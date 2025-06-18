By AbdulWasay ⏐ 2 min read
New Winos 4.0 Malware Hits Windows via Fake Installers

A sophisticated campaign using the Winos 4.0 malware is actively targeting Windows users in Taiwan and other Chinese-speaking environments. The attack begins with phishing emails masquerading as official communications, such as tax notifications or pension updates. The emails prompt recipients to download what appears to be legitimate software installers for apps like LetsVPN or QQBrowser. Instead, they carry a multi-stage memory-resident loader known as Catena, which delivers Winos 4.0 silently into memory.



Security firms such as Fortinet confirm this campaign began in early 2025. The malware establishes persistence, escalates its privileges, communicates with attacker-controlled command-and-control servers over encrypted channels, and fetches follow-up payloads for data theft and remote access.

Stealthy Execution and Persistence

Winos 4.0 uses a multi-stage infection chain. Delivery begins with NSIS installers that run PowerShell commands to switch off Windows Defender protections. The Catena loader is carried inside the installer's embedded configuration files and shellcode and uses reflective DLL injection, so the Winos 4.0 payload is mapped straight into memory and never written to disk. Analysts at Rapid7 highlight Catena's modular design: encrypted .ini files that hold the next stage, and decoy DLLs that decrypt and run that stage in memory on the fly.

Persistence is achieved through registry changes and scheduled tasks whose first trigger fires weeks after the initial infection, which keeps the implant quiet during the window when an analyst is most likely to be looking. The malware escalates privileges by enabling the SeDebugPrivilege on its access token, impersonating the logged-in user, and hijacking trusted system processes. It plants multiple DLL payloads so that network access survives reboots.



Winos 4.0 Offers Full Remote-Control and Data Theft

Winos 4.0, also known as ValleyRAT, builds on the legacy of Gh0st RAT and targets Chinese-speaking users. It connects to attacker-controlled servers, mainly in Hong Kong, over encrypted channels. Through its modular plugin system the framework provides remote shell access, keylogging, screenshot capture, cryptocurrency wallet theft (e.g. MetaMask), data exfiltration, and DDoS attacks launched from infected hosts.

Security researchers attribute the campaign to the Void Arachne (a.k.a. Silver Fox) group. Their evolving tactics now include signing decoy software with expired digital certificates (the signature still shows a publisher name in file properties, so verify the certificate chain rather than trusting the name) and deploying memory-resident loaders, a strategic shift toward long-term espionage.

Winos 4.0 Defensive Guidance

Cybersecurity experts warn that the threat is serious and ongoing. Users and administrators are advised to:

  • Only install software from trusted sources and official websites, and check the installer's digital signature before running it

  • Regularly update Windows, browsers such as Chrome, and antivirus definitions

  • Scan systems with tools capable of detecting in-memory threats, since the Catena stages leave no file on disk

  • Monitor for unusual registry changes (Run keys, Windows Defender policy values) and for newly created scheduled tasks, especially ones whose first run is set weeks in the future

  • Educate users about phishing emails disguised as tax notices, pension updates, or software updates.
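The infection chain described above (PowerShell commands against Defender, Run-key and scheduled-task persistence with delayed triggers, payloads staged from user-writable paths) and the advice to monitor registry and scheduled-task changes both point at the same telemetry. The following is an added example, not code from the article or from any of the vendors it cites: a Python triage pass over Windows event records that flags those artifacts. The event records are constructed to look like PowerShell script block logging (event 4104), Sysmon registry value-set events (event 13) and Security log scheduled-task creation events (event 4698); they are not real telemetry, and the thresholds and path patterns are assumptions to tune for your environment.

```python
"""Offline triage of Windows event records for Winos 4.0-style tradecraft.

Added example (not from the article or the vendors it cites). The records in
SAMPLE_EVENTS are constructed to resemble what PowerShell script block
logging (4104), Sysmon registry value-set events (13) and Security log
scheduled-task creation events (4698) produce; they are not real telemetry.
"""
import re
from datetime import datetime, timedelta

# Locations a standard user or a freshly run installer can write to; a
# persistence entry pointing here deserves a look, one under Program Files less so.
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData|Temp|Downloads|ProgramData)\\", re.I)
# Cmdlets that turn a Defender engine off or carve out an exclusion.
DEFENDER_CMDLET = re.compile(
    r"Set-MpPreference\s+-Disable\w+\s+\$true|Add-MpPreference\s+-Exclusion\w*", re.I)
# Policy values that disable Defender when set to 1.
DEFENDER_POLICY = re.compile(
    r"Windows Defender\\(DisableAntiSpyware|Real-Time Protection\\DisableRealtimeMonitoring)$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# A task whose first run is this far after creation counts as a delayed trigger (assumed threshold).
DELAY_THRESHOLD = timedelta(days=7)

# Constructed sample records, one dict per event (not real logs).
SAMPLE_EVENTS = [
    {"source": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "time": "2025-06-01T09:15:02",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true; "
               "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'"},
    {"source": "Microsoft-Windows-Sysmon/Operational", "id": 13,
     "time": "2025-06-01T09:15:05",
     "image": "C:\\Users\\victim\\Downloads\\LetsVPN_setup.exe",
     "target": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"source": "Microsoft-Windows-Sysmon/Operational", "id": 13,
     "time": "2025-06-01T09:15:09",
     "image": "C:\\Users\\victim\\Downloads\\LetsVPN_setup.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "rundll32.exe C:\\Users\\Public\\Libs\\srv.dll,Start"},
    {"source": "Security", "id": 4698, "time": "2025-06-01T09:16:00",
     "task_name": "\\Microsoft\\Windows\\Update\\SyncCheck",
     "task_content": "<Task><Triggers><TimeTrigger><StartBoundary>2025-06-25T03:00:00"
                     "</StartBoundary></TimeTrigger></Triggers><Actions><Exec><Command>"
                     "C:\\Users\\Public\\Libs\\host.exe</Command></Exec></Actions></Task>"},
    # A benign logon-triggered task under Program Files: should not be flagged.
    {"source": "Security", "id": 4698, "time": "2025-06-01T09:20:00",
     "task_name": "\\Microsoft\\Office\\OfficeTelemetryAgentLogOn",
     "task_content": "<Task><Triggers><LogonTrigger/></Triggers><Actions><Exec><Command>"
                     "C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe"
                     "</Command></Exec></Actions></Task>"},
]


def triage(events):
    """Return a list of {"event": index, "rule": name} findings, in event order."""
    findings = []
    for i, ev in enumerate(events):
        src, eid = ev["source"], ev["id"]
        if src.startswith("Microsoft-Windows-PowerShell") and eid == 4104:
            # Script block text of the PowerShell the NSIS installer launched.
            if DEFENDER_CMDLET.search(ev.get("script", "")):
                findings.append({"event": i, "rule": "defender-tamper-cmdlet"})
        elif src.startswith("Microsoft-Windows-Sysmon") and eid == 13:
            target, details = ev.get("target", ""), ev.get("details", "")
            if DEFENDER_POLICY.search(target) and "0x00000001" in details:
                findings.append({"event": i, "rule": "defender-tamper-registry"})
            if RUN_KEY.search(target) and USER_WRITABLE.search(details):
                findings.append({"event": i, "rule": "run-key-user-writable"})
        elif src == "Security" and eid == 4698:
            xml = ev.get("task_content", "")
            start = re.search(r"<StartBoundary>([^<]+)</StartBoundary>", xml)
            if start:
                first_run = datetime.fromisoformat(start.group(1))
                created = datetime.fromisoformat(ev["time"])
                if first_run - created > DELAY_THRESHOLD:
                    findings.append({"event": i, "rule": "task-delayed-trigger"})
            cmd = re.search(r"<Command>([^<]+)</Command>", xml)
            if cmd and USER_WRITABLE.search(cmd.group(1)):
                findings.append({"event": i, "rule": "task-user-writable-path"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[f["event"]]
        print(f"{ev['time']}  {f['rule']:26}  {ev.get('target') or ev.get('task_name') or 'script block'}")
```

Run against the sample set, the script flags the four attacker events and leaves the Office task alone. None of these sources is on by default: 4104 needs PowerShell script block logging enabled, 4698 needs "Audit Other Object Access Events" in the Security audit policy, and Sysmon event 13 only fires for registry paths your Sysmon configuration includes, so add the Run keys and the Windows Defender policy keys to it. Because the Catena stages never touch disk, the Defender tampering, the persistence entries and the installer process that created them are the practical hooks; the in-memory payload itself needs a memory scanner or EDR to see.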

cyber attacks, Windows, Winos 4.0