Hackers Lure With Fake VPNs to Spread Winos Malware
Hackers are leveraging counterfeit software installers disguised as popular applications, including LetsVPN and QQ Browser, to distribute the Winos 4.0 malware framework, cybersecurity researchers revealed. The campaign, uncovered by Rapid7 in February 2025, employs a sophisticated multi-stage loader known as Catena to execute the attack.
Catena functions as a memory-resident loader, embedding shellcode and configuration-switching logic to facilitate staged payload delivery. The use of Nullsoft Scriptable Install System (NSIS)-based installers allows threat actors to mimic legitimate software distribution methods, increasing the likelihood of successful infections.
The malware campaign highlights an ongoing trend where cybercriminals exploit trusted application names to bypass user defenses and deliver advanced threats. The Winos 4.0 framework, known for its stealth and modularity, is designed to persist in memory, complicating detection and forensic analysis.
Researchers warn users to verify software sources and remain cautious when downloading installers, particularly those associated with widely used VPN and browser platforms.
