Winos 4.0 (aka ValleyRAT) was first publicly documented by Trend Micro in June 2024 as being used in attacks targeting Chinese-speaking users by means of malicious Windows Installer (MSI) files for VPN apps. The activity has been attributed to a threat cluster Trend Micro tracks as Void Arachne, which is also referred to as Silver Fox.
Subsequent campaigns distributing the malware have leveraged gaming-related applications like installation tools, speed boosters, and optimization utilities as lures to trick users into installing it. Another attack wave detailed in February 2025 targeted entities in Taiwan via phishing emails that purported to be from the National Taxation Bureau.
Rapid7 said all the artifacts flagged in February 2025 relied on NSIS installers bundled with signed decoy apps, shellcode embedded in ".ini" files, and reflective DLL injection to covertly maintain persistence on infected hosts and avoid detection. The entire infection chain has been given the moniker Catena.
Persistence on the host is achieved by registering scheduled tasks that are executed weeks after the initial compromise. While the malware features an explicit check for Chinese language settings on the system, it still proceeds with execution even when none are found.
In the revamped attack sequence, the NSIS installer disguises itself as a setup file for LetsVPN and runs a PowerShell command that adds Microsoft Defender exclusions for all drives (C:\ to Z:\). It then drops additional payloads, including an executable that takes a snapshot of running processes and checks for processes related to 360 Total Security, an antivirus product developed by Chinese vendor Qihoo 360.
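As an added defensive example (not code from the article or from Rapid7), the following Python script scans PowerShell ScriptBlock-style log lines for `Add-MpPreference`/`Set-MpPreference` calls that exclude entire drive roots, the pattern the installer uses for C:\ through Z:\. The sample log lines, the one-root threshold and the function names are assumptions made for the example.

```python
import re
import string

# Constructed sample lines in the style of PowerShell ScriptBlock logging (Event ID 4104).
# Illustrative only, not real telemetry from the campaign.
ALL_DRIVES = ",".join(f"'{c}:\\'" for c in string.ascii_uppercase[2:])  # 'C:\','D:\',...,'Z:\'
SAMPLE_SCRIPT_BLOCKS = [
    'Add-MpPreference -ExclusionPath "C:\\Program Files\\BuildAgent" -Force',  # admin excluding one folder
    f"Add-MpPreference -ExclusionPath {ALL_DRIVES}",                            # every drive root, as in the installer
    "Set-MpPreference -ExclusionPath 'D:\\', 'E:\\' -DisableRealtimeMonitoring $false",
    "Get-Process | Out-File C:\\Temp\\proc.txt",                                 # unrelated activity
]

# Argument list after -ExclusionPath, up to the next -Parameter or end of line.
_EXCL_RE = re.compile(r"-ExclusionPath\s+(.*?)(?=\s+-[A-Za-z]|\s*$)", re.IGNORECASE)
# A bare drive root such as C:\ or c: (no further path component).
_ROOT_RE = re.compile(r"^([A-Za-z]):\\?$")

def exclusion_paths(script_block: str) -> list[str]:
    """Return the paths passed to -ExclusionPath in one script block (empty list if none)."""
    m = _EXCL_RE.search(script_block)
    if not m:
        return []
    return [p.strip().strip("'\"") for p in m.group(1).split(",") if p.strip()]

def excluded_drive_roots(paths: list[str]) -> set[str]:
    """Drive letters whose whole root is excluded, uppercased."""
    return {m.group(1).upper() for p in paths if (m := _ROOT_RE.match(p))}

def assess(script_block: str, max_roots: int = 1) -> dict:
    """Flag a block that removes more than max_roots whole drives from Defender scanning."""
    paths = exclusion_paths(script_block)
    roots = excluded_drive_roots(paths)
    return {"paths": paths, "drive_roots": sorted(roots), "suspicious": len(roots) > max_roots}

def scan(blocks: list[str], max_roots: int = 1) -> list[dict]:
    """Run assess() over a log and return only suspicious findings with their line index."""
    findings = []
    for i, block in enumerate(blocks):
        result = assess(block, max_roots)
        if result["suspicious"]:
            result["line"] = i
            findings.append(result)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"line {f['line']}: excludes whole drives {','.join(f['drive_roots'])}")
```

A single excluded drive root is tolerated by default because some administrators do exclude a data volume; the threshold is a tunable, not a verdict.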
Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware
Winos 4.0 malware campaign active since Feb 2025 uses fake installers, Catena loader, and AV evasion tactics.
thehackernews.com