Winos 4.0 Malware Spreads via Gaming Apps to Gain Full System Control

Cybersecurity experts warn that a newly enhanced malware framework, Winos 4.0, is targeting users through gaming-related apps like installation tools, speed boosters, and optimization utilities. Fortinet’s FortiGuard Labs describes Winos 4.0 as an advanced malicious framework offering extensive control over infected devices, allowing attackers to steal information and remotely manipulate compromised systems.

Origins and Distribution Tactics

Originally based on Gh0st RAT, Winos 4.0 has been revamped with modular features that help attackers execute complex tasks, manage infected endpoints, and evade detection. Fortinet reports that Winos 4.0 is distributed by attackers referred to as Void Arachne or Silver Fox. Leveraging black hat SEO, social media, and messaging platforms like Telegram, the malware specifically targets Chinese-speaking users.

Infection Process: Multi-Stage and Modular

The infection chain for Winos 4.0 starts when users install the tainted gaming utility, which retrieves a disguised image file from a remote server, decoding it into a DLL. This DLL sets up an execution environment by downloading three additional files, which, in turn, unpack further payloads, including executable files and additional DLLs.

One of these DLL files is labeled “学籍系” (Student Registration System), hinting at a possible focus on educational institutions. Once active, the malware communicates with its command-and-control (C2) server to receive further instructions and deploy additional payloads.
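The first stage described above, an "image" that is really an encoded DLL, is something a defender can triage on the download path. The following Python is an added example, not code from this article or from Fortinet's report: it compares a file's claimed extension with its magic bytes and walks any embedded PE header to read the IMAGE_FILE_DLL flag. The sample files are constructed inline; none of the bytes come from a real Winos 4.0 artifact.

```python
import struct

# Constructed samples for the demo: a benign PNG, an image with a DLL appended,
# and a DLL saved under an image extension. None of these bytes come from a real
# Winos 4.0 artifact; the PE stubs are minimal headers, not runnable binaries.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
               b"BM": "bmp", b"GIF87a": "gif", b"GIF89a": "gif"}

def _fake_pe(dll: bool) -> bytes:
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    chars = 0x2102 if dll else 0x0102                         # IMAGE_FILE_DLL = 0x2000
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    return dos + b"PE\0\0" + coff

SAMPLES = {
    "wallpaper.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 32,
    "banner.jpg": b"\xff\xd8\xff\xe0" + _fake_pe(True),      # valid magic, DLL behind it
    "loader.bmp": _fake_pe(True),                             # DLL named as an image
}

def detected_format(data: bytes):
    """Identify the file by its magic bytes rather than its extension."""
    return next((f for m, f in IMAGE_MAGIC.items() if data.startswith(m)), None)

def find_pe(data: bytes):
    """Return (offset, is_dll) for a PE header found anywhere in the data, else None.
    Checks each 'MZ', follows e_lfanew (+0x3C) to 'PE\\0\\0', and reads the COFF
    Characteristics field (PE signature + 22) for the IMAGE_FILE_DLL bit."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            pe = pos + struct.unpack_from("<I", data, pos + 0x3C)[0]
            if pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                chars = struct.unpack_from("<H", data, pe + 22)[0]
                return pos, bool(chars & 0x2000)
        pos = data.find(b"MZ", pos + 1)
    return None

def triage(name: str, data: bytes) -> dict:
    """Flag extension/magic mismatches and embedded PE images in a download."""
    ext = name.rsplit(".", 1)[-1].lower().replace("jpeg", "jpg")
    fmt, pe = detected_format(data), find_pe(data)
    return {"name": name, "claimed": ext, "detected": fmt, "mismatch": fmt != ext,
            "embedded_pe": pe is not None, "is_dll": bool(pe and pe[1])}

if __name__ == "__main__":
    for n, d in SAMPLES.items():
        r = triage(n, d)
        print(n, "SUSPICIOUS" if r["mismatch"] or r["embedded_pe"] else "ok", r)
```

The banner.jpg case is the one worth noting: its magic bytes are a valid JPEG, so an extension-only or magic-only check passes it, and only the embedded PE scan catches the DLL behind the image header.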

Key Features and Capabilities of Winos 4.0

  1. Data Harvesting and Surveillance: The malware captures system data, clipboard content, and even information from cryptocurrency wallet extensions like OKX Wallet and MetaMask.
  2. Backdoor Access: Winos 4.0 allows attackers to control the infected device remotely, supporting tasks such as screenshot capture and document exfiltration.
  3. Modular Plugins: The C2 server can deliver extra plugins, adding new capabilities to suit the attacker’s needs.

Fortinet draws comparisons between Winos 4.0 and known attack frameworks like Cobalt Strike and Sliver, noting that Winos’s modular architecture and deep system control make it particularly dangerous.

Related Threat: WrnRAT in Gambling Games

In a separate campaign identified by AhnLab Security Intelligence Center (ASEC), WrnRAT malware was found targeting users of gambling-related games. Spread via fake gambling sites, WrnRAT grants attackers remote control of the victim's machine and the ability to monitor gameplay. ASEC notes that WrnRAT appears financially motivated and is likely to cause financial losses for affected users.

Safety Recommendations

  1. Avoid downloading from unverified sources: Stick to official game and utility sources, avoiding third-party sites or dubious downloads.
  2. Limit app permissions: Review permissions granted to gaming utilities and avoid any app requesting system-level permissions without clear necessity.
  3. Use reliable antivirus software: Invest in trusted security software to help detect and prevent malware infections.

The emergence of Winos 4.0 highlights the evolution of malware distributed through gaming applications, especially as attackers increasingly target recreational users with complex, modular frameworks. With capabilities that rival sophisticated RATs like Cobalt Strike, Winos 4.0 underscores the need for caution and cybersecurity vigilance within the gaming community.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067