NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign
A malware campaign that uses fake software installers to deliver Winos v4.0, a memory-resident malware family, has been tracked throughout 2025. The campaign, dubbed Catena, uses trojanized NSIS installers, reflective DLL loading and shellcode embedded in INI files to evade detection. The decoded payloads are staged entirely in memory and beacon to attacker-controlled servers located mainly in Hong Kong. The operation appears focused on Chinese-speaking environments and shows signs of long-term planning by a capable threat group. The infection chain has several stages: an initial NSIS installer, a first-stage loader and a second-stage payload, which ultimately delivers the Winos v4.0 stager. The campaign has evolved over time, changing tactics to avoid detection while keeping its core infrastructure and execution logic.
AI Analysis
Technical Summary
The Winos 4.0 campaign, tracked throughout 2025 and dubbed 'Catena', is a malware operation that uses trojanized NSIS (Nullsoft Scriptable Install System) installers to deliver Winos v4.0, a memory-resident payload. NSIS is a legitimate, widely used open-source installer framework, so a trojanized installer looks and behaves like any freeware setup program while its install script drops and launches the loader alongside the decoy application.

The evasion technique at the core of the chain is sRDI (shellcode Reflective DLL Injection): a DLL is converted into position-independent shellcode that carries its own loader, so it can be mapped into memory and executed without ever passing a file to LoadLibrary. Catena stores this shellcode inside INI files, which look like harmless configuration data rather than executables. The practical consequence is that 'memory-resident' describes the decoded payload, not the whole chain. The installer, the first-stage loader and the INI files that carry the shellcode are all written to disk and are the artifacts worth hunting for; only the reconstructed DLL and the Winos stager exist purely in memory, which is what defeats file-based antivirus scanning and keeps the forensic footprint small.

The infection chain is multi-staged: the fake installer deploys a first-stage loader, the loader reads and executes the embedded shellcode, and that second-stage payload ultimately loads the Winos v4.0 stager. The stager connects to command-and-control (C2) servers located primarily in Hong Kong (the addresses are listed under Indicators of Compromise). The campaign targets Chinese-speaking environments and is attributed to the Silver Fox APT group, a long-running and well-resourced actor. It has adapted its tactics over time while keeping the same core infrastructure and execution logic.

The mapped MITRE ATT&CK techniques are DLL injection (T1055.001; the reflective loading step itself is also covered by T1620, Reflective Code Loading) and execution through trusted, signed Windows binaries, Rundll32 (T1218.011) and Regsvr32 (T1218.010), both classic living-off-the-land binaries (LOLBins). Because the payload leaves no executable on disk once loaded, detection has to rely on process behaviour, network telemetry and memory inspection rather than file signatures, and eradication must remove the on-disk staging files as well as the in-memory implant.
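The distinction drawn above between the memory-only payload and its on-disk carrier is where file-based triage still has a grip. The Python script below is an added example, not code from the Rapid7 report or from the campaign itself. It reads an INI-style file, tolerates raw binary as well as hex- or base64-wrapped values, measures each value's size and entropy, and looks for a DOS/PE header reachable through e_lfanew, which is what an unencrypted sRDI blob exposes because sRDI appends the converted DLL after its loader stub. The INI layout, the thresholds and the three sample files are constructed assumptions; nothing here is a signature for Catena's actual file format, which this page does not describe.

```python
"""Triage INI-style files that may carry an embedded shellcode blob.
Added example; not code from the Rapid7 report or the Catena campaign.
Assumptions: a text INI whose suspect value is an oversized raw, hex or
base64 blob; thresholds and samples are constructed for the demo."""
import base64
import binascii
import math
import struct
from collections import Counter

HEX = set(b"0123456789abcdefABCDEF")
B64 = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random, compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_if_text_encoded(val: bytes) -> bytes:
    """Undo hex or base64 wrapping, which would otherwise cap entropy at 4 or 6 bits."""
    if len(val) >= 64 and len(val) % 2 == 0 and set(val) <= HEX:
        return bytes.fromhex(val.decode())
    if len(val) >= 64 and set(val) <= B64:
        try:
            return base64.b64decode(val, validate=True)
        except (binascii.Error, ValueError):
            pass
    return val


def find_embedded_pe(blob: bytes) -> int:
    """Offset of a PE image inside blob, or -1. sRDI appends the converted DLL
    after its loader stub, so an unencrypted blob contains a DOS header ('MZ')
    whose e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' signature."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            pe = pos + struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pe:pe + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def parse_ini_values(data: bytes) -> dict:
    """Line-oriented INI reader that tolerates binary values (configparser
    would not); maps 'section.key' to the raw value bytes."""
    values, section = {}, b""
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        if line.startswith(b"[") and line.endswith(b"]"):
            section = line[1:-1]
        elif b"=" in line:
            key, _, val = line.partition(b"=")
            values[(section + b"." + key.strip()).decode("latin-1")] = val.strip()
    return values


def triage_ini(data: bytes, size_threshold: int = 4096,
               entropy_threshold: float = 6.5) -> dict:
    """Flag values that look like payload carriers rather than settings:
    oversized AND (high entropy OR an embedded PE image)."""
    findings = {}
    for name, raw in parse_ini_values(data).items():
        val = decode_if_text_encoded(raw)
        ent, pe_off = shannon_entropy(val), find_embedded_pe(val)
        big = len(val) >= size_threshold
        findings[name] = {"size": len(val), "entropy": round(ent, 2),
                          "embedded_pe_offset": pe_off,
                          "flag": big and (ent >= entropy_threshold or pe_off != -1)}
    return {"suspicious": any(f["flag"] for f in findings.values()),
            "values": findings}


def _fake_srdi_blob() -> bytes:
    """Constructed stand-in: 64-byte stub, minimal DOS/PE header, then filler
    that avoids newline bytes so the value survives the line split."""
    stub = b"\xe8\x00\x00\x00\x00\x5b" + b"\x90" * 58       # call/pop + nops
    dos = bytearray(b"MZ" + b"\x00" * 126)                  # 128-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew = 0x80
    filler = bytes(b for b in range(256) if b not in (0x0A, 0x0D)) * 20
    return stub + bytes(dos) + b"PE\x00\x00" + filler


# Constructed samples, not real campaign files.
BENIGN_INI = b"[Display]\nWidth=1280\nHeight=720\nTheme=dark\n"
CARRIER_INI = b"[Graphics]\nQuality=high\nData=" + _fake_srdi_blob() + b"\n"
HEX_CARRIER_INI = b"[Config]\nKey=" + _fake_srdi_blob().hex().encode() + b"\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_INI), ("raw", CARRIER_INI),
                          ("hex", HEX_CARRIER_INI)):
        print(label, triage_ini(sample)["suspicious"])
```

Run it over the INI files an installer dropped next to its decoy application. The entropy test catches encrypted or compressed carriers that the PE check cannot see, and the PE check catches low-entropy but still unencoded sRDI output; an attacker who XORs the blob defeats the second test but not the first, which is why both are kept.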
Potential Impact
For European organizations the campaign is a direct threat mainly where they operate in, or have business ties to, Chinese-speaking regions, or where users install software aimed at Chinese-speaking audiences; the trojanized installers are the entry point, so exposure depends on who downloads them. Because the payload runs only in memory, signature-based tools may miss the infection entirely, allowing a prolonged undetected presence. Potential impacts include unauthorized access to sensitive information, espionage, lateral movement within the network and disruption of operations. If a software distribution channel or download portal is used to seed the fake installers, the result is a supply-chain compromise of everyone who trusts that channel. The campaign's emphasis on stealth and persistence lets the attackers keep long-term access, exfiltrate data or deploy additional payloads. European organizations with subsidiaries, partners or customers in the affected regions face indirect exposure, and strategically important sectors such as telecommunications, manufacturing and government are plausible targets for intelligence collection or disruption. Reliance on living-off-the-land binaries complicates incident response, because the processes involved (rundll32, regsvr32) are legitimate and cannot simply be blocked, which tends to increase investigation time, downtime and recovery cost.
Mitigation Recommendations
To mitigate the Winos 4.0 campaign, European organizations should layer controls that match each stage of the chain described above:
- Software installation policy. Use application control (AppLocker or WDAC) so that executables launched from user-writable locations such as Downloads, %TEMP% and %APPDATA% are blocked or at least logged, and source installers only from vetted channels. A blanket ban on unsigned NSIS installers is not free: most legitimate NSIS-built freeware is unsigned, so approve known-good installers by hash instead of relying on signatures alone.
- Endpoint detection. Use an EDR that inspects in-memory execution (unbacked executable memory regions, RWX allocations, reflective loading) and flags rundll32 or regsvr32 loading a DLL from a user-writable path. The on-disk staging files (the installer, the first-stage loader and the INI files that carry the shellcode) are the artifacts file-based tooling can still find; hunt for INI files whose values are oversized binary or encoded blobs.
- Network monitoring. Block and alert on the C2 addresses listed under Indicators of Compromise, and alert on outbound connections made by rundll32, regsvr32 or any process whose parent is a freshly downloaded installer. Geo-blocking Hong Kong address space is a crude proxy that both over-blocks and misses infrastructure changes; treat it as a last resort, not a primary control.
- Behavioral analytics. Build detections on the process chain rather than on file hashes: an installer in a user-writable path spawns a LOLBin, the LOLBin loads a DLL from a user-writable path, and that process then makes an outbound connection. Each step alone is common; the sequence is not.
- LOLBin restriction. Audit and restrict trusted binaries that execute arbitrary code (rundll32, regsvr32, msiexec), for example with AppLocker or WDAC DLL rules, so that only DLLs from protected paths can be loaded through them.
- User awareness. Train staff to recognize fake installers and the social engineering that delivers them, particularly for software aimed at Chinese-speaking audiences.
- Threat intelligence. Load the hashes and IP addresses listed below into detection rules and keep them current; C2 addresses rotate, so hash and behaviour rules outlive the IP list.
- Memory forensics readiness. Because the implant lives only in memory, a reboot destroys the primary evidence: capture memory before containment, preserve the on-disk staging files for analysis, and practise both in incident response drills.
- Containment. Segment networks to limit lateral movement and enforce least privilege so that a compromised user workstation does not translate into broad access.
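Two of the recommendations above, process-chain analytics and C2 indicator matching, can be exercised together. The script below is an added example, not a detection published by Rapid7, AlienVault or any vendor. It assumes a simplified Sysmon-like event schema (the field names are mine), a heuristic list of user-writable paths, and a chain shape inferred from the page's mapped techniques (an installer in a user-writable path spawning rundll32 or regsvr32 with a DLL from another user-writable path); the sample events, paths and process names are constructed. The IP set is the one listed under Indicators of Compromise on this page.

```python
"""Correlate endpoint telemetry for the installer -> LOLBin -> C2 chain.
Added example, not a detection published by Rapid7, AlienVault or the
Catena analysis. Event schema and sample events are constructed
(assumption: a flattened Sysmon-like record with the fields used below).
Rules:
  lolbin_from_installer  rundll32/regsvr32 (T1218.011/.010) whose parent
                         runs from a user-writable path and whose DLL
                         argument is also in a user-writable path
  c2_ip                  outbound connection to an IP from this page's IOCs
A pid that trips both rules is reported as high confidence."""

# Attacker infrastructure listed under Indicators of Compromise on this page.
C2_IPS = {
    "27.124.40.155", "43.226.125.44", "103.46.185.44", "103.46.185.73",
    "112.213.101.139", "112.213.101.161", "112.213.116.91", "134.122.204.11",
    "137.220.229.34", "143.92.61.154", "143.92.63.144", "156.251.17.243",
    "202.79.168.211", "202.79.171.133", "202.79.173.50", "202.79.173.54",
    "202.79.173.98",
}
LOLBINS = {"rundll32.exe", "regsvr32.exe"}
# Heuristic markers for locations a standard user can write to (assumption).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def dll_argument(cmdline: str) -> str:
    """First .dll token after the image name (rundll32 'x.dll,Entry' form).
    Simplification: splits on whitespace, so quoted paths containing spaces
    need a real command-line tokenizer in production."""
    for tok in cmdline.split()[1:]:
        low = tok.strip('"').lower()
        if ".dll" in low:
            return low.split(",", 1)[0]
    return ""


def detect(events: list) -> dict:
    """Single pass over ordered events; process_create must precede the
    network_connect of the same pid, as it does in real telemetry."""
    procs, alerts = {}, []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
            parent = procs.get(ev["ppid"])
            if (basename(ev["image"]) in LOLBINS and parent
                    and in_user_writable(parent["image"])):
                dll = dll_argument(ev["cmdline"])
                if dll and in_user_writable(dll):
                    alerts.append({"rule": "lolbin_from_installer", "pid": ev["pid"],
                                   "parent": parent["image"], "dll": dll})
        elif ev["type"] == "network_connect" and ev["dst_ip"] in C2_IPS:
            alerts.append({"rule": "c2_ip", "pid": ev["pid"],
                           "image": procs.get(ev["pid"], {}).get("image", "?"),
                           "dst": f'{ev["dst_ip"]}:{ev["dst_port"]}'})
    by_pid = {}
    for a in alerts:
        by_pid.setdefault(a["pid"], set()).add(a["rule"])
    high = {pid for pid, rules in by_pid.items() if len(rules) > 1}
    return {"alerts": alerts, "high_confidence_pids": high}


# Constructed sample telemetry; paths and names are invented for the demo.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Users\alice\Downloads\setup.exe", "cmdline": "setup.exe"},
    {"type": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\Helper\plugin.dll,Start"},
    {"type": "network_connect", "pid": 300, "dst_ip": "202.79.173.54", "dst_port": 443},
    # Benign look-alikes: a Control Panel applet via rundll32, an installer
    # registering a system DLL, and unrelated DNS traffic.
    {"type": "process_create", "pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "process_create", "pid": 600, "ppid": 200,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
    {"type": "network_connect", "pid": 500, "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS)["alerts"]:
        print(alert)
```

To use it on real data, map Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) onto the `process_create` and `network_connect` records. The regsvr32 event for pid 600 is the important negative case: an installer registering a DLL from System32 is routine and must not fire, which is why the rule requires the DLL path, not just the parent, to be user-writable.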
Affected Countries
United Kingdom, Germany, France, Netherlands, Belgium, Sweden, Italy
Indicators of Compromise
IP addresses (attacker infrastructure):
- ip: 27.124.40.155
- ip: 43.226.125.44
- ip: 103.46.185.44
- ip: 103.46.185.73
- ip: 112.213.101.139
- ip: 112.213.101.161
- ip: 112.213.116.91
- ip: 134.122.204.11
- ip: 137.220.229.34
- ip: 143.92.61.154
- ip: 143.92.63.144
- ip: 156.251.17.243
- ip: 202.79.168.211
- ip: 202.79.171.133
- ip: 202.79.173.50
- ip: 202.79.173.54
- ip: 202.79.173.98
File hashes (digest type inferred from length):
- md5: 7e798be7f24e0d737513ce250ad74429
- md5: b4579bc396ace8cafd9e825ff63fe244
- sha1: 32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c
- sha1: b24ff2395a158638110e3da4dd7ce0a1bf4d86c8
- sha256: 01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b
- sha256: 16c79970ed965b31281270b1be3f1f43671dfaf39464d7eac38b8b27c66661cf
- sha256: 1e57ac6ad9a20cfab1fe8edd03107e7b63ab45ca555ba6ce68f143568884b003
- sha256: 28d2477926de5d5a8ffcb708cb0c95c3aa9808d757f77b92f82ad4aa50a05cc8
- sha256: 47ad38adc3b18fb62a8e0a33e9599fd0b90d9de220d1a18b6761d035448c378f
- sha256: 4cb2cab237893d0d661e2378e7fe4e1bafbfaefd713091e26c96f7ec182b6cd0
- sha256: 4fdedadaa57412e242dc205fabdca028f6402962d3a8af427a01dd38b40d4512
- sha256: 5767d408ec37b45c7714d70ae476cb34905ad6b59830572698875fc33c3baf2f
- sha256: b22599dd0a1c44ca1b35df16006f3085bddae3ebba6a3649ec6e4dc4cbf74865
- sha256: b8e8a13859ed42e6e708346c555a094fdc3fbd69c3c1cb9efb43c08c86fe32d0
- sha256: ba0fd15483437a036e7f9dc91a65caa6e9b9494ed3793710257c450a30b88b8a
- sha256: d95aed234f932a1c48a2b1b0d98c60ca31f962310c03158e2884ab4ddd3ea1e0
- sha256: e036d5e88a51008b130673ad65872559c060deeb29a0f8da103fe6d036e9d031
- sha256: e2490cfd25d8e66a7888f70b56ff8409494de3b3d87bc5464d3adabba8b32177
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.rapid7.com/blog/post/2025/05/22/nsis-abuse-and-srdi-shellcode-anatomy-of-the-winos-4-0-campaign
- Adversary: Silver Fox APT
- Pulse ID: 683651cab88138e6609c3788
- Threat Score: null
Threat ID: 6836d04b182aa0cae23f6946
Added to database: 5/28/2025, 8:58:51 AM
Last enriched: 6/27/2025, 9:20:03 AM
Last updated: 8/18/2025, 5:28:18 PM