using the Winos 4.0 malware is actively targeting Windows users in Taiwan and other Chinese-speaking environments. The attack begins with phishing emails masquerading as official communications, such as tax notifications or pension updates. The emails prompt recipients to download what appears to be legitimate software installers for apps like LetsVPN or QQBrowser. Instead, they carry a multi-stage memory-resident loader known as Catena, which delivers Winos 4.0 silently into memory.

Security firms such as Fortinet confirm this campaign began in early 2025. The malware establishes persistence, elevates its privileges, communicates with hidden command-and-control servers, and executes follow-up payloads for data theft and remote access.

Stealthy Execution and Persistence

Winos 4.0 uses a sophisticated infection chain. Delivery begins with NSIS installers that run PowerShell commands to weaken Windows Defender (adding exclusions so the dropped components are never scanned). The Catena loader is embedded in configuration files and shellcode and uses reflective DLL injection so the payload never touches disk. Analysts at Rapid7 highlight Catena's modular design: stages are kept in encrypted .ini files and decoy DLL files that are decrypted in memory on the fly.

Persistence is achieved through registry alterations and scheduled tasks, some of which are set to trigger only weeks after the initial infection. The malware escalates privileges by enabling the SeDebugPrivilege token privilege, impersonating the logged-in user, and hijacking trusted system processes. It implants multiple DLL payloads to maintain network access, even after reboots.

Winos 4.0 Offers Full Remote-Control and Data Theft

Winos 4.0, also known as ValleyRAT, builds on the legacy of Gh0st RAT and targets Chinese-speaking users. It connects to attacker-controlled servers, mainly in Hong Kong, over encrypted channels. The framework's modular plugin system provides remote shell access, keylogging, screenshot capture, cryptocurrency wallet theft (e.g. MetaMask), data exfiltration, and DDoS attacks.

Security researchers attribute the campaign to the Void Arachne (a.k.a. Silver Fox) group. Their evolving tactics now include using expired digital certificates to sign decoy software and deploying advanced memory-resident loaders, showing a strategic shift toward long‑term espionage.

Winos 4.0 Defensive Guidance

Cybersecurity experts warn that the threat is serious and ongoing. Recommended defensive measures:

  • Only install software from trusted sources and official websites

  • Regularly update Chrome, Windows, and antivirus definitions

  • Scan systems with tools capable of detecting in-memory threats, such as EDR with memory scanning

  • Monitor for unusual registry or scheduled-task modifications, in particular new Run keys and tasks whose first run is far in the future

  • Educate users about phishing emails disguised as tax notices or software updates
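As an added example, not code from the article or from any of the vendors it cites, the following Python hunt encodes the behaviours described in the infection-chain section and the monitoring advice above: PowerShell script-block records (Event ID 4104) that add Defender exclusions or disable protection, scheduled-task creations (Event ID 4698) whose first run is days after creation or whose command lives under a user-writable directory, and Sysmon registry events (EID 13) that write a Run key pointing at such a path. The event records and field names are constructed to resemble SIEM-normalised logs, and the delay threshold and path list are assumptions to tune for your environment.

```python
"""Hunt for Winos 4.0 / Catena-style tradecraft in normalised Windows events.

Added example; the events below are constructed, not real telemetry.
"""
import re
from datetime import datetime

# Constructed sample events (not real captures). Field names mirror what a
# SIEM would normalise from Security 4104 (PowerShell script block),
# Security 4698 (scheduled task created) and Sysmon EID 13 (registry set).
SAMPLE_EVENTS = [
    {"id": 4104, "ts": "2025-02-10T09:12:03",
     "script": r"Add-MpPreference -ExclusionPath 'C:\', 'D:\', 'E:\'"},
    {"id": 4104, "ts": "2025-02-10T09:12:05",
     "script": r"Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4104, "ts": "2025-02-10T10:00:00",           # benign admin activity
     "script": r"Get-ChildItem C:\Logs | Sort-Object LastWriteTime"},
    {"id": 4698, "ts": "2025-02-10T09:12:30",           # fires two weeks later
     "task": r"\Microsoft\Windows\UpdateSync\Sync",
     "start": "2025-02-24T09:00:00",
     "command": r"C:\Users\Public\Libraries\svchost.exe"},
    {"id": 4698, "ts": "2025-02-10T11:30:00",           # ordinary nightly job
     "task": r"\Backup\NightlyBackup",
     "start": "2025-02-11T01:00:00",
     "command": r"C:\Program Files\BackupTool\backup.exe"},
    {"id": 13, "ts": "2025-02-10T09:12:31",
     "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\Public\Libraries\svchost.exe"},
    {"id": 13, "ts": "2025-02-10T12:00:00",             # unrelated setting
     "key": r"HKLM\SOFTWARE\Vendor\App\Settings\Theme",
     "value": "dark"},
]

# Defender tampering: exclusions added, or any -Disable* switch set to $true.
DEFENDER_TAMPER = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)"
    r"|Set-MpPreference\s+.*-Disable\w+\s+\$true",
    re.IGNORECASE,
)
# Autostart locations under HKLM or HKU that the malware is reported to use.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Assumed list of directories a standard user can write to; extend as needed.
USER_WRITABLE = re.compile(
    r"\\(Users\\Public|AppData|Temp|ProgramData)\\", re.IGNORECASE)
# Assumed threshold: a first run this far after creation is unusual for a
# legitimate task and matches the delayed triggers described above.
DELAY_THRESHOLD_DAYS = 7


def hunt(events, delay_days=DELAY_THRESHOLD_DAYS):
    """Return a finding dict for every event that matches one of the rules."""
    findings = []
    for ev in events:
        if ev["id"] == 4104 and DEFENDER_TAMPER.search(ev["script"]):
            findings.append({"rule": "defender_tamper", "ts": ev["ts"],
                             "detail": ev["script"]})
        elif ev["id"] == 4698:
            created = datetime.fromisoformat(ev["ts"])
            first_run = datetime.fromisoformat(ev["start"])
            delayed = (first_run - created).days >= delay_days
            user_path = USER_WRITABLE.search(ev["command"]) is not None
            if delayed or user_path:
                findings.append({"rule": "delayed_or_userpath_task",
                                 "ts": ev["ts"],
                                 "detail": f'{ev["task"]} -> {ev["command"]}'})
        elif (ev["id"] == 13 and RUN_KEY.search(ev["key"])
              and USER_WRITABLE.search(ev["value"])):
            findings.append({"rule": "run_key_persistence", "ts": ev["ts"],
                             "detail": f'{ev["key"]} = {ev["value"]}'})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f'{f["ts"]}  {f["rule"]:<26}  {f["detail"]}')
```

On the constructed sample the hunt flags the two Defender-tampering script blocks, the task that first fires two weeks after creation from a user-writable path, and the Run key pointing at the same binary, while leaving the benign PowerShell, the nightly backup task and the unrelated registry write alone. In production, feed it the same three event types from your SIEM and start by triaging any host where all three rules fire within a few seconds of each other, since that sequence matches the installer-to-persistence chain described above.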