A stealth malware campaign leveraging trojanized NSIS installers and advanced in-memory shellcode execution has been tracked by Rapid7 since February 2025. Known as “Winos 4.0,” the campaign uses the Catena loader to deploy remote access malware without leaving traces on disk, making detection exceptionally difficult. With attackers adapting their tactics across multiple continents, experts warn of its implications, especially for cybersecurity defenders across the Middle East and Africa.
Anatomy of the Winos 4.0 Campaign
February 2025: First Detection by Rapid7
The campaign was first detected in February 2025 during a Managed Detection and Response (MDR) investigation. The malware masqueraded as a QQBrowser installer (QQBrowser_Setup_x64.exe), delivering payloads via a complex, memory-resident execution chain.
Key components of the QQBrowser variant included:
- Axialis.vbs and Axialis.ps1 (scripted loaders)
- Axialis.dll (malicious payload)
- Config.ini / Config2.ini (shellcode and payloads embedded in .ini files)
- Execution triggered via a VBS + PowerShell chain
- A mutex check via CreateMutexA determined which .ini file to load
According to Rapid7, shellcode in Config.ini was compiled using the sRDI reflective DLL loader, available from GitHub. Payloads are executed entirely in memory, sidestepping traditional antivirus systems.
“This malware demonstrates a deep understanding of Windows internals and evasion tactics. Its reflective loading chain is robust and modular—clear signs of a sophisticated threat actor,” said Ivan Feigl, Senior Threat Analyst at Rapid7.
March-May 2025: Widespread Reuse and Variants Detected
Through threat hunting, Rapid7 linked multiple samples to the same threat actor:
- NSIS installers disguised as LetsVPN, Telegram, Chrome, and other tools
- Payloads embedded in .ini files across %APPDATA% and %LOCALAPPDATA%
- Hardcoded C2 infrastructure using TCP 18856 and HTTPS 443
- Communication with servers mostly located in Hong Kong
April 2025 marked a tactical evolution:
- PowerShell scripts like Axialis.ps1 were dropped
- Malware invoked via regsvr32.exe to reduce footprint
- Increased obfuscation and antivirus evasion
Middle East & Africa: Implications and Response
While current targeting appears focused on Chinese-language systems, the campaign’s stealth, modularity, and adaptability make it a global concern. Organizations across MEA, particularly those reliant on Windows endpoints, VPN technologies, and digital government platforms, must stay vigilant.
Cybersecurity awareness and training programs in the Middle East are evolving, but the reliance on localized software installers and the region’s burgeoning tech ecosystem may create risk gaps.
“This is exactly the type of cross-regional, low-noise campaign that bypasses traditional SOC detections. Emerging economies and tech hubs like Dubai, Nairobi, and Lagos must harden user endpoints and monitor installer traffic,” warned Sarah Al-Husseini, MEA Cyber Defense Consultant, during a recent CyberCory.com webinar on malware trends.
Technical Summary
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1566.001 – Spearphishing Attachment |
| Execution | T1059.001 – PowerShell |
| Persistence | T1053.005 – Scheduled Task/Job: Scheduled Task |
| Defense Evasion | T1218.010 – Regsvr32 |
| Command & Control | T1071.001 – Application Layer Protocol: Web |
| Payload Staging | T1620 – Reflective Code Loading |
Indicators of Compromise (IOCs)
File Hashes:
1E57AC6AD9A20CFAB1FE8EDD03107E7B63AB45CA555BA6CE68F143568884B003
(LetsVPN Installer)
C2 Infrastructure:
156.251.17.243:18852
27.124.40.155:18852
Artifacts:
Single.ini, intel.dll, Decision.vbs, Monitor.bat, updated.ps1, PolicyManagement.xml
Actionable Takeaways for Defenders
- Block legacy NSIS installers from untrusted sources via endpoint protection policies.
- Monitor for mutex artifacts like VJANCAVESU or suspicious VBS/PS1 activity under %APPDATA%.
- Harden scheduled task creation policies and audit for suspicious PowerShell execution.
- Implement Defender Attack Surface Reduction (ASR) rules for scripts and unsigned processes.
- Alert on regsvr32.exe executions that load unknown DLLs—especially from non-system folders.
- Educate staff via security awareness training on trojanized software threats.
- Deploy network segmentation to isolate infected systems quickly.
- Leverage memory analysis tools like Volatility or Rekall during IR investigations.
- Check for defender exclusion modifications—a known evasion technique in this campaign.
- Align controls with CyberCory's latest cybersecurity best practices and update regularly.
Conclusion: Stealth Today, Scale Tomorrow?
The Winos 4.0 campaign exemplifies modern malware trends: modular, memory-resident, and quietly evolving. While initial targeting may appear regionally limited, its stealthy execution chain, sRDI exploitation, and adaptability present global risks. Organizations, especially in MEA, must assume that in-memory, installer-based threats are not hypothetical but operational today.
With new samples continuing to surface as of 22 May 2025, Rapid7’s detection and ongoing tracking provide a crucial early-warning signal. Now is the time for CISOs and SOC teams to act, not react.