Cybersecurity researchers have uncovered a sophisticated malware campaign involving fake software installers that deliver the Winos 4.0 framework, targeting Chinese-speaking environments. The attack employs advanced techniques like memory-resident loaders and signed decoy installers to evade detection and maintain persistence. #Winos4.0 #VoidArachne
Key points
- The campaign uses trojanized installers masquerading as popular tools like LetsVPN and QQ Browser to deliver malware.
- It employs a multi-stage loader called Catena that executes payloads entirely in memory to avoid antivirus detection.
- The malware, Winos 4.0, is based on Gh0st RAT and supports remote access, data harvesting, and DDoS attacks.
- The attack chain includes signed decoy apps, shellcode in configuration files, and reflective DLL injection for persistence.
- Indicators of compromise suggest links to the Silver Fox threat group and activities focused on Chinese-speaking targets.
Read More: https://thehackernews.com/2025/05/hackers-use-fake-vpn-and-browser-nsis.html