NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign

May 28, 2025, 1:16 p.m.

Description

A malware campaign that uses fake software installers to deliver Winos v4.0, a memory-resident malware, has been tracked through 2025. The campaign, dubbed Catena, relies on trojanized NSIS installers, reflective DLL loading, and INI files carrying embedded shellcode to evade detection. Payloads are staged entirely in memory and connect to attacker-controlled servers hosted mainly in Hong Kong. The operation appears focused on Chinese-speaking environments and shows signs of long-term planning by a capable threat group. The infection chain has multiple stages: the initial NSIS installer, a first-stage loader, and second-stage payloads that ultimately deliver the Winos v4.0 stager. The campaign has evolved over time, adapting its tactics to avoid detection while keeping its core infrastructure and execution logic.

Date

  • Created: May 27, 2025, 11:59 p.m.
  • Published: May 27, 2025, 11:59 p.m.
  • Modified: May 28, 2025, 1:16 p.m.

Indicators

  • e2490cfd25d8e66a7888f70b56ff8409494de3b3d87bc5464d3adabba8b32177
  • e036d5e88a51008b130673ad65872559c060deeb29a0f8da103fe6d036e9d031
  • d95aed234f932a1c48a2b1b0d98c60ca31f962310c03158e2884ab4ddd3ea1e0
  • ba0fd15483437a036e7f9dc91a65caa6e9b9494ed3793710257c450a30b88b8a
  • b22599dd0a1c44ca1b35df16006f3085bddae3ebba6a3649ec6e4dc4cbf74865
  • b8e8a13859ed42e6e708346c555a094fdc3fbd69c3c1cb9efb43c08c86fe32d0
  • 5767d408ec37b45c7714d70ae476cb34905ad6b59830572698875fc33c3baf2f
  • 4fdedadaa57412e242dc205fabdca028f6402962d3a8af427a01dd38b40d4512
  • 4cb2cab237893d0d661e2378e7fe4e1bafbfaefd713091e26c96f7ec182b6cd0
  • 47ad38adc3b18fb62a8e0a33e9599fd0b90d9de220d1a18b6761d035448c378f
  • 28d2477926de5d5a8ffcb708cb0c95c3aa9808d757f77b92f82ad4aa50a05cc8
  • 1e57ac6ad9a20cfab1fe8edd03107e7b63ab45ca555ba6ce68f143568884b003
  • 16c79970ed965b31281270b1be3f1f43671dfaf39464d7eac38b8b27c66661cf
  • 01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b
  • 43.226.125.44
  • 202.79.173.98
  • 202.79.173.50
  • 202.79.171.133
  • 156.251.17.243
  • 143.92.63.144
  • 143.92.61.154
  • 137.220.229.34
  • 134.122.204.11
  • 112.213.101.161
  • 112.213.101.139
  • 103.46.185.73
  • 103.46.185.44
  • 27.124.40.155
  • 202.79.173.54
  • 202.79.168.211
  • 112.213.116.91
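As an added example (not part of this page or of the campaign analysis it summarizes), the Python below loads the SHA-256 hashes and IPv4 addresses listed above, scans a few constructed Sysmon-style log lines for them, and groups the addresses by /24 to show which ranges cluster. The log lines, file paths and event-field names are constructed assumptions, not telemetry from the campaign; only the indicator values come from this page.

```python
"""Match this page's Indicators against sample endpoint logs.

Added example, not code from the original page. The log lines below are
constructed to resemble Sysmon process-creation (EventID=1) and
network-connection (EventID=3) records; they are not real telemetry.
"""
import ipaddress
import re
from dataclasses import dataclass

# SHA-256 hashes copied from the Indicators section above, normalised to lower case.
SHA256_IOCS = frozenset(h.lower() for h in (
    "e2490cfd25d8e66a7888f70b56ff8409494de3b3d87bc5464d3adabba8b32177",
    "e036d5e88a51008b130673ad65872559c060deeb29a0f8da103fe6d036e9d031",
    "d95aed234f932a1c48a2b1b0d98c60ca31f962310c03158e2884ab4ddd3ea1e0",
    "ba0fd15483437a036e7f9dc91a65caa6e9b9494ed3793710257c450a30b88b8a",
    "b22599dd0a1c44ca1b35df16006f3085bddae3ebba6a3649ec6e4dc4cbf74865",
    "b8e8a13859ed42e6e708346c555a094fdc3fbd69c3c1cb9efb43c08c86fe32d0",
    "5767d408ec37b45c7714d70ae476cb34905ad6b59830572698875fc33c3baf2f",
    "4fdedadaa57412e242dc205fabdca028f6402962d3a8af427a01dd38b40d4512",
    "4cb2cab237893d0d661e2378e7fe4e1bafbfaefd713091e26c96f7ec182b6cd0",
    "47ad38adc3b18fb62a8e0a33e9599fd0b90d9de220d1a18b6761d035448c378f",
    "28d2477926de5d5a8ffcb708cb0c95c3aa9808d757f77b92f82ad4aa50a05cc8",
    "1e57ac6ad9a20cfab1fe8edd03107e7b63ab45ca555ba6ce68f143568884b003",
    "16c79970ed965b31281270b1be3f1f43671dfaf39464d7eac38b8b27c66661cf",
    "01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b",
))

# IPv4 addresses copied from the Indicators section above.
IP_IOCS = frozenset((
    "43.226.125.44", "202.79.173.98", "202.79.173.50", "202.79.171.133",
    "156.251.17.243", "143.92.63.144", "143.92.61.154", "137.220.229.34",
    "134.122.204.11", "112.213.101.161", "112.213.101.139", "103.46.185.73",
    "103.46.185.44", "27.124.40.155", "202.79.173.54", "202.79.168.211",
    "112.213.116.91",
))

# \b stops a 64-hex run inside a longer hex string (e.g. a SHA-512) from matching.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Candidate addresses are extracted syntactically; the hit decision is an exact
# set lookup, so a near miss such as 43.226.125.4 never matches 43.226.125.44.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned lines
    kind: str      # "sha256" or "ip"
    value: str     # normalised indicator that matched


def scan_lines(lines):
    """Return every indicator hit, in line order, for an iterable of log lines."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for h in SHA256_RE.findall(line):
            if h.lower() in SHA256_IOCS:
                hits.append(Hit(line_no, "sha256", h.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in IP_IOCS:
                hits.append(Hit(line_no, "ip", ip))
    return hits


def group_by_prefix(ips, prefixlen=24):
    """Group addresses by their enclosing /prefixlen network.

    Several listed addresses share a /24 (202.79.173.0/24 holds three); a
    prefix-level watch catches new hosts brought up in the same range that a
    plain address list would miss.
    """
    groups = {}
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups.setdefault(str(net), []).append(ip)
    return {net: sorted(members, key=ipaddress.ip_address)
            for net, members in groups.items()}


# Constructed sample log lines (assumed field names; not real telemetry).
LISTED_HASH = "e2490cfd25d8e66a7888f70b56ff8409494de3b3d87bc5464d3adabba8b32177"
SAMPLE_LOGS = [
    # benign process start; well-formed hash that is not on the list
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe Hashes=SHA256=" + "0" * 64,
    # a listed hash, upper-cased to exercise normalisation
    "EventID=1 Image=C:\\Users\\u\\Downloads\\installer.exe Hashes=SHA256=" + LISTED_HASH.upper(),
    # outbound connection to a listed address
    "EventID=3 Image=C:\\Users\\u\\AppData\\Local\\Temp\\u.exe DestinationIp=202.79.173.98 DestinationPort=443",
    # near miss: prefix of a listed address, must not match
    "EventID=3 Image=C:\\Program Files\\app\\app.exe DestinationIp=43.226.125.4 DestinationPort=80",
]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
    for net, members in sorted(group_by_prefix(IP_IOCS).items()):
        if len(members) > 1:
            print(f"{net}: {', '.join(members)}")
```

Run as a script it reports the two hits (the upper-cased hash on line 2 and the C2 address on line 3) and the /24 ranges that hold more than one listed address. Hash matching is case-insensitive because log sources differ in case; address matching is deliberately exact, with the prefix grouping kept separate so a /24 watch is an explicit analyst decision rather than a silent widening of the indicator list.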

Attack Patterns

Additional Information

  • Technology
  • Hong Kong
  • China