Cybersecurity researchers have disclosed a malicious campaign that uses fake software installers masquerading as popular tools such as LetsVPN and QQBrowser to deliver the Winos 4.0 framework.
The campaign, first detected by Rapid7 in February 2025, involves the use of a multi-stage loader called Catena.
"Catena uses embedded shellcode and configuration-switching logic to stage payloads such as Winos 4.0 entirely in memory, evading traditional antivirus tools," the researchers noted. "Once installed, it quietly connects to attacker-controlled servers, mostly hosted in Hong Kong, to receive follow-up instructions or additional malware."
The attacks, like those that have deployed Winos 4.0 in the past, appear to focus on Chinese-speaking environments, with the cybersecurity company calling out "careful, long-term planning" by a highly capable threat actor.
Winos 4.0 (also known as ValleyRAT) was first publicly documented by Trend Micro in 2024 in attacks targeting Chinese-speaking users via malicious Windows Installer (MSI) files posing as VPN applications. The activity was attributed to a threat cluster it tracks as Void Arachne, also called Silver Fox.
Subsequent campaigns distributing the malware have used gaming-related applications such as installation tools, speed boosters, and optimization utilities as lures to trick users into installing it. Another wave of attacks, detailed in February 2025, targeted entities in Taiwan through phishing emails purporting to come from the National Taxation Bureau.
Built on the foundations of the well-known remote access trojan Gh0st RAT, Winos 4.0 is an advanced malicious framework written in C++ that uses a plugin-based system to harvest data, provide remote shell access, and launch distributed denial-of-service (DDoS) attacks.
[Figure: QQBrowser-based infection flow observed in February 2025]
Rapid7 said all the artifacts it flagged in February 2025 relied on NSIS installers bundled with signed decoy applications, shellcode embedded in ".ini" files, and reflective DLL injection to covertly maintain persistence on infected hosts and evade detection. The entire infection chain has been given the moniker Catena.
"The campaign has remained active throughout 2025, showing a consistent infection chain with some tactical adjustments, pointing to a capable and adaptive threat actor," the researchers said.
The starting point is a trojanized NSIS installer that masquerades as an installer for QQBrowser, a Chromium-based web browser, and is engineered to deliver Winos 4.0 using Catena. The malware communicates with hard-coded command-and-control (C2) infrastructure over TCP port 18856 and HTTPS port 443.
[Figure: LetsVPN-based infection flow observed in April 2025]
Persistence on the host is achieved by registering scheduled tasks that are executed weeks after the initial compromise. Although the malware contains an explicit check for Chinese language settings on the system, it continues to run even when that check fails.
This suggests the check is an unfinished feature that is expected to be fully implemented in future iterations of the malware. That said, Rapid7 said it identified a "tactical shift" in April 2025 that not only swapped out some elements of the Catena chain but also incorporated features to evade antivirus detection.
In the updated attack sequence, the NSIS installer masquerades as a setup file for LetsVPN and runs a PowerShell command that adds Microsoft Defender exclusions for all drives (C:\ to Z:\). It then drops additional payloads, including an executable that takes a snapshot of running processes and checks for 360 Total Security processes, an antivirus product developed by the Chinese vendor Qihoo 360.
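A blanket Defender exclusion covering every drive root is a strong, cheap signal for defenders. The following added example (not Rapid7's code or the article's) shows one way to triage PowerShell script-block log lines for it: it parses `Add-MpPreference -ExclusionPath` arguments, counts how many whole-drive roots are excluded, and flags events that cover all of C:\ to Z:\. The log lines, their `EventID=4104 ScriptBlockText=` shape, and the alert threshold of three drive roots are all constructed assumptions for this illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample events modelled on PowerShell script-block logging (Event ID 4104).
# They are not real log lines from the campaign; the last Add-MpPreference line mirrors
# the behaviour the article describes (exclusions for every drive from C:\ to Z:\).
ALL_DRIVES = "CDEFGHIJKLMNOPQRSTUVWXYZ"
SAMPLE_EVENTS: List[str] = [
    # Benign-looking: a single directory exclusion for a build output folder.
    "EventID=4104 ScriptBlockText=Add-MpPreference -ExclusionPath 'D:\\build\\out' -Force",
    # Two whole-drive roots: worth a look, but below the alert threshold used here.
    "EventID=4104 ScriptBlockText=Add-MpPreference -ExclusionPath 'C:\\','D:\\' -ExclusionProcess 'msbuild.exe'",
    # Every drive letter excluded at the root, as described in the article.
    "EventID=4104 ScriptBlockText=Add-MpPreference -ExclusionPath "
    + ",".join(f"'{d}:\\'" for d in ALL_DRIVES),
    # Read-only query: no exclusions are added, so nothing to flag.
    "EventID=4104 ScriptBlockText=Get-MpPreference | Select-Object ExclusionPath",
]

# Assumed threshold: legitimate admin exclusions target directories, not whole drives,
# so three or more drive roots in a single command is treated as suspicious.
ROOT_EXCLUSION_THRESHOLD = 3

EXCLUSION_RE = re.compile(r"Add-MpPreference\b(?P<args>.*)", re.IGNORECASE)
# Value runs until the next "-Parameter" token or end of line.
PATH_PARAM_RE = re.compile(
    r"-ExclusionPath\s+(?P<value>.+?)(?=\s+-[A-Za-z]|\s*$)", re.IGNORECASE
)
# Single-quoted, double-quoted, or bare comma-separated path tokens.
TOKEN_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|([^,\s]+)")
# A path that is nothing but a drive root, e.g. C:\ or C:
DRIVE_ROOT_RE = re.compile(r"([A-Za-z]):[\\/]?")


def extract_exclusion_paths(script_text: str) -> List[str]:
    """Return every path passed to -ExclusionPath in an Add-MpPreference call."""
    match = EXCLUSION_RE.search(script_text)
    if not match:
        return []
    paths: List[str] = []
    for param in PATH_PARAM_RE.finditer(match.group("args")):
        for token in TOKEN_RE.findall(param.group("value")):
            path = next((t for t in token if t), "")
            if path:
                paths.append(path)
    return paths


def drive_roots(paths: List[str]) -> Set[str]:
    """Drive letters (upper-case) for paths that exclude an entire drive."""
    roots: Set[str] = set()
    for path in paths:
        m = DRIVE_ROOT_RE.fullmatch(path.strip())
        if m:
            roots.add(m.group(1).upper())
    return roots


def assess_event(line: str) -> Dict[str, object]:
    """Summarise one script-block event: paths, drive roots, and verdict flags."""
    paths = extract_exclusion_paths(line)
    roots = drive_roots(paths)
    return {
        "paths": paths,
        "drive_roots": sorted(roots),
        "covers_all_drives": set(ALL_DRIVES) <= roots,
        "suspicious": len(roots) >= ROOT_EXCLUSION_THRESHOLD,
    }


def triage(events: List[str]) -> List[Tuple[int, Dict[str, object]]]:
    """Return (index, assessment) for every event that crosses the threshold."""
    results = []
    for idx, event in enumerate(events):
        assessment = assess_event(event)
        if assessment["suspicious"]:
            results.append((idx, assessment))
    return results


if __name__ == "__main__":
    for idx, hit in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {len(hit['drive_roots'])} drive roots excluded, "
              f"all drives={hit['covers_all_drives']}")
```

Run against the constructed events, only the all-drives command is reported; the single-directory exclusion and the read-only `Get-MpPreference` query produce no alert. In production the same parser can be pointed at Event ID 4104 script-block text or at the Defender operational log, and the threshold lowered to one if whole-drive exclusions are never legitimate in your environment.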
The binary is signed with an expired certificate issued by VeriSign and purportedly belonging to Tencent Technology (Shenzhen). It was valid from 2018-10-11 to 2020-02-02. The executable's main responsibility is to load a DLL file, which in turn connects to the C2 server ("134.122.204[.]11:18852" or "103.185[.]443") to download and execute Winos 4.0.
"This campaign shows a well-organized, regionally focused malware operation using trojanized NSIS installers to quietly drop Winos 4.0," the researchers said.
"It relies heavily on memory-resident payloads, reflective DLL loading, and decoy software signed with legitimate certificates to avoid raising alarms. Infrastructure overlaps and targeting patterns point to a connection with the Silver Fox APT, with the activity directed."