
A stealthy, memory-resident malware campaign is silently infiltrating systems using trojanized software installers for popular apps like QQBrowser, LetsVPN, and Chrome. Tracked by Rapid7 since February 2025, the campaign leverages a multi-stage loader called Catena to deploy Winos v4.0, a remote access tool (RAT) that evades detection by running entirely in memory.
The infection chain—dubbed Catena by Rapid7—uses NSIS installers bundled with .ini files that carry shellcode and with malicious DLLs, giving the attack a modular structure. The loaders rely on reflective DLL injection and sRDI (Shellcode Reflective DLL Injection) so that the payload executes without the decrypted malware ever being written to disk.
The Catena chain typically unfolds as follows:
- Installer Execution: User launches a trojanized installer (e.g., QQBrowser_Setup_x64.exe or Lets.15.0.exe).
- Stage 1: Installs decoy app, drops insttect.exe, Single.ini, and disables Microsoft Defender.
- Stage 2: Deploys second-stage payloads (intel.dll, Config.ini, Config2.ini) in %APPDATA%\TrustAsia.
- Payload Execution: Launches payload via regsvr32.exe and monitors processes to trigger alternate behaviors.

“All observed samples relied on NSIS installers bundled with signed decoy apps, shellcode embedded in .ini files, and reflective DLL injection to quietly maintain persistence and avoid detection,” the report states.
Catena uses a clever blend of persistence mechanisms to maintain its foothold:
- Scheduled Tasks via PowerShell scripts (updated.ps1, PolicyManagement.xml)
- Watchdog Scripts (monitor.bat) to relaunch the loader if killed
- Mutex Logic to switch between payloads (Config.ini vs. Config2.ini)
- Decoy Apps and Expired Legitimate Certificates for social engineering
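The chain and persistence mechanisms above leave a recognisable trail in process-creation telemetry: regsvr32.exe loading a DLL out of a user's AppData profile, a scheduled task created from an AppData-resident XML or .ps1, a cmd.exe watchdog relaunching a .bat, and the file names the report attributes to Catena. The following Python is an added example (not code from Rapid7 or from the report) that runs those checks over a handful of constructed event lines in a simple key=value format. The file names and the %APPDATA%\TrustAsia directory come from the text; the event format, the user name, and the locations of insttect.exe and PolicyManagement.xml are assumptions made for the sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (key=value, quoted values may
# contain spaces). Illustrative only: paths other than %APPDATA%\TrustAsia
# are assumed, not taken from the report.
SAMPLE_EVENTS = [
    'ts=2025-02-10T09:01:12Z image=C:\\Users\\alice\\Downloads\\QQBrowser_Setup_x64.exe parent=explorer.exe cmdline="QQBrowser_Setup_x64.exe"',
    'ts=2025-02-10T09:01:15Z image=C:\\Users\\alice\\AppData\\Local\\Temp\\insttect.exe parent=QQBrowser_Setup_x64.exe cmdline="insttect.exe Single.ini"',
    'ts=2025-02-10T09:01:20Z image=C:\\Windows\\System32\\schtasks.exe parent=powershell.exe cmdline="schtasks.exe /create /xml C:\\Users\\alice\\AppData\\Roaming\\TrustAsia\\PolicyManagement.xml /tn Updater"',
    'ts=2025-02-10T09:01:25Z image=C:\\Windows\\System32\\regsvr32.exe parent=insttect.exe cmdline="regsvr32.exe /s C:\\Users\\alice\\AppData\\Roaming\\TrustAsia\\intel.dll"',
    'ts=2025-02-10T09:01:30Z image=C:\\Windows\\System32\\cmd.exe parent=insttect.exe cmdline="cmd.exe /c C:\\Users\\alice\\AppData\\Roaming\\TrustAsia\\monitor.bat"',
    'ts=2025-02-10T09:05:00Z image=C:\\Windows\\System32\\regsvr32.exe parent=msiexec.exe cmdline="regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll"',
    'ts=2025-02-10T09:06:00Z image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe cmdline="notepad.exe notes.txt"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Matches a path under a user profile's AppData\Roaming or AppData\Local.
_APPDATA = re.compile(r'\\appdata\\(roaming|local)\\')

# File names the report associates with the Catena chain.
ARTIFACTS = ('insttect.exe', 'single.ini', 'intel.dll', 'config.ini', 'config2.ini',
             'updated.ps1', 'policymanagement.xml', 'monitor.bat')

RULE_REGSVR32_APPDATA = 'regsvr32 loading a DLL from a user AppData path'
RULE_TASK_APPDATA = 'scheduled task created from an AppData-resident script or XML'
RULE_WATCHDOG = 'cmd/powershell launching a script from a user AppData path'
RULE_TRUSTASIA = 'reference to the %APPDATA%\\TrustAsia staging directory'


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the list of rule names / artifact names an event triggers."""
    image = ev.get('image', '').lower()
    cmd = ev.get('cmdline', '').lower()
    exe = image.rsplit('\\', 1)[-1]
    hits: List[str] = []
    if exe == 'regsvr32.exe' and '.dll' in cmd and _APPDATA.search(cmd):
        hits.append(RULE_REGSVR32_APPDATA)
    if (exe == 'schtasks.exe' and '/create' in cmd and _APPDATA.search(cmd)
            and ('.ps1' in cmd or '.xml' in cmd)):
        hits.append(RULE_TASK_APPDATA)
    if (exe in ('cmd.exe', 'powershell.exe') and _APPDATA.search(cmd)
            and ('.bat' in cmd or '.ps1' in cmd)):
        hits.append(RULE_WATCHDOG)
    if '\\trustasia\\' in cmd or '\\trustasia\\' in image:
        hits.append(RULE_TRUSTASIA)
    for name in ARTIFACTS:
        if name in cmd or image.endswith('\\' + name):
            hits.append('artifact:' + name)
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, image basename, hits) for every event that fired."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hits = evaluate(ev)
        if hits:
            findings.append((ev.get('ts', '?'), ev.get('image', '').rsplit('\\', 1)[-1], hits))
    return findings


if __name__ == '__main__':
    for ts, exe, hits in scan(SAMPLE_EVENTS):
        print(ts, exe, '->', '; '.join(hits))
```

The behavioural rules (regsvr32 from AppData, task registration from AppData, a script watchdog) are the ones worth keeping: they survive the renaming of insttect.exe or TrustAsia in a later variant, whereas the artifact-name matches only catch the samples the report describes. The benign regsvr32 event from Program Files is included to show the AppData condition doing its job.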
Notably, the malware includes system locale checks targeting Chinese environments:
“Interestingly, the malware includes a language check that looks for Chinese language settings… Even if the system isn’t using Chinese, the malware still executes.”
At the end of the chain, Catena deploys Winos v4.0, a 112KB memory-resident stager packed with command-and-control (C2) logic and configuration settings.
- Exported function: VFPower
- Debug path: C:\Users\Administrator\Desktop\Quick4\主插件\Release\上线模块.pdb
- Uses CreateMutexA and dynamic memory allocation to load next-stage payloads
- Embedded configuration includes beacon intervals, C2 addresses and ports (e.g., 134.122.204[.]11:6074), and runtime logic
“The malware has used Windows sockets and the getaddrinfo API to resolve a hardcoded IP and port… then retrieves the next-stage payload from the C2 server and executes it directly in memory.”
From PowerShell loaders to regsvr32.exe-based DLL injection, the Catena framework is constantly evolving:
- Earlier variants used VBScript and PowerShell (Axialis.ps1, Decision.vbs)
- Recent variants invoke DLLs directly with regsvr32 to avoid PowerShell logging
- Decoy installers remain signed and visually authentic, making user detection nearly impossible
While the malware does not enforce language checks, numerous indicators (hardcoded mutex names, PDB paths, app decoys, and infrastructure) strongly suggest a target focus on Chinese-speaking environments.
Infrastructure associated with the campaign is hosted predominantly in Hong Kong, with additional nodes identified via Shodan:
- 103.46.185[.]44
- 112.213.101[.]139
- 47.238.125[.]85
- 137.220.229[.]34
- 202.79.171[.]133
- …and others
“Infrastructure overlaps and language-based targeting hint at ties to Silver Fox APT, with activity likely aimed at Chinese-speaking environments,” the report concludes.