NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign
Essential information
- Published: 27/05/2025 23:59
- Modified: 28/05/2025 13:16
- Tags: 2025-05-27 catena loader chinese-speaking targets memory-resident malware nsis reflective dll injection srdi trojanized installers winos winos v4.0
- Related entities: 31 observables, 1 intrusion set (APT), 10 techniques (MITRE), 2 malware, 3 others
Description
A malware campaign using fake software installers to deliver Winos v4.0, a memory-resident malware, has been tracked throughout 2025. The campaign, dubbed Catena, employs trojanized NSIS installers, reflective DLL loading, and shellcode-embedded INI files to evade detection. It stages payloads entirely in memory, connecting to attacker-controlled servers mainly in Hong Kong. The operation appears focused on Chinese-speaking environments and shows signs of long-term planning by a capable threat group. The infection chain involves multiple stages, including initial NSIS installers, first-stage loaders, and second-stage payloads, ultimately delivering the Winos v4.0 stager. The campaign has evolved over time, adapting its tactics to avoid detection while maintaining core infrastructure and execution logic.