{"id":214819,"date":"2025-05-27T01:10:44","date_gmt":"2025-05-27T06:10:44","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/05\/hackers-use-fake-vpn-and-browser-nsis-installers-to-deliver-winos-4-0-malware"},"modified":"2025-05-27T01:10:44","modified_gmt":"2025-05-27T06:10:44","slug":"hackers-use-fake-vpn-and-browser-nsis-installers-to-deliver-winos-4-0-malware","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/05\/hackers-use-fake-vpn-and-browser-nsis-installers-to-deliver-winos-4-0-malware","title":{"rendered":"Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware"},"content":{"rendered":"<p>Cybersecurity researchers have disclosed a malware campaign that uses fake software installers masquerading as popular tools like LetsVPN and QQ Browser to deliver the <strong>Winos 4.0<\/strong> framework.<\/p>\n<p>The campaign, first detected by Rapid7 in February 2025, involves the use of a multi-stage, memory-resident loader called Catena.<\/p>\n<p>\u201cCatena uses embedded shellcode and configuration switching logic to stage payloads like Winos 4.0 entirely in memory, evading traditional antivirus tools,\u201d security researchers Anna \u0160irokova and Ivan Feigl <a href=\"https:\/\/www.rapid7.com\/blog\/post\/2025\/05\/22\/nsis-abuse-and-srdi-shellcode-anatomy-of-the-winos-4-0-campaign\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u201cOnce installed, it quietly connects to attacker-controlled servers \u2013 mostly hosted in Hong Kong \u2013 to receive follow-up instructions or additional malware.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have disclosed a malware campaign that uses fake software installers masquerading as popular tools like LetsVPN and QQ Browser to deliver the Winos 4.0 framework. The campaign, first detected by Rapid7 in February 2025, involves the use of a multi-stage, memory-resident loader called Catena. \u201cCatena uses embedded shellcode and configuration switching logic to [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-214819","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/214819","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=214819"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/214819\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=214819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=214819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=214819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}