Rapid7 uncovered an ongoing malware campaign using trojanized NSIS installers disguised as popular apps to deploy the Winos v4.0 malware, which runs entirely in memory to evade detection. The modular infection chain, dubbed Catena, involves multi-stage payloads, reflective DLL injection, and sophisticated persistence mechanisms, with strong links to the Silver Fox APT targeting Chinese-speaking environments. #WinosV4 #CatenaLoader #SilverFoxAPT
Keypoints
- The campaign uses fake NSIS installers impersonating popular software like VPN clients and QQBrowser to distribute Winos v4.0, a stealthy, memory-resident malware stager.
- The infection chain, named Catena, embeds shellcode in .ini files and uses reflective DLL injection to load payloads entirely in memory, evading traditional antivirus detection.
- The malware achieves persistence via scheduled tasks, PowerShell scripts, and watchdog batch files that monitor the malicious processes and relaunch them if terminated.
- A mutex-based payload selection mechanism dynamically chooses which encrypted shellcode to load from alternately named .ini files depending on runtime conditions, including the presence of marker files.
- Tactical evolution observed throughout 2025 includes removal of the PowerShell stages and direct DLL execution via regsvr32.exe, adapting to detection pressure.
- The campaign’s infrastructure is mainly hosted in Hong Kong, using multiple coordinated IPs that distribute identical payloads, indicating a well-resourced and persistent operator.
- Analyses and debug metadata point to the Silver Fox APT group, with targeting focused on Chinese-speaking or related regional environments based on language checks and artifact localization.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – Trojanized NSIS installers trick users into running the malware (“…detected a trojanized NSIS installer masquerading as QQBrowser…”).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence via scheduled tasks executing PowerShell scripts and DLLs (“…scheduled task that re-executes the VBS loader Decision.vbs via wscript.exe…”).
- [T1562.001] Impair Defenses: Disable or Modify Tools – Modifies Defender exclusions to reduce detection (“…PowerShell command that adds Defender exclusions for all drives…”).
- [T1218.010] System Binary Proxy Execution: Regsvr32 – Uses regsvr32.exe to execute loader DLLs, which then load the payload reflectively in memory (“…DLLs were invoked directly using regsvr32.exe…”).
- [T1218.011] System Binary Proxy Execution: Rundll32 – Used to load malicious DLLs in some stages.
- [T1070.004] Indicator Removal: File Deletion – Deletes marker files such as Exit.aps and Temp.aps to avoid leaving artifacts (“…checks for the existence of Exit.aps, deletes it, and terminates…”).
- [T1036.004] Masquerading: Masquerade Task or Service – Uses signed decoy executables and legitimate-looking installers (“…trojanized NSIS installers bundled with signed decoy apps…”).
- [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Shellcode and payloads are encrypted and embedded inside .ini files (“…shellcode embedded in .ini files…”).
- [T1055.001] Process Injection: Dynamic-link Library Injection – Reflective DLL injection used to load payloads entirely in memory (“…reflective DLL loading technique…”).
- [T1071.001] Application Layer Protocol: Web Protocols – Communicates with C2 over TCP and HTTPS ports (“…malware communicates with hardcoded command-and-control infrastructure over TCP port 18856 and HTTPS port 443…”).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Uses PowerShell scripts for loading payloads and modifying Defender settings (“…PowerShell-based loader… adds Defender exclusions…”).
- [T1620] Reflective Code Loading – Shellcode uses reflective DLL injection to load modules in memory without touching disk (“…shellcode formatted using the Shellcode Reflective DLL Injection (sRDI) technique…”).
- [T1057] Process Discovery – Takes snapshots of running processes to monitor AV or messaging apps (“…snapshot of running processes checking for 360 Total Security and messaging apps…”).
- [T1083] File and Directory Discovery – Checks for marker files such as Temp.aps or Exit.aps to control payload selection or termination (“…checks for file named Temp.aps in %APPDATA%…”).
- [T1105] Ingress Tool Transfer – Downloads follow-up payloads from C2 servers into memory (“…retrieves next-stage payload from the C2 server… copies the downloaded content into memory…”).
Indicators of Compromise
- [File Hashes] Malicious installer and payload files – Config2.ini (4CB2CAB237893D0D661E2378E7FE4E1BAFBFAEFD713091E26C96F7EC182B6CD0), Config.ini (E2490CFD25D8E66A7888F70B56FF8409494DE3B3D87BC5464D3ADABBA8B32177), insttect.exe (4FDEDADAA57412E242DC205FABDCA028F6402962D3A8AF427A01DD38B40D4512), intel.dll (B8E8A13859ED42E6E708346C555A094FDC3FBD69C3C1CB9EFB43C08C86FE32D0)
- [Network IPs] C2 servers – 156.251.17.243:18852, 134.122.204.11:18852, 103.46.185.44:443
- [File Names] Persistence and marker files – PolicyManagement.xml, updated.ps1 (Persistence scripts), monitor.bat (Watchdog script), Temp.aps (Marker file for payload switching)
- [Domains / Certificates] Signed decoy executables carrying certificates of legitimate software vendors, e.g., a Tencent PC Manager loader signed with an expired VeriSign certificate (validity 2010-2020)
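The behaviours in the MITRE list and the indicators above can be turned directly into hunting logic. The script below is an added example, not Rapid7's code and not from the campaign itself: it assumes a simplified Sysmon-like JSON-lines event schema (type, host, image, cmdline, sha256, dst_ip, dst_port), the path and command-line heuristics are the example's own, and the sample events are constructed. The Defender-exclusion rule fires only when an exclusion covers a whole drive root, and the regsvr32 rule only when the DLL sits under a user-writable directory, so a regsvr32 of a System32 DLL stays quiet.

```python
"""Hunting rules for the Catena / Winos v4.0 behaviours and IOCs above.

Added example, not Rapid7's code.  Assumptions: a simplified Sysmon-like
JSON-lines schema (type, host, image, cmdline, sha256, dst_ip, dst_port),
the path/command-line heuristics, and the constructed sample events."""
import json
import re

# Indicators copied from the IOC list above.
C2_SOCKETS = {("156.251.17.243", 18852), ("134.122.204.11", 18852),
              ("103.46.185.44", 443)}
IOC_HASHES = {
    "4CB2CAB237893D0D661E2378E7FE4E1BAFBFAEFD713091E26C96F7EC182B6CD0",  # Config2.ini
    "E2490CFD25D8E66A7888F70B56FF8409494DE3B3D87BC5464D3ADABBA8B32177",  # Config.ini
    "4FDEDADAA57412E242DC205FABDCA028F6402962D3A8AF427A01DD38B40D4512",  # insttect.exe
    "B8E8A13859ED42E6E708346C555A094FDC3FBD69C3C1CB9EFB43C08C86FE32D0",  # intel.dll
}
ARTIFACT_NAMES = {"policymanagement.xml", "updated.ps1", "monitor.bat",
                  "temp.aps", "exit.aps", "decision.vbs"}

# Behavioural heuristics (assumed, not from the report): user-writable path
# segments, a drive-root exclusion such as 'C:\', and script-interpreter names.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|tmp|programdata|users\\public)\\", re.I)
DRIVE_ROOT = re.compile(r"[A-Za-z]:\\(?:['\"\s,]|$)")
INTERPRETERS = re.compile(r"wscript|cscript|powershell|regsvr32|rundll32", re.I)


def check_process(ev):
    """Return the rule labels a process-creation event triggers."""
    name = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("cmdline", "")
    hits = []
    if ev.get("sha256", "").upper() in IOC_HASHES:
        hits.append("ioc:known-bad hash")
    if any(a in cmd.lower() for a in ARTIFACT_NAMES):
        hits.append("ioc:Catena artifact name in command line")
    if (name == "powershell.exe"
            and re.search(r"add-mppreference\s+-exclusionpath", cmd, re.I)
            and DRIVE_ROOT.search(cmd)):
        hits.append("T1562.001:Defender exclusion covering a drive root")
    if name == "regsvr32.exe" and USER_WRITABLE.search(cmd):
        hits.append("T1218.010:regsvr32 loading DLL from user-writable path")
    if (name == "schtasks.exe" and re.search(r"/create", cmd, re.I)
            and INTERPRETERS.search(cmd)):
        hits.append("T1053.005:scheduled task launching a script interpreter")
    if name == "wscript.exe" and USER_WRITABLE.search(cmd):
        hits.append("T1059.005:wscript running a script from user-writable path")
    return hits


def check_network(ev):
    """Flag connections to the C2 sockets listed in the IOCs."""
    try:
        sock = (ev.get("dst_ip"), int(ev.get("dst_port", 0)))
    except (TypeError, ValueError):
        return []
    if sock in C2_SOCKETS:
        return [f"T1071:connection to known C2 {sock[0]}:{sock[1]}"]
    return []


def hunt(lines):
    """Run every rule over JSON-lines telemetry; returns (host, label) pairs."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        labels = check_process(ev) if ev.get("type") == "process" else check_network(ev)
        findings.extend((ev.get("host", "?"), lab) for lab in labels)
    return findings


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c Add-MpPreference -ExclusionPath 'C:\','D:\'"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Update /sc minute /mo 5 /tr "wscript.exe C:\Users\bob\AppData\Roaming\Decision.vbs"'},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\bob\AppData\Roaming\Decision.vbs"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\intel.dll",
     "sha256": "b8e8a13859ed42e6e708346c555a094fdc3fbd69c3c1cb9efb43c08c86fe32d0"},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"},  # benign: System32 DLL
    {"type": "network", "host": "ws01", "dst_ip": "156.251.17.243", "dst_port": 18852},
    {"type": "network", "host": "ws02", "dst_ip": "93.184.216.34", "dst_port": 443},  # benign
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for host, label in hunt(SAMPLE_LOG.splitlines()):
        print(host, label)
```

Hash and socket matches are exact and cheap but rot as the operator rotates infrastructure; the behavioural rules (drive-root Defender exclusions, regsvr32 and wscript fed from user-writable paths, scheduled tasks that launch an interpreter) survive the tactical shifts the report describes and are the ones worth keeping in a detection backlog.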

Read more: https://blog.rapid7.com/2025/05/22/nsis-abuse-and-srdi-shellcode-anatomy-of-the-winos-4-0-campaign/