
Security researchers at Rapid7, who have closely tracked this threat since February 2025, have detailed the evolving attack vector, which leverages multi-stage reflective loaders and in-memory payload delivery to bypass standard endpoint defenses.
Multi-Stage Catena Loader
The incident first surfaced when malicious activity was traced to a fake QQBrowser installer (QQBrowser_Setup_x64.exe).
Behind its legitimate facade, the loader sequence, dubbed Catena, unpacked embedded shellcode from binary configuration files (Config.ini, Config2.ini) and used it to reflectively load a DLL.
Because the stage runs entirely in memory, file-based antivirus scanning never sees the decoded payload; persistence is established with scheduled tasks and process watchdog scripts.
A typical attack chain features decoy software (e.g., QQBrowser, LetsVPN) and drops support files, including VBScript, PowerShell, and DLLs, into user directories.
Execution logic determines which configuration file and thus which shellcode and payload DLL is loaded, based on mutex and marker file presence.
The approach allows the operators to swap payloads without shipping updated binaries, which improves both stealth and adaptability.
Network communications go to hardcoded command-and-control (C2) endpoints, predominantly over a custom TCP port (18852) and HTTPS (443), with the infrastructure clustered in Hong Kong and hosted on mainstream cloud providers.
Post-discovery, the threat actors diversified delivery by rebranding their NSIS installers as other trusted applications including LetsVPN and Telegram while adjusting loader components to evade EDR scrutiny.
The attackers replaced PowerShell-based loading in later variants with direct DLL invocation via regsvr32.exe.
Each stage strategically manipulates Windows features: the loader scripts add Microsoft Defender exclusions for multiple drives and employ dynamic Windows API resolution through obfuscated function hashes.
Persistence mechanisms rely on both scheduled task creation and continual process monitoring.
The malware also checks for running processes associated with security software and messaging applications (Qihoo 360, Telegram, WhatsApp), dynamically altering its next-stage payload, and tracks execution context via mutexes and marker files.
Notably, the code checks for Chinese locale settings, underlining a regional targeting bias, even though execution proceeds regardless of language.
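The regsvr32 DLL loading, drive-wide Defender exclusions, scheduled-task persistence and the custom C2 port described above are all observable on the endpoint. The following is an added example, not Rapid7's tooling or code from the report: it runs simple triage rules over a constructed list of Sysmon-style events. The field names follow Sysmon's Event ID 1 (process creation) and Event ID 3 (network connection) schema; the user name, paths and command lines in the sample events are made up, and only the port and the C2 address come from the article.

```python
"""Endpoint triage rules for the Catena loader behaviours described above.

Added example: SAMPLE_EVENTS are constructed Sysmon-style records, not real
telemetry. User names, paths and command lines are made up; only the C2 port
(18852) and the C2 address come from the report summarised above.
"""
import re
from dataclasses import dataclass

C2_PORTS = {18852}  # custom TCP port named in the report; 443 is too noisy for a port-only rule
USER_DIR_RE = re.compile(r'[A-Za-z]:\\Users\\[^\\\s"]+\\', re.IGNORECASE)
DLL_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\s]+\.dll)', re.IGNORECASE)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_process_create(ev):
    """Rules over a Sysmon Event ID 1 style record (Image, CommandLine)."""
    out = []
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    # Later Catena variants load the payload DLL through regsvr32.exe; a DLL
    # under a user profile is the signal, system DLLs are routine.
    if image.endswith("\\regsvr32.exe"):
        m = DLL_PATH_RE.search(cmd)
        if m and USER_DIR_RE.match(m.group(1)):
            out.append(Finding("regsvr32_user_profile_dll", m.group(1)))
    # The loader scripts add Defender exclusions for whole drives.
    if EXCLUSION_RE.search(cmd):
        out.append(Finding("defender_exclusion_added", cmd))
    # Scheduled task whose action lives in a user profile directory.
    if image.endswith("\\schtasks.exe") and "/create" in cmd.lower() and USER_DIR_RE.search(cmd):
        out.append(Finding("schtask_user_profile_action", cmd))
    return out


def check_network_connect(ev):
    """Rules over a Sysmon Event ID 3 style record (DestinationIp, DestinationPort)."""
    port = int(ev.get("DestinationPort", 0))
    if port in C2_PORTS:
        return [Finding("c2_custom_port", f"{ev.get('DestinationIp')}:{port}")]
    return []


def triage(events):
    """Return findings in event order; one event can trigger several rules."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings.extend(check_process_create(ev))
        elif ev.get("EventID") == 3:
            findings.extend(check_network_connect(ev))
    return findings


# Constructed sample telemetry (not from the report).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Roaming\intel.dll"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ep bypass -c Add-MpPreference -ExclusionPath 'C:\','D:\'"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Update /sc minute /mo 1 /tr "C:\Users\alice\AppData\Roaming\monitor.bat"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},  # benign: system DLL
    {"EventID": 3, "Image": r"C:\Windows\System32\regsvr32.exe",
     "DestinationIp": "134.122.204.11", "DestinationPort": 18852},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},  # benign: ordinary HTTPS
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run against the sample list, the four malicious events each produce one finding and the two benign ones produce none. The regsvr32 rule keys on the DLL's location rather than on regsvr32 itself, since the binary is used legitimately all day; the port rule is deliberately limited to 18852 because a rule on 443 would fire on every browser.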
In-Memory Deployment
The final payload, Winos v4.0, is delivered entirely in memory by the staged loaders as a DLL converted to position-independent shellcode with sRDI (shellcode reflective DLL injection); the DLL exports a single function (VFPower).
Debug metadata and hardcoded paths reveal Chinese-language origins. Extracted configuration data details multiple C2 addresses, communication protocols, beacon intervals, grouping, and execution flags.
Indicators from network forensics align the infrastructure with previous Silver Fox APT campaigns, including those that delivered ValleyRAT and similar stagers.
According to the report, the use of identical payload hashes across several IPs in the ASNs of major Hong Kong and regional providers points to a coordinated, scalable backend designed for rapid redeployment under detection pressure.
Winos v4.0's modular pipeline, with its reflective in-memory loading, use of legitimately signed decoys, and adaptable persistence logic, reflects a highly capable, operationally mature threat group.
Infrastructure and technical overlaps point strongly to links with Silver Fox APT, particularly as regionally focused campaigns have previously targeted Chinese-speaking users and leveraged similar deception techniques.
Rapid7 and other security vendors have released countermeasures and continue to track campaign evolution.
Indicators of Compromise (IOC)
| Type | Indicator | SHA-256 (files) or description (network) |
|---|---|---|
| File | Config2.ini | 4CB2CAB237893D0D661E2378E7FE4E1BAFBFAEFD713091E26C96F7EC182B6CD0 |
| File | Config.ini | E2490CFD25D8E66A7888F70B56FF8409494DE3B3D87BC5464D3ADABBA8B32177 |
| File | insttect.exe | 4FDEDADAA57412E242DC205FABDCA028F6402962D3A8AF427A01DD38B40D4512 |
| File | intel.dll | B8E8A13859ED42E6E708346C555A094FDC3FBD69C3C1CB9EFB43C08C86FE32D0 |
| File | Single.ini | B22599DD0A1C44CA1B35DF16006F3085BDDAE3EBBA6A3649EC6E4DC4CBF74865 |
| File | Iatsvpn-Latest.exe | E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 (this is the SHA-256 of a zero-length file; treat it as a placeholder, not a detection indicator) |
| File | monitor.bat | 5767D408EC37B45C7714D70AE476CB34905AD6B59830572698875FC33C3BAF2F |
| Network | 134.122.204.11:18852 | C2 Server (primary, stage 2) |
| Network | 103.46.185.44:443 | C2 Server (alternate, stage 2) |
| Network | 156.251.17.243:18852 | C2 Server (historic MDR sample) |
| Network | Additional related: 112.213.101[.]161, etc. | Related C2 infrastructure |
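Before loading the table above into a blocklist it is worth validating it: one of the file entries carries the SHA-256 of empty input, and one network entry is defanged with `[.]` while the others are not. The following is an added example (not part of the Rapid7 report or its tooling) that validates the hash entries, refangs the network entries, and matches a digest or an in-memory file body against the usable file indicators; the indicator values are copied from the table, everything else is illustrative.

```python
"""Sanity-check and apply the IOC table above.

Added example, not part of the Rapid7 report. Hash and network values are
copied from the table; the validation and matching logic is illustrative.
"""
import hashlib
import re

# File indicators from the table (name -> SHA-256 as printed).
FILE_IOCS = {
    "Config2.ini": "4CB2CAB237893D0D661E2378E7FE4E1BAFBFAEFD713091E26C96F7EC182B6CD0",
    "Config.ini": "E2490CFD25D8E66A7888F70B56FF8409494DE3B3D87BC5464D3ADABBA8B32177",
    "insttect.exe": "4FDEDADAA57412E242DC205FABDCA028F6402962D3A8AF427A01DD38B40D4512",
    "intel.dll": "B8E8A13859ED42E6E708346C555A094FDC3FBD69C3C1CB9EFB43C08C86FE32D0",
    "Single.ini": "B22599DD0A1C44CA1B35DF16006F3085BDDAE3EBBA6A3649EC6E4DC4CBF74865",
    "Iatsvpn-Latest.exe": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "monitor.bat": "5767D408EC37B45C7714D70AE476CB34905AD6B59830572698875FC33C3BAF2F",
}

# Network indicators from the table; one is defanged with [.].
NETWORK_IOCS = ["134.122.204.11:18852", "103.46.185.44:443",
                "156.251.17.243:18852", "112.213.101[.]161"]

# SHA-256 of zero-length input. An IOC list carrying this value describes an
# empty file and would match every empty file on every host.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
HEX64 = re.compile(r"[0-9a-f]{64}")


def validate_hash_iocs(iocs):
    """Split (name -> hash) into usable and rejected; hashes are lowercased."""
    usable, rejected = {}, {}
    for name, h in iocs.items():
        h = h.strip().lower()
        if not HEX64.fullmatch(h):
            rejected[name] = "not a SHA-256 hex digest"
        elif h == EMPTY_SHA256:
            rejected[name] = "SHA-256 of empty input; placeholder, not a detection"
        else:
            usable[name] = h
    return usable, rejected


def parse_network_ioc(entry):
    """Refang '1.2.3[.]4:443' style entries into (ip, port-or-None)."""
    entry = entry.replace("[.]", ".").strip()
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?", entry)
    if not m:
        raise ValueError(f"unrecognised network indicator: {entry!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def match_sha256(digest, usable=None):
    """Return the IOC file name whose hash equals digest, else None."""
    if usable is None:
        usable = validate_hash_iocs(FILE_IOCS)[0]
    digest = digest.strip().lower()
    for name, h in usable.items():
        if h == digest:
            return name
    return None


def match_bytes(data):
    """Hash an in-memory file body and look it up; empty files never match."""
    return match_sha256(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    usable, rejected = validate_hash_iocs(FILE_IOCS)
    for name, why in rejected.items():
        print(f"rejected {name}: {why}")
    print([parse_network_ioc(e) for e in NETWORK_IOCS])
    print(match_bytes(b""))  # None, even though the table carries the empty-file hash
```

The validation step is the point: a hash-based blocklist fed straight from the table would quarantine every zero-byte file it encountered. The network entries parse to (ip, port) tuples; the bracketed entry has no port in the table and parses with `None`, which a firewall rule should treat as "all ports" only after confirming the address against the original report.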
The post Winos 4.0 Threat Actors Disguise Malware as VPN and QQBrowser appeared first on Cyber Security News.
