Cybersecurity experts warn that a newly enhanced malware framework, Winos 4.0, is targeting users through gaming-related apps like installation tools, speed boosters, and optimization utilities. Fortinet’s FortiGuard Labs describes Winos 4.0 as an advanced malicious framework offering extensive control over infected devices, allowing attackers to steal information and remotely manipulate compromised systems.
Origins and Distribution Tactics
Originally based on Gh0st RAT, Winos 4.0 has been revamped with modular features that help attackers execute complex tasks, manage infected endpoints, and evade detection. Fortinet reports that Winos 4.0 is distributed by attackers referred to as Void Arachne or Silver Fox. The campaign leverages black hat SEO, social media, and messaging platforms like Telegram, and specifically targets Chinese-speaking users.
Infection Process: Multi-Stage and Modular
The infection chain for Winos 4.0 starts when users install the tainted gaming utility, which retrieves a disguised image file from a remote server, decoding it into a DLL. This DLL sets up an execution environment by downloading three additional files, which, in turn, unpack further payloads, including executable files and additional DLLs.
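The first stage described above relies on a payload that is fetched as an "image" but is not one. The following script is an added example, not code from the article or from Fortinet, of the kind of content check a defender can run on downloaded files to catch that trick. The article does not say how Winos 4.0 encodes the DLL inside the image, so the script only looks for two generic signals: an image extension whose leading bytes do not match the format's magic number, and a PE header (an "MZ" stub whose e_lfanew points at "PE\0\0") embedded anywhere in the file. The sample files, file names and the `assess` helper are all constructed for the example.

```python
"""Flag downloaded "image" files whose content does not look like an image.

Added example: checks a file's magic bytes against its extension and scans
for an embedded PE header. Sample inputs below are constructed; the exact
encoding used by Winos 4.0 is not described in the article and is not modelled.
"""
import struct

# Leading bytes expected for common image extensions.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".bmp": b"BM",
}


def extension_of(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def magic_matches(name, data):
    """True/False if the extension is a known image type, None otherwise."""
    magic = IMAGE_MAGIC.get(extension_of(name))
    if magic is None:
        return None
    return data.startswith(magic)


def find_embedded_pe(data):
    """Offset of an embedded PE image, or -1 if none is found.

    Walks every 'MZ' occurrence, reads e_lfanew at +0x3C and checks that
    it points at a 'PE\\0\\0' signature inside the buffer. Bounds are
    checked so junk 'MZ' bytes with a bogus e_lfanew are skipped.
    """
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def assess(name, data):
    """Return a list of findings for the file; an empty list means it looks clean."""
    findings = []
    if magic_matches(name, data) is False:
        findings.append("magic-mismatch")
    pe = find_embedded_pe(data)
    if pe != -1:
        findings.append(f"embedded-pe@{pe}")
    return findings


def _fake_pe():
    """Constructed minimal DOS stub + PE signature (not a real executable)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew -> right after header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample files.
SAMPLE_CLEAN = IMAGE_MAGIC[".png"] + b"\x00" * 32            # real PNG header
SAMPLE_PE_AS_PNG = _fake_pe()                                # PE renamed to .png
SAMPLE_JPEG_POLYGLOT = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + _fake_pe()  # JPEG header, PE appended

if __name__ == "__main__":
    for name, blob in [("wallpaper.png", SAMPLE_CLEAN),
                       ("loader.png", SAMPLE_PE_AS_PNG),
                       ("banner.jpg", SAMPLE_JPEG_POLYGLOT)]:
        print(name, assess(name, blob) or "clean")
```

A file that passes both checks is not proven benign, since the payload may be encrypted or otherwise encoded rather than stored as a raw PE; the check is most useful as one signal alongside monitoring of which processes write and then load DLLs from user-writable paths.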
One of these DLL files is labeled “学籍系统” (Student Registration System), hinting at a possible focus on educational institutions. Once active, the malware communicates with its command-and-control (C2) server to receive further instructions and deploy additional payloads.
Key Features and Capabilities of Winos 4.0
Fortinet draws comparisons between Winos 4.0 and known attack frameworks like Cobalt Strike and Sliver, noting that Winos’s modular architecture and deep system control make it particularly dangerous.
Related Threat: WrnRAT in Gambling Games
In a separate campaign identified by AhnLab Security Intelligence Center (ASEC), WrnRAT malware was found targeting users of gambling-related games. Distributed through fake gambling sites, WrnRAT grants attackers remote control of the compromised system and the ability to monitor gameplay. ASEC notes that WrnRAT appears financially motivated, likely leading to financial losses for affected users.
Safety Recommendations
The emergence of Winos 4.0 highlights the evolution of malware distributed through gaming applications, especially as attackers increasingly target recreational users with complex, modular frameworks. With capabilities that rival sophisticated RATs like Cobalt Strike, Winos 4.0 underscores the need for caution and cybersecurity vigilance within the gaming community.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067