The VPN You Shouldn’t Have Downloaded

-

Source : The Hacker News

A sophisticated malware campaign has emerged, leveraging counterfeit VPN and browser installers to deploy Winos 4.0, a stealthy remote access trojan (RAT). Disguised as legitimate applications like LetsVPN and QQBrowser, these trojanized installers exploit the Nullsoft Scriptable Install System (NSIS) to execute a multi-stage, in-memory attack sequence. [2,4]

The infection chain initiates with the Catena loader, a memory-resident component that employs shellcode embedded in .ini files and reflective DLL injection to evade traditional antivirus detection. This loader orchestrates the deployment of Winos 4.0, a modular malware framework capable of data exfiltration, remote shell access, and distributed denial-of-service (DDoS) attacks. [2]

Notably, the malware exhibits region-specific targeting, primarily focusing on Chinese-speaking users. It checks for Chinese language settings on infected systems, although this filter is not strictly enforced, indicating potential expansion to broader targets. [3]

To maintain persistence, the malware registers scheduled tasks set to execute weeks after the initial compromise. Additionally, it modifies Microsoft Defender settings via PowerShell commands to exclude all drives from scanning, further concealing its presence. [2]

The campaign's infrastructure includes command-and-control servers primarily hosted in Hong Kong, utilizing TCP port 18856 and HTTPS port 443 for communication. The use of expired digital certificates, allegedly from reputable companies, adds a layer of legitimacy to the malicious installers, deceiving users into trusting the software. [2]

This operation has been attributed to the threat group known as Void Arachne, also referred to as Silver Fox, indicating a high level of organization and long-term planning. The campaign underscores the need for heightened vigilance when downloading software, even from seemingly trustworthy sources. [1]

References

[1] A. Širokova and I. Feigl, "NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign," Rapid7, May 22, 2025. [Online]. Available: https://www.rapid7.com/blog/post/2025/05/22/nsis-abuse-and-srdi-shellcode-anatomy-of-the-winos-4-0-campaign/

[2] R. Lakshmanan, "Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware," The Hacker News, May 25, 2025. [Online]. Available: https://thehackernews.com/2025/05/hackers-use-fake-vpn-and-browser-nsis.html

[3] A. Mishra, "Winos 4.0 Malware Masquerades as VPN and QQBrowser to Target Users," GBHackers, May 23, 2025. [Online]. Available: https://gbhackers.com/winos-4-0-malware-masquerades-as-vpn-and-qqbrowser/

[4] I. Tasdelen, "Hackers Are Sneaking Winos 4.0 Malware Through Fake VPN and Browser Installers," Medium, May 26, 2025. [Online]. Available: https://medium.com/@ismailtasdelen/hackers-are-sneaking-winos-4-0-malware-through-fake-vpn-and-browser-installers-e83584ef5ea3

Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more