
NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign

Severity: Medium
Published: Tue May 27 2025 (05/27/2025, 23:59:06 UTC)
Source: AlienVault OTX General

Description

A malware campaign using fake software installers to deliver Winos v4.0, a memory-resident malware, has been tracked throughout 2025. The campaign, dubbed Catena, employs trojanized NSIS installers, reflective DLL loading, and shellcode-embedded INI files to evade detection. It stages payloads entirely in memory, connecting to attacker-controlled servers mainly in Hong Kong. The operation appears focused on Chinese-speaking environments and shows signs of long-term planning by a capable threat group. The infection chain involves multiple stages, including initial NSIS installers, first-stage loaders, and second-stage payloads, ultimately delivering the Winos v4.0 stager. The campaign has evolved over time, adapting its tactics to avoid detection while maintaining core infrastructure and execution logic.

AI-Powered Analysis

Last updated: 06/27/2025, 09:20:03 UTC

Technical Analysis

The Winos 4.0 campaign, tracked throughout 2025 and dubbed Catena, represents a sophisticated malware operation leveraging trojanized NSIS (Nullsoft Scriptable Install System) installers to deliver a memory-resident malware payload known as Winos v4.0. The campaign employs advanced evasion techniques, including reflective DLL injection and shellcode embedded within INI files (sRDI shellcode), enabling the entire payload to be staged and executed in memory without writing to disk, thereby reducing forensic footprints and evading detection by traditional antivirus solutions.

The infection chain is multi-staged: initial compromise occurs via fake software installers crafted with NSIS, which then deploy a first-stage loader. This loader subsequently executes a second-stage payload that ultimately delivers the Winos v4.0 stager. The malware connects to attacker-controlled command and control (C2) servers primarily located in Hong Kong, indicating a geographically focused infrastructure. The campaign targets Chinese-speaking environments, suggesting a regional or linguistic focus, and is attributed to the Silver Fox APT group, known for long-term, well-resourced operations. The campaign demonstrates adaptability by evolving its tactics over time to avoid detection while maintaining core infrastructure and execution logic.

The use of techniques such as reflective DLL injection (T1055.001), execution through trusted binaries (T1218.011, T1218.010), and living-off-the-land binaries (LOLBins) reflects a high level of operational security and sophistication. The malware's memory-resident nature complicates detection and eradication, as it avoids persistent disk artifacts. Overall, the campaign exemplifies a targeted, stealthy approach to malware delivery and execution, leveraging legitimate installer frameworks and advanced code injection methods to maintain persistence and evade defenses.
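The analysis above notes that the loader carries its shellcode inside INI files. As an added example (not code from the Rapid7 write-up or the pulse), the scanner below walks an INI file and flags any key whose value decodes to a large, high-entropy byte blob; hex and base64 are assumed encodings, and the sample INI, including its random "payload", is constructed for the demonstration.

```python
import base64, math, random, re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB_BYTES = 64      # anything shorter is unlikely to be a usable code blob
ENTROPY_THRESHOLD = 6.5  # bits/byte; text and ordinary config decode to roughly 4-5

def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input)."""
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts) if n else 0.0

def decode_value(value):
    """Decode as hex or base64 (the encodings assumed here); None if neither."""
    v = value.strip()
    if len(v) % 2 == 0 and HEX_RE.match(v):
        return bytes.fromhex(v)
    if B64_RE.match(v):
        try:
            return base64.b64decode(v, validate=True)
        except ValueError:
            return None
    return None

def scan_ini(text):
    """Flag key=value pairs whose decoded value is a large, high-entropy byte blob."""
    findings, section = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s[0] in ";#":          # blank line or comment
            continue
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]              # new section header
            continue
        key, sep, value = s.partition("=")
        blob = decode_value(value) if sep else None
        if blob is not None and len(blob) >= MIN_BLOB_BYTES:
            ent = shannon_entropy(blob)
            if ent >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "section": section, "key": key.strip(),
                                 "bytes": len(blob), "entropy": round(ent, 2)})
    return findings

# Constructed sample, not a real artifact: a benign-looking INI plus one hex-encoded
# random blob standing in for an embedded payload (seeded so the run is reproducible).
_rng = random.Random(20250522)
_CONSTRUCTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(512))
SAMPLE_INI = f"""[Settings]
Language=en-US
InstallDir=C:\\Program Files\\ExampleApp
; base64 of ordinary text: long, but low entropy once decoded, so not flagged
Notice={base64.b64encode(b'Copyright notice for ExampleApp. All rights reserved. ' * 3).decode()}
[Update]
Payload={_CONSTRUCTED_BLOB.hex()}
"""
```

The base64 `Notice` value shows why the check decodes before measuring: it is long, but ordinary text never reaches the entropy of packed code.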

Potential Impact

For European organizations, the Winos 4.0 campaign poses a significant threat primarily if they operate within or have business ties to Chinese-speaking regions or handle data and communications involving such environments. The memory-resident nature of the malware means that traditional signature-based detection tools may fail to identify the infection, increasing the risk of prolonged undetected presence. Potential impacts include unauthorized access to sensitive information, espionage, lateral movement within networks, and disruption of operations. The use of trojanized installers could lead to supply chain compromises if software distribution channels are targeted. Furthermore, the campaign's focus on stealth and persistence could enable attackers to maintain long-term access, exfiltrate data, or deploy additional payloads. European organizations with subsidiaries, partners, or customers in affected regions may face indirect exposure. Additionally, sectors with strategic importance such as telecommunications, manufacturing, and government entities could be targeted for intelligence gathering or disruption. The campaign's reliance on living-off-the-land techniques and trusted binaries complicates incident response and remediation efforts, potentially increasing downtime and recovery costs.

Mitigation Recommendations

To mitigate the Winos 4.0 campaign, European organizations should implement a layered defense strategy tailored to the campaign's tactics. First, enforce strict software installation policies, including application whitelisting and restricting the execution of unsigned or unverified NSIS installers. Employ advanced endpoint detection and response (EDR) solutions capable of monitoring in-memory execution and detecting reflective DLL injection and shellcode execution patterns.

Network monitoring should focus on identifying anomalous outbound connections, especially to IP ranges associated with Hong Kong or known C2 infrastructure. Implement behavioral analytics to detect suspicious process chains involving NSIS installers and living-off-the-land binaries. Regularly audit and restrict the use of trusted system binaries that can be abused for execution (e.g., msiexec, rundll32). Enhance user awareness training to recognize social engineering tactics that may deliver trojanized installers. Employ threat intelligence feeds to update detection rules with indicators of compromise related to the Catena campaign.

Conduct regular memory forensics and incident response drills to improve detection of memory-resident threats. Finally, segment networks to limit lateral movement and enforce least privilege access controls to reduce the impact of potential compromises.
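The process-chain analytics recommended above, as an added example that is not part of the original analysis: a heuristic over Sysmon-style process-creation records (the field names are Sysmon's; the records themselves are constructed). It flags rundll32, msiexec or regsvr32 when the parent runs from a user-writable directory or the arguments point into one, and separately notes the `%TEMP%\ns*.tmp` directory where NSIS unpacks its plugins.

```python
import re

# LOLBins the recommendations name (msiexec, rundll32) plus regsvr32 (T1218.010 above).
LOLBINS = {"rundll32.exe", "msiexec.exe", "regsvr32.exe"}
# Path fragments an unprivileged user can write to: the weak signal paired with LOLBin use.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# NSIS extracts its plugins to a %TEMP%\ns<random>.tmp directory ($PLUGINSDIR).
NSIS_PLUGIN_DIR = re.compile(r"\\ns[0-9a-z]+\.tmp\\", re.IGNORECASE)
# Strip the (possibly quoted) program token so only the arguments remain.
FIRST_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.DOTALL)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def in_user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)

def assess(event):
    """Reasons this process-creation event looks like an installer -> LOLBin chain."""
    child = basename(event["Image"])
    if child not in LOLBINS:
        return []
    reasons = []
    if in_user_writable(event["ParentImage"]):
        reasons.append(f"{child} spawned by user-writable parent {event['ParentImage']}")
    args = FIRST_TOKEN.match(event["CommandLine"]).group(1)
    if in_user_writable(args):
        reasons.append(f"{child} given a user-writable path: {args}")
    if NSIS_PLUGIN_DIR.search(args):
        reasons.append("argument path matches an NSIS plugin temp directory")
    return reasons

def flag_events(events):
    """Return (ProcessId, reasons) for every event with at least one reason."""
    return [(e["ProcessId"], assess(e)) for e in events if assess(e)]

# Constructed Sysmon-style (Event ID 1) records, not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL intl.cpl',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": "1002", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\nsq1A2B.tmp\helper.dll,Start",
     "ParentImage": r"C:\Users\alice\Downloads\ExampleApp-Setup.exe"},
    {"ProcessId": "1003", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\update.msi /qn",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\stage1.exe"},
    {"ProcessId": "1004", "Image": r"C:\Program Files\ExampleApp\app.exe",
     "CommandLine": r'"C:\Program Files\ExampleApp\app.exe" --background',
     "ParentImage": r"C:\Windows\explorer.exe"},
]
```

The first record (explorer launching a Control Panel applet through rundll32) is the benign baseline the rule must not fire on; only the two installer-spawned records are returned.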


Technical Details

Author: AlienVault
TLP: white
References: https://www.rapid7.com/blog/post/2025/05/22/nsis-abuse-and-srdi-shellcode-anatomy-of-the-winos-4-0-campaign
Adversary: Silver Fox APT
Pulse Id: 683651cab88138e6609c3788
Threat Score: null

Indicators of Compromise


Threat ID: 6836d04b182aa0cae23f6946

Added to database: 5/28/2025, 8:58:51 AM

Last enriched: 6/27/2025, 9:20:03 AM

Last updated: 8/18/2025, 5:28:18 PM
